Removed Cloudflare. How to setup certbot auto renew? (error output included)


#1

My domain is:
haydenjames.io

I ran this command:
# certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/web.haydenjames.io.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert from /etc/letsencrypt/renewal/web.haydenjames.io.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.. Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/haydenjames.io.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert from /etc/letsencrypt/renewal/haydenjames.io.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/web.haydenjames.io/fullchain.pem (failure)
  /etc/letsencrypt/live/haydenjames.io/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
2 renew failure(s), 0 parse failure(s)

My web server is (include version):
nginx/1.10.3

The operating system my web server runs on is (include version):
Debian 9.4

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

Previous thread (if useful to current setup):
Cloudflare certbot renew automation – However, I no longer use Cloudflare so would like to setup certbot auto renew.

Thanks!


#2

Hi @james_1,

Regarding domain web.haydenjames.io, could you please show the content of /etc/letsencrypt/renewal/web.haydenjames.io.conf? Also, what was the command used to issue the certificate the first time?

Regarding domain haydenjames.io, it seems you issued the certificate using the manual method, and it won’t be able to renew your cert automatically unless you provide a script to create the challenges automatically or you use one of the dns plugins to automate it. It seems you are using dns made easy as dns provider, but I don’t know if your plan provides access to the REST API; if that is the case you could use certbot-auto and the certbot dnsmadeeasy plugin or the lexicon plugin.

Also, maybe you don’t need to validate your domain using dns and you could use the webroot method…

Cheers,
sahsanu


#3

Thanks for the help.

Contents of /etc/letsencrypt/renewal/web.haydenjames.io.conf:

# renew_before_expiry = 30 days
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/web.haydenjames.io
cert = /etc/letsencrypt/live/web.haydenjames.io/cert.pem
privkey = /etc/letsencrypt/live/web.haydenjames.io/privkey.pem
chain = /etc/letsencrypt/live/web.haydenjames.io/chain.pem
fullchain = /etc/letsencrypt/live/web.haydenjames.io/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = nginx
installer = nginx
account = [xxx...]

However, I can probably uninstall the web.haydenjames.io cert as it’s not in use anymore.

Yes, the manual method had to be used as per Cloudflare issue at the time (see support thread linked to at end of previous post).

Using the REST API would have been nice, but it’s only available to DNSmadeEasy Business and Corporate accounts.

Here’s the output of the webroot method:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/web.haydenjames.io.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for web.haydenjames.io
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0008_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0008_csr-certbot.pem

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/haydenjames.io.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
Attempting to renew cert from /etc/letsencrypt/renewal/haydenjames.io.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
  /etc/letsencrypt/live/web.haydenjames.io/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/haydenjames.io/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)

Edit: No I don’t remember the original command used. It’s fallen off the command history as well. Sorry.


#4

Let’s try webroot method directly, show the output of this command:

certbot certonly --cert-name haydenjames.io -a webroot -w /usr/share/nginx/html/ -d haydenjames.io,www.haydenjames.io --dry-run

#5

This works!

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for haydenjames.io
http-01 challenge for www.haydenjames.io
Using the webroot path /usr/share/nginx/html/ for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0011_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0011_csr-certbot.pem

So for auto renewal I cannot use the “certbot renew…” command with cron for auto renew? Will I have to use certbot certonly?


#6

If that command works, then issue the command again and this time remove --dry-run param to issue a new certificate:

certbot certonly --cert-name haydenjames.io -a webroot -w /usr/share/nginx/html/ -d haydenjames.io,www.haydenjames.io

and from now on, certbot renew will work fine. Also, if you don’t need the certificate issued to web.haydenjames.io then use certbot delete command and remove it.


#7

Thanks. Followed that and replaced with new.

As you mentioned the certbot renew now works:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/haydenjames.io.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for haydenjames.io
http-01 challenge for www.haydenjames.io
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0015_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0015_csr-certbot.pem
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/haydenjames.io/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

#8

Just a note for anyone else following this in future. After deleting the unused cert, nginx -t resulted in:

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/web.haydenjames.io/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/web.haydenjames.io/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

Remember to clean up the SSL config. Not sure if this should have happened automatically with the delete, but it didn’t. Once I deleted the “managed by certbot” lines, nginx -t passed.
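Added example (not from this thread, certbot or nginx): a small check that scans an nginx config for ssl_certificate / ssl_certificate_key directives whose files no longer exist, which is exactly what nginx -t complained about after the unused cert was deleted. The config and the live/ directory layout are constructed in a temp dir so it runs offline.

```python
"""Report ssl_certificate* directives in an nginx config that point at
missing files (the state nginx -t rejects after 'certbot delete')."""
import os
import re
import tempfile

# One directive per line, value up to the terminating ';' (comments ignored).
DIRECTIVE = re.compile(r"^\s*(ssl_certificate(?:_key)?)\s+([^;#]+?)\s*;", re.M)


def stale_cert_paths(config_text):
    """Return [(directive, path)] for every path that is not a file on disk."""
    return [(name, path) for name, path in DIRECTIVE.findall(config_text)
            if not os.path.isfile(path)]


def demo():
    """Constructed scenario: haydenjames.io kept, web.haydenjames.io deleted."""
    with tempfile.TemporaryDirectory() as root:
        live = os.path.join(root, "live", "haydenjames.io")
        os.makedirs(live)
        for name in ("fullchain.pem", "privkey.pem"):
            open(os.path.join(live, name), "w").close()   # empty stand-ins
        deleted = os.path.join(root, "live", "web.haydenjames.io")  # never created
        config = f"""
server {{
    listen 443 ssl;
    ssl_certificate {live}/fullchain.pem; # managed by Certbot
    ssl_certificate_key {live}/privkey.pem; # managed by Certbot
}}
server {{
    listen 443 ssl;
    ssl_certificate {deleted}/fullchain.pem; # managed by Certbot
    ssl_certificate_key {deleted}/privkey.pem; # managed by Certbot
}}
"""
        # Report only the cert-name directory so the result is path independent.
        return [(name, os.path.basename(os.path.dirname(path)))
                for name, path in stale_cert_paths(config)]


if __name__ == "__main__":
    for directive, cert_name in demo():
        print(f"{directive}: stale reference to {cert_name}")
```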


#9

Hi @james_1,

Just one thing, as you are using nginx, you would like to reload it when the certificate is renewed so nginx will load the new cert. To do so automatically, edit the renewal conf file /etc/letsencrypt/renewal/haydenjames.io.conf and in section [renewalparams] add the following line:

renew_hook = service nginx reload

or if you are using systemd add this line:

renew_hook = systemctl reload nginx

Cheers,
sahsanu


#10

Just for reference, currently not. Thanks for sharing your suggestion with other users.


#11

Thanks!!

Now looks like this:

[renewalparams]
authenticator = webroot
installer = None
account = [xxx…]
webroot_path = /usr/share/nginx/html/,
renew_hook = systemctl reload nginx


#12

I forgot the details of this but if you encounter any problems related to the webroot, you might want to remove the comma at the end of the webroot_path line. However, possibly Certbot’s parser already removes it for you when interpreting the file!
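Added example (not from this thread or certbot): a linter for the [renewalparams] section of a renewal conf that flags the three things this thread ran into: a manual authenticator with no auth hook (the #1 error), a webroot_path with a trailing comma (#12), and no renew_hook when there is no installer to reload the server (#9). The manual_auth_hook key name is assumed from the --manual-auth-hook flag in the error output; the sample confs are constructed.

```python
"""Lint a certbot renewal conf for the renewal failure modes seen in this thread."""
import configparser

# Constructed samples in the shape of /etc/letsencrypt/renewal/<name>.conf
SAMPLE_MANUAL = """\
version = 0.10.2
cert = /etc/letsencrypt/live/example.test/cert.pem

[renewalparams]
authenticator = manual
account = [xxx...]
"""

SAMPLE_WEBROOT = """\
version = 0.10.2
cert = /etc/letsencrypt/live/example.test/cert.pem

[renewalparams]
authenticator = webroot
installer = None
account = [xxx...]
webroot_path = /usr/share/nginx/html/,
renew_hook = systemctl reload nginx
"""


def lint_renewal_conf(text):
    """Return a list of findings (empty list means nothing suspicious)."""
    parser = configparser.ConfigParser(interpolation=None)
    # certbot writes top-level keys before any section; give them one.
    parser.read_string("[top]\n" + text)
    params = parser["renewalparams"] if parser.has_section("renewalparams") else {}
    findings = []
    auth = params.get("authenticator", "")
    if auth == "manual" and "manual_auth_hook" not in params:
        findings.append("manual authenticator without manual_auth_hook: "
                        "'certbot renew' cannot complete non-interactively")
    if auth == "webroot":
        roots = params.get("webroot_path", "")
        if roots.endswith(","):
            findings.append("webroot_path has a trailing comma")
        if not roots.strip(","):
            findings.append("webroot authenticator without webroot_path")
    if "renew_hook" not in params and params.get("installer", "None") == "None":
        findings.append("no renew_hook and no installer: the web server keeps "
                        "serving the old certificate after renewal")
    return findings
```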

