Renew certificate & auto renew

My domain is: noobs.fun (https://crt.sh/?q=noobs.fun)

The operating system my web server runs on is (include version): ubuntu 18.04.6 LTS

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Hi,

so again my certificate needs to be renewed but I totaly forgot how I did it the last time. I thought that I had some kind of auto renew but it doesn't seems like it.

So I tried to renew the certificate with certbot renew but that fails with this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/noobs.fun-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (noobs.fun-0001) from /etc/letsencrypt/renewal/noobs.fun-0001.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
 /etc/letsencrypt/live/noobs.fun-0001/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
 /etc/letsencrypt/live/noobs.fun-0001/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

How can I renew the certificate and how can I activate the auto renew function?

Hi @Sirzento and welcome to the LE community forum :slight_smile:

It seems that you issued the last cert manually - which can't be automated.
You need to switch to another authentication method that can be automated.

Also I see "-0001" in the renewal config file name.
Please show the output of:
certbot certificates

4 Likes

Hi @rg305 ,

thats my output of certbot certificates:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: noobs.fun-0001
    Domains: *.noobs.fun noobs.fun
    Expiry Date: 2021-11-02 12:32:49+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/noobs.fun-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/noobs.fun-0001/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

How do I switch the authentication method to enable auto renew in the future?

btw, I would prefer that the path doesn't change where the cert and key is located because some applications I use, use the exact path. I don't know if this is important because you mentiont that there is a -0001 in the name.

2 Likes

The path usually only changes if/when you use a similar (but not exact same) set of domain names.
So, I suspect that at some point you had another cert with less, or more, name(s) on it.

You basically reissue/renew the cert; that will record that method used into the renewal process file.
That said, I see that you got a wildcard cert.
Wildcard certs can only be authenticated via DNS.
If your DNS Service Provider (DSP) doesn't support DNS updates via API, you won't be able to automate renewals that way and won't be able to automate the wildcard entry.
If that is the case, you might consider spelling out all the names that you actually need - LE certs can hold up to 100 names in the SAN field.
If the DSP does support updates via API, then you will need to use an ACME client that supports a plugin that works with that DSP.

4 Likes

Ok good to know.

I did search a bit and I saw that my DSP does have an API for that. I saw a small tutorial how to set it up. Tutorial

Does that looks alright?

Edit:
Also the command I found:

acme.sh --issue --staging -d meine.domain.com --dns dns_ovh --cert-file /etc/nginx/ssl/meine.domain.com.cert.pem --key-file /etc/nginx/ssl/meine.domain.com.key.pem --ca-file /etc/nginx/ssl/meine.domain.com.ca.pem --fullchain-file /etc/nginx/ssl/meine.domain.com.chain.pem

But that does need a cert file, key file, ca file and fullchain file. Do I have all that?

I'm not very well known with acme.sh but I think those are the destination options for those files. I.e.: where the files will go after you got them from the Let's Encrypt API.

Also, certbot has a certbot-dns-ohv plugin too. See User Guide — Certbot 1.21.0.dev0 documentation and Welcome to certbot-dns-ovh’s documentation! — certbot-dns-ovh 0 documentation

5 Likes

Oh, I didnt know. So I think I will do it with the plugin then. I got acme running but I dont 100% know what the right command is to get it to work with a wildcard cert.

Do you think this command will be the one I want to run for the wildcard one?:

certbot certonly \
  --dns-ovh \
  --dns-ovh-credentials ~/.secrets/certbot/ovh.ini \
  -d noobs.fun \
  -d *.noobs.fun
2 Likes

New error here:

certbot certonly \
>   --dns-ovh \
>   --dns-ovh-credentials ~/.secrets/certbot/ovh.ini \
>   -d noobs.fun \
>   -d *.noobs.fun
usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --dns-ovh-credentials /root/.secrets/certbot/ovh.ini

Why does it not know the '--dns-ovh-credentials' command?

The DNS plugins need to be installed separately.

3 Likes

I thought I already did this. I ran the command snap install certbot-dns-ovh to install it. Or is this not the right command for that?

Did you also run sudo snap set certbot trust-plugin-with-root=ok before that DNS plugin install command? If not, run this command and afterwards, re-install the DNS plugin.

Next, you can check the available plugins by running certbot plugins.

3 Likes

No. When I try to run this command, i get this message: error: snap "certbot" not found

Also, this is the output of certbot plugins:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I don't know why the plugin isn't listed there..

It seems you didn't install certbot through snap in the first place? How did you install certbot itself?

Probably because you're using different installation methods for the DNS plugins and certbot itself.

3 Likes

Could be. I can't remember how I installed it. Can I somewhere look how it was installed?

Looking at the ancient version of certbot you're currently running, you installed it using apt. You can check by running apt list certbot.

If you indeed used apt go install certbot, I recommend to switch to snap using the official certbot documentation for wildcard certificates here: Certbot - Ubuntubionic Nginx In the instructions, it has a step where you should remove the certbot installed using apt and continue using snap.

3 Likes

Ok, I will do that.

At the step where I install certbot with sudo snap install --classic certbot, I get this message:

error: cannot perform the following tasks:
- Run hook prepare-plug-plugin of snap "certbot" (run hook "prepare-plug-plugin":
-----
Only connect this interface if you trust the plugin author to have root on the system.
Run `snap set certbot trust-plugin-with-root=ok` to acknowledge this and then run this command again to perform the connection.
If that doesn't work, you may need to remove all certbot-dns-* plugins from the system, then try installing the certbot snap again.
-----)

Running snap set certbot trust-plugin-with-root=ok like written in the message doesn't work because snap certbot can't befound.

Edit: Ok, I needed to remove the dns plugin first. Now its working

1 Like

Ok now everything seems to work.

Thanks for all your help :slight_smile:

4 Likes

Great! I can indeed see your new certificate on crt.sh!

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.