The operating system my web server runs on is (include version): ubuntu 18.04.6 LTS
I can login to a root shell on my machine (yes or no, or I don't know): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0
Hi,
so again my certificate needs to be renewed but I totally forgot how I did it the last time. I thought that I had some kind of auto renew but it doesn't seem like it.
So I tried to renew the certificate with certbot renew but that fails with this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/noobs.fun-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (noobs.fun-0001) from /etc/letsencrypt/renewal/noobs.fun-0001.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/noobs.fun-0001/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/noobs.fun-0001/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
How can I renew the certificate and how can I activate the auto renew function?
How do I switch the authentication method to enable auto renew in the future?
btw, I would prefer that the path doesn't change where the cert and key are located because some of the applications I use depend on the exact path. I don't know if this is important because you mentioned that there is a -0001 in the name.
The path usually only changes if/when you use a similar (but not exact same) set of domain names.
So, I suspect that at some point you had another cert with less, or more, name(s) on it.
You basically reissue/renew the cert; that will record that method used into the renewal process file.
That said, I see that you got a wildcard cert.
Wildcard certs can only be authenticated via DNS.
If your DNS Service Provider (DSP) doesn't support DNS updates via API, you won't be able to automate renewals that way and won't be able to automate the wildcard entry.
If that is the case, you might consider spelling out all the names that you actually need - LE certs can hold up to 100 names in the SAN field.
If the DSP does support updates via API, then you will need to use an ACME client that supports a plugin that works with that DSP.
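The renewal failure quoted above comes from the renewal conf recording the manual plugin with no auth hook, so an unattended `certbot renew` has no way to answer the DNS-01 challenge. As an added example (not from this thread and not part of certbot), the POSIX shell script below audits /etc/letsencrypt/renewal/*.conf and flags every cert that would fail that way; it assumes certbot's `authenticator` and `manual_auth_hook` key names in the [renewalparams] section, and the two sample confs it writes are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit certbot renewal configs for
# certificates that cannot be renewed unattended. Key names follow the
# /etc/letsencrypt/renewal/*.conf format certbot writes ("authenticator",
# "manual_auth_hook"); the sample configs built below are constructed.

# Print the value of KEY from the [renewalparams] section of a renewal conf.
# Usage: renewal_param FILE KEY
renewal_param() {
    sed -n '/^\[renewalparams\]/,$p' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Classify one renewal conf:
#   ok               the recorded authenticator runs without a human present
#   manual-no-hook   manual plugin without --manual-auth-hook; this is the
#                    PluginError that `certbot renew` reported in the thread
#   no-authenticator the conf records no authenticator at all
check_renewal_conf() {
    auth=$(renewal_param "$1" authenticator)
    hook=$(renewal_param "$1" manual_auth_hook)
    case "$auth" in
        "")     echo "no-authenticator" ;;
        manual) if [ -n "$hook" ]; then echo "ok"; else echo "manual-no-hook"; fi ;;
        *)      echo "ok" ;;
    esac
}

# Audit every *.conf in a renewal directory; exit status 1 if any cert would
# fail an unattended `certbot renew`.
audit_renewal_dir() {
    rc=0
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        status=$(check_renewal_conf "$f")
        printf '%s\t%s\n' "$status" "$f"
        [ "$status" = "ok" ] || rc=1
    done
    return "$rc"
}

# Write two constructed renewal confs into a temp dir and print its path:
# one mirrors the thread's failing manual/DNS-01 setup, the other records a
# DNS plugin (dns-ovh) that can complete the challenge on its own.
make_demo_dir() {
    d=$(mktemp -d)
    cat > "$d/manual-example.conf" <<'EOF'
version = 0.31.0
cert = /etc/letsencrypt/live/example.test/cert.pem

# Options used in the renewal process
[renewalparams]
authenticator = manual
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
EOF
    cat > "$d/dns-example.conf" <<'EOF'
cert = /etc/letsencrypt/live/example.test/cert.pem

[renewalparams]
authenticator = dns-ovh
dns_ovh_credentials = /root/.secrets/certbot/ovh.ini
server = https://acme-v02.api.letsencrypt.org/directory
EOF
    echo "$d"
}

demo() {
    d=$(make_demo_dir)
    audit_renewal_dir "$d" || echo "at least one cert will fail an unattended 'certbot renew'"
    rm -rf "$d"
}

# With a directory argument, audit it (e.g. /etc/letsencrypt/renewal); with
# none, run the constructed demo.
if [ "$#" -gt 0 ]; then audit_renewal_dir "$1"; else demo; fi
```

Run it as `sh audit-renewal.sh /etc/letsencrypt/renewal` (as root, since that directory is root-only) before relying on a cron or systemd timer; a `manual-no-hook` line means the cert will keep failing exactly as in the output above until it is reissued with a DNS plugin or given a `--manual-auth-hook` script.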
I'm not very familiar with acme.sh, but I think those are the destination options for those files. I.e.: where the files will go after you got them from the Let's Encrypt API.
Oh, I didn't know. So I think I will do it with the plugin then. I got acme running but I don't 100% know what the right command is to get it to work with a wildcard cert.
Do you think this command will be the one I want to run for the wildcard one?:
certbot certonly \
> --dns-ovh \
> --dns-ovh-credentials ~/.secrets/certbot/ovh.ini \
> -d noobs.fun \
> -d *.noobs.fun
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --dns-ovh-credentials /root/.secrets/certbot/ovh.ini
Why does it not know the '--dns-ovh-credentials' command?
Did you also run sudo snap set certbot trust-plugin-with-root=ok before that DNS plugin install command? If not, run this command and afterwards re-install the DNS plugin.
Next, you can check the available plugins by running certbot plugins.
Looking at the ancient version of certbot you're currently running, you installed it using apt. You can check by running apt list certbot.
If you indeed used apt to install certbot, I recommend switching to snap using the official certbot documentation for wildcard certificates here: https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx#wildcard In the instructions, there is a step where you remove the certbot installed using apt and continue using snap.
At the step where I install certbot with sudo snap install --classic certbot, I get this message:
error: cannot perform the following tasks:
- Run hook prepare-plug-plugin of snap "certbot" (run hook "prepare-plug-plugin":
-----
Only connect this interface if you trust the plugin author to have root on the system.
Run `snap set certbot trust-plugin-with-root=ok` to acknowledge this and then run this command again to perform the connection.
If that doesn't work, you may need to remove all certbot-dns-* plugins from the system, then try installing the certbot snap again.
-----)
Running snap set certbot trust-plugin-with-root=ok like written in the message doesn't work because snap certbot can't be found.
Edit: Ok, I needed to remove the DNS plugin first. Now it's working.