Renew certificate error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.innpro.in

I ran this command: sudo certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/innpro.in.conf


Failed to renew certificate innpro.in with error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/innpro.in/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): aws lightsail Amazon Linux 2023

The operating system my web server runs on is (include version): Amazon Linux 2023

My hosting provider, if applicable, is: AWS Lightsail

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

Error I see in the letsencrypt.log file.

2025-01-18 17:35:13,521:DEBUG:certbot._internal.main:certbot version: 2.6.0
2025-01-18 17:35:13,522:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2025-01-18 17:35:13,522:DEBUG:certbot._internal.main:Arguments:
2025-01-18 17:35:13,523:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2025-01-18 17:35:13,539:DEBUG:certbot._internal.log:Root logging level set at 30
2025-01-18 17:35:13,545:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/innpro.in.conf
2025-01-18 17:35:13,562:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7fc165734f70> and installer <certbot._internal.cli.cli_utils._Default object at 0x7fc165734f70>
2025-01-18 17:35:13,610:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): e5.o.lencr.org:80
2025-01-18 17:35:13,636:DEBUG:urllib3.connectionpool:http://e5.o.lencr.org:80 "POST / HTTP/1.1" 200 345
2025-01-18 17:35:13,637:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/innpro.in/cert5.pem is signed by the certificate's issuer.
2025-01-18 17:35:13,640:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/innpro.in/cert5.pem is: OCSPCertStatus.GOOD
2025-01-18 17:35:13,645:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2025-02-04 18:37:26 UTC.
2025-01-18 17:35:13,645:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2025-01-18 17:35:13,645:DEBUG:certbot._internal.plugins.selection:Requested authenticator manual and installer None
2025-01-18 17:35:13,647:DEBUG:certbot._internal.plugins.disco:Other error:(PluginEntryPoint#manual): An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/certbot/_internal/plugins/disco.py", line 111, in prepare
self._initialized.prepare()
File "/usr/lib/python3.9/site-packages/certbot/_internal/plugins/manual.py", line 115, in prepare
raise errors.PluginError(
certbot.errors.PluginError: An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
2025-01-18 17:35:13,649:DEBUG:certbot._internal.plugins.selection:No candidate plugin
2025-01-18 17:35:13,649:ERROR:certbot._internal.renewal:Failed to renew certificate innpro.in with error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
2025-01-18 17:35:13,651:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/certbot/_internal/renewal.py", line 533, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1544, in renew_cert
installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
File "/usr/lib/python3.9/site-packages/certbot/_internal/plugins/selection.py", line 256, in choose_configurator_plugins
diagnose_configurator_problem("authenticator", req_auth, plugins)
File "/usr/lib/python3.9/site-packages/certbot/_internal/plugins/selection.py", line 374, in diagnose_configurator_problem
raise errors.PluginSelectionError(msg)
certbot.errors.PluginSelectionError: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')

2025-01-18 17:35:13,651:DEBUG:certbot._internal.display.obj:Notifying user:


2025-01-18 17:35:13,651:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed:
2025-01-18 17:35:13,652:ERROR:certbot._internal.renewal: /etc/letsencrypt/live/innpro.in/fullchain.pem (failure)
2025-01-18 17:35:13,652:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2025-01-18 17:35:13,652:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 8, in
sys.exit(main())
File "/usr/lib/python3.9/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1864, in main
return config.func(config, plugins)
File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1636, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python3.9/site-packages/certbot/_internal/renewal.py", line 559, in handle_renewal_request
raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2025-01-18 17:35:13,655:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

Hi @srikanthpolineni,

Here is a list of issued certificates crt.sh | innpro.in, the most recent being 2025-01-18 and it is a wildcard certificate which will cover www.innpro.in. Also I do not see any previously issued certificate for just www.innpro.in, thus renewal should be an issue presently.

Edit

However the certificate presently being served is crt.sh | 15306878171 which is not the most recent.

        Validity
            Not Before: Nov  6 18:37:27 2024 GMT
            Not After : Feb  4 18:37:26 2025 GMT

This is what I see with curl showing Server: nginx/1.24.0.

~$ curl -Ii http://www.innpro.in
HTTP/1.1 301 Moved Permanently
Server: nginx/1.24.0
Date: Sat, 18 Jan 2025 18:23:17 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://www.innpro.in/

$ curl -Ii https://www.innpro.in
HTTP/1.1 200 OK
Server: nginx/1.24.0
Date: Sat, 18 Jan 2025 18:23:25 GMT
Content-Type: text/html
Content-Length: 764
Last-Modified: Mon, 13 Jan 2025 15:58:13 GMT
Connection: keep-alive
ETag: "67853815-2fc"
Accept-Ranges: bytes

Please show the output of sudo certbot certificates and for this command sudo nginx -T as well.


@Bruce5051

It used to be just innpro.in, but last time I updated it with innpro.in and *.InnPro.in. This is the first time I'm doing a renewal after generating *.InnPro.in.

Can you please help me with how to fix this issue? Can I revoke / delete all certificates and start creating new ones for both innpro.in and *.InnPro.in? Any help will be much appreciated. Thanks in advance.

In general for a wildcard certificate you would want both domain names innpro.in and *.innpro.in on the certificate's SANs.


Here is what I had (where renew created new cert 0001)

[ec2-user@ip-172-26-4-22 ~]$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: innpro.in-0001
Serial Number: 4b2aea609dff7370a76d2af2ac1fd47141d
Key Type: ECDSA
Domains: *.innpro.in
Expiry Date: 2025-04-18 15:32:28+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/innpro.in-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/innpro.in-0001/privkey.pem
Certificate Name: innpro.in
Serial Number: 34b45e415cec5b73fbda2580494632dc352
Key Type: ECDSA
Domains: *.innpro.in innpro.in
Expiry Date: 2025-02-04 18:37:26+00:00 (VALID: 17 days)
Certificate Path: /etc/letsencrypt/live/innpro.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/innpro.in/privkey.pem


But I removed innpro.in-0001 using the command below:
sudo certbot delete --cert-name innpro.in-0001

Now the latest command output is:

[ec2-user@ip-172-26-4-22 ~]$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: innpro.in
Serial Number: 34b45e415cec5b73fbda2580494632dc352
Key Type: ECDSA
Domains: *.innpro.in innpro.in
Expiry Date: 2025-02-04 18:37:26+00:00 (VALID: 17 days)
Certificate Path: /etc/letsencrypt/live/innpro.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/innpro.in/privkey.pem


Revoking is not necessary unless your private key has been compromised. It won't help the renewal.

Your renewal is failing simply because you used a --manual option. The renew command cannot auto-renew a manually requested cert. You have to repeat your original command or use the --manual-auth-hook. All of this is described in the Certbot docs: User Guide — Certbot 3.2.0.dev0 documentation

Do these instructions help at all? This is the way AWS recommends setting up such sites. LightSail can be used for other purposes but if this matches your situation it should help:

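For the --manual-auth-hook route mentioned above, here is a provider-agnostic hook script that serves as both the auth and the cleanup hook. It is an added example for this thread, not code from Certbot or from anyone in the discussion. It assumes two hypothetical commands you supply, TXT_ADD_CMD and TXT_DEL_CMD (each run as "$CMD <record-name> <value>" to add or delete one TXT value at your DNS provider), and DNS_NS, an authoritative nameserver for the zone; CERTBOT_DOMAIN, CERTBOT_VALIDATION and CERTBOT_AUTH_OUTPUT are the variables Certbot itself exports to manual hooks.

```shell
#!/bin/sh
# acme-dns-hook: one script used as both --manual-auth-hook and --manual-cleanup-hook.
# Added example for this thread, not Certbot's own code.
# Assumed (hypothetical) environment supplied by you:
#   TXT_ADD_CMD / TXT_DEL_CMD  provider-specific commands run as "$CMD <name> <value>"
#                              that add or delete ONE TXT value at <name>
#   DNS_NS                     an authoritative nameserver for the zone
# Supplied by Certbot: CERTBOT_DOMAIN, CERTBOT_VALIDATION, CERTBOT_AUTH_OUTPUT.
set -eu

# Record name for a dns-01 challenge. Certbot hands a wildcard authorization
# over as the base name already, but strip "*." defensively: innpro.in and
# *.innpro.in both validate at _acme-challenge.innpro.in.
acme_record_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Succeeds if the TXT record $1, as served by nameserver $2, contains value $3.
# DIG may be overridden to inject a fake lookup for offline testing.
txt_has_value() {
    ${DIG:-dig} +short TXT "$1" @"$2" | tr -d '"' | grep -qx -- "$3"
}

# Poll until the value is visible: up to $4 attempts (default 30), $5 seconds
# apart (default 5). Certbot starts validation the moment the auth hook exits,
# so returning before the authoritative server answers fails the challenge.
wait_for_txt() {
    name=$1 ns=$2 value=$3 attempts=${4:-30} delay=${5:-5}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if txt_has_value "$name" "$ns" "$value"; then
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    echo "TXT $name with the expected value not visible at $ns after $attempts attempts" >&2
    return 1
}

auth_hook() {
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    # Add a value, never replace the record set: the second challenge of the
    # same order (innpro.in and *.innpro.in) lands at the same name and the
    # first value must survive.
    "$TXT_ADD_CMD" "$name" "$CERTBOT_VALIDATION"
    wait_for_txt "$name" "$DNS_NS" "$CERTBOT_VALIDATION"
    # Stdout is passed back to the cleanup hook as CERTBOT_AUTH_OUTPUT.
    printf '%s %s\n' "$name" "$CERTBOT_VALIDATION"
}

cleanup_hook() {
    # Remove only the value this invocation added (name and value from auth).
    set -- ${CERTBOT_AUTH_OUTPUT:?cleanup called without auth output}
    "$TXT_DEL_CMD" "$1" "$2"
}

case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
    "")      ;;   # no mode given: functions defined only (sourced for testing)
    *)       echo "usage: $0 auth|cleanup" >&2; exit 2 ;;
esac
```

Issue the certificate once with the hooks on the command line so that Certbot records them in /etc/letsencrypt/renewal/innpro.in.conf, for example `sudo certbot certonly --manual --preferred-challenges dns -d innpro.in -d '*.innpro.in' --manual-auth-hook '/usr/local/bin/acme-dns-hook auth' --manual-cleanup-hook '/usr/local/bin/acme-dns-hook cleanup' --deploy-hook 'systemctl reload nginx'`, then confirm that unattended renewal now works with `sudo certbot renew --dry-run`. Two details a quick script tends to miss: both names are validated at the same record name, so the hook must add a second TXT value rather than overwrite the first, and the hook must not return until the value is visible on the authoritative nameservers, which is exactly the "verify the TXT record has been deployed" step the interactive prompt asks a human to do.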

Note the path is different; a more knowledgeable Let's Encrypt community can explain how this happens.

But from the point of view of the web server (I believe that is nginx) it seems to be using the second path the one without -0001 in it.


Please show the output of this command sudo nginx -T.


Correct, nginx is using the one without 0001. Below is part of the nginx config section.

ssl_certificate /etc/letsencrypt/live/innpro.in/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/innpro.in/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

Thus that path tells you which certificate is going to be served.


You got a cert name and path for -0001 because you requested similar cert but not an identical one. Note the different list of names in the two certs. To continue with your manual method be sure to issue the identical command as your original.

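An added check, not from the thread or from Certbot or nginx, that reads the two outputs Bruce5051 asked for (`sudo certbot certificates` and `sudo nginx -T`) and reports lineages Certbot holds that nginx never loads, which is how a lineage such as innpro.in-0001 can be created by renewal while the old certificate keeps being served from the other path. It also lists paths nginx references that Certbot does not manage, the situation `certbot delete` leaves behind if the deleted lineage was the one in the config. The sample inputs are constructed from the outputs posted above; the server block around the four ssl_ lines is assumed.

```shell
#!/bin/sh
# Added check for this thread, not part of Certbot or nginx: compare the
# certificate lineages Certbot manages (`sudo certbot certificates`) with the
# files nginx actually loads (`sudo nginx -T`), so a lineage that renewal
# created but nothing serves (the innpro.in-0001 case above) is flagged.
set -eu

# One line per lineage: name<TAB>fullchain path<TAB>domains
certbot_lineages() {
    awk '
        $1 == "Certificate" && $2 == "Name:" { name = $3 }
        $1 == "Domains:"                     { $1 = ""; sub(/^ +/, ""); domains = $0 }
        $1 == "Certificate" && $2 == "Path:" { printf "%s\t%s\t%s\n", name, $3, domains }
    ' "$@"
}

# Every ssl_certificate path in an nginx -T dump (key paths are not listed).
nginx_cert_paths() {
    awk '$1 == "ssl_certificate" { sub(/;$/, "", $2); print $2 }' "$@" | sort -u
}

# Names of lineages whose fullchain.pem no nginx server block references.
unused_lineages() {
    certbot_out=$1 nginx_out=$2
    used=$(nginx_cert_paths "$nginx_out")
    certbot_lineages "$certbot_out" | while IFS="$(printf '\t')" read -r name path domains; do
        printf '%s\n' "$used" | grep -qx -- "$path" || printf '%s\n' "$name"
    done
}

# Paths nginx references that Certbot does not manage (a typo, or a lineage
# removed with `certbot delete`: nginx would then fail to reload).
orphan_nginx_paths() {
    certbot_out=$1 nginx_out=$2
    known=$(certbot_lineages "$certbot_out" | cut -f2)
    nginx_cert_paths "$nginx_out" | while read -r path; do
        printf '%s\n' "$known" | grep -qx -- "$path" || printf '%s\n' "$path"
    done
}

# Constructed sample input, copied from the outputs posted in this thread.
sample_certbot_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: innpro.in-0001
    Serial Number: 4b2aea609dff7370a76d2af2ac1fd47141d
    Key Type: ECDSA
    Domains: *.innpro.in
    Expiry Date: 2025-04-18 15:32:28+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/innpro.in-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/innpro.in-0001/privkey.pem
  Certificate Name: innpro.in
    Serial Number: 34b45e415cec5b73fbda2580494632dc352
    Key Type: ECDSA
    Domains: *.innpro.in innpro.in
    Expiry Date: 2025-02-04 18:37:26+00:00 (VALID: 17 days)
    Certificate Path: /etc/letsencrypt/live/innpro.in/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/innpro.in/privkey.pem
EOF
}

# The server block itself is assumed; the four ssl_ lines are from the thread.
sample_nginx_output() {
    cat <<'EOF'
server {
    listen 443 ssl;
    server_name innpro.in www.innpro.in;
    ssl_certificate /etc/letsencrypt/live/innpro.in/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/innpro.in/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
EOF
}

report() {
    certbot_out=$1 nginx_out=$2
    echo "nginx serves:"; nginx_cert_paths "$nginx_out"
    echo "certbot lineages not served by nginx:"; unused_lineages "$certbot_out" "$nginx_out"
    echo "nginx paths certbot does not manage:"; orphan_nginx_paths "$certbot_out" "$nginx_out"
}

# Usage: acme-lineage-check <certbot-certificates-output> <nginx-T-output>
# With no arguments the constructed sample above is used.
if [ "$#" -eq 2 ]; then
    report "$1" "$2"
else
    tmp_c=$(mktemp) tmp_n=$(mktemp)
    sample_certbot_output > "$tmp_c"; sample_nginx_output > "$tmp_n"
    report "$tmp_c" "$tmp_n"
    rm -f "$tmp_c" "$tmp_n"
fi
```

Run it as `sudo certbot certificates > /tmp/cb.txt; sudo nginx -T > /tmp/ng.txt 2>&1; sh acme-lineage-check /tmp/cb.txt /tmp/ng.txt`. On the sample it lists innpro.in-0001 as unused, matching what the poster saw. The same reasoning explains why a successful renewal can still leave the old certificate on the wire: nginx keeps the files it loaded at start until it is reloaded, so a renewal done with certonly should be paired with a `--deploy-hook 'systemctl reload nginx'` (or a manual reload) and then checked from the outside, as Bruce5051 did with curl and crt.sh.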

Can you help on command to renew both innpro.in and *.innpro.in domain certificate?
I ran sudo certbot renew --manual --preferred-challenges dns -d innpro.in -d *.innpro.in
which didn't work.

I already explained why that does not work. With --manual option you should re-issue your original command. Probably like:

sudo certbot certonly --manual --preferred-challenges dns -d innpro.in -d "*.innpro.in"

I ran the command below now, which failed. Not sure what order I used last time.
sudo certbot renew --manual --preferred-challenges dns -d innpro.in -d *.innpro.in

Cannot use certbot renew for a cert you originally got with --manual option.

Please read my post just prior to your latest


Does the order of domains matter?
-d innpro.in -d "*.innpro.in"

No, and it should probably be as I provided earlier:

sudo certbot certonly --manual --preferred-challenges dns -d innpro.in -d "*.innpro.in"

The above command is asking me to add a TXT record in the DNS. Do I need to add a TXT record?

[ec2-user@ip-172-26-4-22 ~]$ sudo certbot certonly --manual --preferred-challenges dns -d innpro.in -d "*.innpro.in"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for innpro.in and *.innpro.in


Please deploy a DNS TXT record under the name:

_acme-challenge.innpro.in.

with the following value:

LzMWaE_qJg6uFvremoved*ACwVpo1rYM9X5rJYo

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: Dig (DNS lookup).
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.


Press Enter to Continue

It looks like you followed those instructions as I see a fresh cert with both names in it: crt.sh | 16309326177

What about the instructions were not clear to you?
