Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
It produced this output:
2017-11-23 21:12:37,572:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/smtp.estudioines.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘Running manual mode non-interactively is not supported’,). Skipping.
My web server is (include version):
The operating system my web server runs on is (include version): Debian
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
I’m only using it for a mail server on Debian with Postfix and Dovecot.
It seems that your certificate was obtained using --manual, which is not supported in a non-interactive script.
Try running: certbot renew --manual
and walk through the steps.
If that works, take note of the choices you made; as there may be a way to update the certbot system to make those same choices non-interactively.
2017-11-25 10:07:56,331:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/smtp.mydomain.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘Running manual mode non-interactively is not supported’,). Skipping.
The following certs are not due for renewal yet:
All renewal attempts failed. The following certs could not be renewed:
1 renew failure(s), 0 parse failure(s)
Yes, but at that moment the mail server stopped working and we had to go back to the configuration. Now the devices are connected and the message that the certificate expired goes out.
What solution do you propose?
Thank you for your attention. Our situation is this: the email server was mounted by a co-worker; he has had an accident and is not working at this time. We tried to renew the certificate in several ways. On November 15 the certificate was apparently renewed with the command certbot, choosing our domain and then apache (other options did not work). At that time the mail server stopped working, and the other devices (Microsoft Outlook) gave the error: can not authenticate on the server …
We did not want to keep trying, even though the certificate is expired, the mails are still received and sent.
We await your help and thanks for the one already provided.
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert. Major SUBCOMMANDS are:
  (default) run   Obtain & install a cert in your current webserver
  certonly        Obtain cert, but do not install it (aka "auth")
  install         Install a previously obtained cert in a server
  renew           Renew previously obtained certs that are near expiry
  revoke          Revoke a previously obtained certificate
  register        Perform tasks related to registering with the CA
  rollback        Rollback server configuration changes made during install
  config_changes  Show changes made to server config during installation
  plugins         Display information about installed plugins
certbot: error: unrecognized arguments: certificates
That's pretty bad. The problem here is that one cannot know if the mailserver uses the certificates directly or if they get copied to another destination, maybe even into another format. So even if you could renew them with certbot, they may stay unchanged from the mailserver's point of view.
Okay, but could we try different ways of doing the procedure? And if something goes wrong, we have a backup so we can go back. I think that the certificates are on the same server, they are copied there. We are talking about .pem files? I can see where you tell me.
What version of certbot are you using? You may need to update it in order to use the certbot certificates command. Updating it via apt-get should do the trick - the certbot certificates subcommand was added in 0.10.0 and the latest version in jessie-backports and stretch is 0.10.2.
If that works, you can use certbot certificates to get a list of the certificates currently on your server. This should help you to determine if you have one that’s currently valid for the domain name you want.
If you do, ensure your mail server configuration references the correct certificate, and reload the mail server. If you need help with that, please share your existing mail server configuration.
If you can’t find a valid certificate and still need to renew, note that the “manual” plugin that your co-worker apparently used originally is not compatible with the certbot renew command (at least not without some extra configuration and scripting). However you can force it to go through the manual process again by running certbot certonly --manual and selecting/entering the same set of domains that are on the cert that needs to be renewed.
Alternatively, you might try a different plugin; since you seem to have Apache on this server you could try: certbot certonly --apache (the certonly here prevents certbot from trying to install the certificate in Apache, which you don’t want if it’s only for the mail server, but you can still use Apache to obtain the certificate). An advantage of this approach is that unlike --manual, the --apache plugin does work with the certbot renew command so if you get that working, you’ll be able to renew the certificate automatically in the future.
You can also automate the step of reloading the mail server by using the --renew-hook option (later versions of certbot use --deploy-hook which is almost the same but better)
If you’re using certbot 0.10.0 or later, this will be remembered and run automatically on renewal so you don’t even have to reload the mail server manually. If you’re using an older version, you’ll have to add that option to the cron job instead (but I really do recommend upgrading if at all possible).
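An added example, not part of any post in this thread: a read-only check of the two questions raised above, namely which certificate file Postfix and Dovecot are configured to serve (certbot's live directory or a separate copy) and which authenticator the renewal configuration records. The Debian default paths /etc/postfix/main.cf and /etc/dovecot/conf.d/10-ssl.conf are assumptions, as are the function names.

```shell
#!/bin/sh
# Added example. Sample file contents used with these functions are constructed.

# Authenticator recorded in /etc/letsencrypt/renewal/<name>.conf.
# "manual" is what makes an unattended `certbot renew` skip the certificate.
renewal_authenticator() {
    sed -n 's/^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Certificate path from a Postfix main.cf (the last assignment wins).
postfix_cert_path() {
    sed -n 's/^smtpd_tls_cert_file[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Certificate path from a Dovecot config line such as: ssl_cert = </path/to/cert
dovecot_cert_path() {
    sed -n 's/^[[:space:]]*ssl_cert[[:space:]]*=[[:space:]]*<[[:space:]]*//p' "$1" | tail -n 1
}

# "live": follows certbot's symlinks, so a renewal is picked up after a reload.
# "copy": a separate file that stays unchanged when certbot renews.
classify_cert_path() {
    case "$1" in
        "") echo unset ;;
        /etc/letsencrypt/live/*) echo live ;;
        *) echo copy ;;
    esac
}

# Exit status 0 if the certificate file is readable and not yet expired.
cert_is_current() {
    [ -r "$1" ] && openssl x509 -checkend 0 -noout -in "$1" >/dev/null 2>&1
}

# One-line summary for a service: name, configured path, classification, expiry state.
report() {
    if cert_is_current "$2"; then state=current; else state="expired or unreadable"; fi
    printf '%s: %s (%s, %s)\n' "$1" "${2:-<none>}" "$(classify_cert_path "$2")" "$state"
}

# Run against the real files only when they exist (Debian default locations assumed).
[ -r /etc/postfix/main.cf ] && report postfix "$(postfix_cert_path /etc/postfix/main.cf)"
[ -r /etc/dovecot/conf.d/10-ssl.conf ] && report dovecot "$(dovecot_cert_path /etc/dovecot/conf.d/10-ssl.conf)"
for f in /etc/letsencrypt/renewal/*.conf; do
    [ -r "$f" ] && printf '%s: authenticator=%s\n' "$f" "$(renewal_authenticator "$f")"
done
true
```

A result of "copy" means a renewal hook has to re-copy the file as well as reload the service; "live" needs only the reload.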