Renew certificate for mail

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: smtp.estudioines.com

I ran this command: certbot renew

It produced this output:
2017-11-23 21:12:37,572:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/smtp.estudioines.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('Running manual mode non-interactively is not supported',). Skipping.

My web server is (include version):

The operating system my web server runs on is (include version): Debian

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

I'm only using a mail server on Debian with postfix and dovecot

It seems that your certificate was obtained using --manual, which is not supported in a non-interactive script.
Try running:
certbot renew --manual
and walk through the steps.
If that works, take note of the choices you made; as there may be a way to update the certbot system to make those same choices non-interactively.

certbot renew --manual

Processing /etc/letsencrypt/renewal/mail.mydomain.com.conf

Processing /etc/letsencrypt/renewal/imap.mydomain.com.conf

Processing /etc/letsencrypt/renewal/webmail.mydomain.com.conf

Processing /etc/letsencrypt/renewal/smtp.mydomain.com.conf

2017-11-25 10:07:56,331:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/smtp.mydomain.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('Running manual mode non-interactively is not supported',). Skipping.

The following certs are not due for renewal yet:
/etc/letsencrypt/live/mail.mydomain.com/fullchain.pem (skipped)
/etc/letsencrypt/live/imap.mydomain.com/fullchain.pem (skipped)
/etc/letsencrypt/live/webmail.mydomain.com/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/smtp.mydomain.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

There were 2 successful issuances for SMTP 10 days ago: https://crt.sh/?q=smtp.estudioines.com

Yes, but at that moment the mail server stopped working and we had to go back to the old configuration. Now the devices are connected, and the message that the certificate has expired appears.
What solution do you propose?

Renew the cert as you did a few days ago.

Thank you for your attention. Our situation is this: the email server was set up by a co-worker; he has had an accident and is not working at this time. We tried to renew the certificate in several ways. On November 15 the certificate was apparently renewed with the certbot command, choosing our domain and then apache (other options did not work); at that time the mail server stopped working, and the other devices (Microsoft Outlook) gave the error: cannot authenticate on the server …
We did not want to keep trying, even though the certificate is expired, the mails are still received and sent.
We await your help and thanks for the one already provided.

Would someone be so kind to help me?

Do you know how to configure this mail server? There must be a path to the certificate in the configuration file(s); which is it? What's the output of the command certbot certificates?

Hi, thanks:

root@mail:/home/panda# certbot certificates
usage:
certbot [SUBCOMMAND] [options] [-d domain] [-d domain] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert. Major SUBCOMMANDS are:

(default) run Obtain & install a cert in your current webserver
certonly Obtain cert, but do not install it (aka "auth")
install Install a previously obtained cert in a server
renew Renew previously obtained certs that are near expiry
revoke Revoke a previously obtained certificate
register Perform tasks related to registering with the CA
rollback Rollback server configuration changes made during install
config_changes Show changes made to server config during installation
plugins Display information about installed plugins
certbot: error: unrecognized arguments: certificates

Well, this is not useful, but it's not your fault. What about my other question about the mail server?

I do not know how to configure the mail server, but the server is working; the only problem is the message that the certificate has expired.

That's pretty bad. The problem here is that one cannot know if the mail server uses the certificates directly or if they get copied to another destination, maybe even into another format. So even if you could renew them with certbot, they may stay unchanged from the mail server's point of view.
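The concern in the reply above (the mail server may be pointed at a copy rather than at certbot's live files, so a renewal never reaches it) can be checked mechanically. The script below is an added example, not code from this thread or from certbot: it parses `certbot certificates` output and the certificate paths in Postfix and Dovecot configuration, then reports for each service whether the referenced file is a certbot-managed lineage that is still valid, an expired lineage, or a file certbot does not manage at all. The sample output and config excerpts are constructed (example.com names); the config keys `smtpd_tls_cert_file` and `ssl_cert` are the real Postfix and Dovecot ones.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `certbot certificates` output (certbot 0.10+ layout).
CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: mail.example.com
    Domains: mail.example.com
    Expiry Date: 2018-02-22 00:00:51+00:00 (VALID: 83 days)
    Certificate Path: /etc/letsencrypt/live/mail.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mail.example.com/privkey.pem
  Certificate Name: smtp.example.com
    Domains: smtp.example.com
    Expiry Date: 2017-11-12 16:16:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/smtp.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/smtp.example.com/privkey.pem
"""

# Constructed /etc/postfix/main.cf excerpt: points straight at the live lineage.
POSTFIX_MAIN_CF = """\
smtpd_tls_cert_file = /etc/letsencrypt/live/smtp.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/smtp.example.com/privkey.pem
"""

# Constructed Dovecot ssl conf excerpt: a copy outside /etc/letsencrypt,
# i.e. a file that `certbot renew` will never update.
DOVECOT_SSL_CONF = """\
ssl = required
ssl_cert = </etc/dovecot/private/imap.pem
ssl_key = </etc/dovecot/private/imap.key
"""

# Constructed capture time for the sample output, so results are reproducible.
CAPTURED_AT = datetime(2017, 11, 30, tzinfo=timezone.utc)

EXPIRY_RE = re.compile(
    r"Expiry Date:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})")


def parse_certbot_certificates(text):
    """Return {certificate_path: {"name", "domains", "expiry", "path"}}."""
    lineages = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            current = {"name": line.split(":", 1)[1].strip()}
        elif current is None:
            continue  # header lines before the first lineage
        elif line.startswith("Domains:"):
            current["domains"] = line.split(":", 1)[1].split()
        elif line.startswith("Expiry Date:"):
            m = EXPIRY_RE.match(line)
            if not m:
                raise ValueError("unparsed expiry line: " + line)
            current["expiry"] = datetime.fromisoformat(m.group(1))
        elif line.startswith("Certificate Path:"):
            path = line.split(":", 1)[1].strip()
            current["path"] = path
            lineages[path] = current
    return lineages


def mail_cert_paths(postfix_cf, dovecot_conf):
    """Return {service: cert_path} from Postfix main.cf and Dovecot ssl config."""
    refs = {}
    m = re.search(r"^\s*smtpd_tls_cert_file\s*=\s*(\S+)", postfix_cf, re.M)
    if m:
        refs["postfix"] = m.group(1)
    # Dovecot's '<path' syntax means "read the value from this file".
    m = re.search(r"^\s*ssl_cert\s*=\s*<?(\S+)", dovecot_conf, re.M)
    if m:
        refs["dovecot"] = m.group(1)
    return refs


def audit(lineages, cert_refs, now):
    """Classify each service's certificate reference."""
    findings = {}
    for service, path in cert_refs.items():
        lineage = lineages.get(path)
        if lineage is None:
            findings[service] = "not managed by certbot"
        elif lineage["expiry"] <= now:
            findings[service] = "expired"
        else:
            findings[service] = "ok"
    return findings


def run_audit(certbot_text=CERTBOT_OUTPUT, postfix_cf=POSTFIX_MAIN_CF,
              dovecot_conf=DOVECOT_SSL_CONF, now=CAPTURED_AT):
    return audit(parse_certbot_certificates(certbot_text),
                 mail_cert_paths(postfix_cf, dovecot_conf), now)


if __name__ == "__main__":
    for service, verdict in run_audit().items():
        print(f"{service}: {verdict}")
```

On a real host you would feed it the output of `certbot certificates`, `postconf -n` (or main.cf) and `doveconf -n`; a "not managed by certbot" verdict is exactly the copy-elsewhere case the reply warns about, and an "expired" verdict with a live-path reference means the renewal itself failed rather than the deployment.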

Okay, but could we try different ways of doing the procedure? If something goes wrong, we have a backup so we can go back. I think the certificates are on the same server; they are copied there. Are we talking about .pem files? I can look wherever you tell me.

cat /etc/letsencrypt/renewal/mail.mydomain.com.conf

renew_before_expiry = 30 days

version = 0.8.1
cert = /etc/letsencrypt/live/mail.mydomain.com/cert.pem
privkey = /etc/letsencrypt/live/mail.mydomain.com/privkey.pem
chain = /etc/letsencrypt/live/mail.mydomain.com/chain.pem
fullchain = /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = manual
installer = None
account = de891662f94f233d895114d6301497cc

What version of certbot are you using? You may need to update it in order to use the certbot certificates command. Updating it via apt-get should do the trick - the certbot certificates subcommand was added in 0.10.0 and the latest version in jessie-backports and stretch is 0.10.2.

If that works, you can use certbot certificates to get a list of the certificates currently on your server. This should help you to determine if you have one that’s currently valid for the domain name you want.

If you do, ensure your mail server configuration references the correct certificate, and reload the mail server. If you need help with that, please share your existing mail server configuration.

If you can’t find a valid certificate and still need to renew, note that the “manual” plugin that your co-worker apparently used originally is not compatible with the certbot renew command (at least not without some extra configuration and scripting). However you can force it to go through the manual process again by running certbot certonly --manual and selecting/entering the same set of domains that are on the cert that needs to be renewed.

Alternatively, you might try a different plugin; since you seem to have Apache on this server you could try: certbot certonly --apache (the certonly here prevents certbot from trying to install the certificate in Apache, which you don’t want if it’s only for the mail server, but you can still use Apache to obtain the certificate). An advantage of this approach is that unlike --manual, the --apache plugin does work with the certbot renew command so if you get that working, you’ll be able to renew the certificate automatically in the future.

You can also automate the step of reloading the mail server by using the --renew-hook option (later versions of certbot use --deploy-hook, which is almost the same but better).

For example:

sudo certbot certonly --apache -d smtp.estudioines.com --renew-hook "service postfix reload"

If you’re using certbot 0.10.0 or later, this will be remembered and run automatically on renewal so you don’t even have to reload the mail server manually. If you’re using an older version, you’ll have to add that option to the cron job instead (but I really do recommend upgrading if at all possible).

1 Like
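The --renew-hook / --deploy-hook option in the reply above accepts any executable, not only a one-line shell command. The script below is an added example, not code from this thread or from certbot: a hook that reloads only the mail services that actually consume the lineage just renewed, so a renewal of the IMAP certificate does not needlessly bounce Postfix. `RENEWED_LINEAGE` and `RENEWED_DOMAINS` are the environment variables certbot exports to renew/deploy hooks; the `SERVICES_BY_LINEAGE` mapping, the example.com names and the `--dry-run` switch are this example's own assumptions.

```python
#!/usr/bin/env python3
import os
import subprocess
import sys

# Assumed mapping from certbot lineage name (or certificate domain) to the
# services that use it. Adjust to match your own certificate layout.
SERVICES_BY_LINEAGE = {
    "smtp.example.com": ["postfix"],
    "imap.example.com": ["dovecot"],
    "mail.example.com": ["postfix", "dovecot"],
}


def lineage_name(renewed_lineage):
    """'/etc/letsencrypt/live/smtp.example.com' -> 'smtp.example.com'."""
    return os.path.basename(renewed_lineage.rstrip("/"))


def services_to_reload(renewed_lineage, renewed_domains):
    """Services affected by this renewal, by lineage name then by domain.

    The domain fallback matters for lineages certbot has numbered
    (e.g. live/smtp.example.com-0001), where the directory name no longer
    equals the domain on the certificate.
    """
    services = list(SERVICES_BY_LINEAGE.get(lineage_name(renewed_lineage), []))
    if not services:
        for domain in renewed_domains.split():
            for svc in SERVICES_BY_LINEAGE.get(domain, []):
                if svc not in services:
                    services.append(svc)
    return services


def reload_commands(services):
    # Same reload form the reply above uses ("service postfix reload").
    return [["service", svc, "reload"] for svc in services]


def run_hook(env, dry_run=False):
    """Return the reload commands chosen (and run them unless dry_run)."""
    lineage = env.get("RENEWED_LINEAGE")
    if not lineage:
        raise SystemExit("RENEWED_LINEAGE not set; run this as a certbot deploy hook")
    domains = env.get("RENEWED_DOMAINS", "")
    commands = reload_commands(services_to_reload(lineage, domains))
    if not commands:
        print(f"no mail service mapped to {lineage}; nothing to reload",
              file=sys.stderr)
        return commands
    if not dry_run and not os.path.exists(os.path.join(lineage, "fullchain.pem")):
        # Refuse to reload a service onto a lineage whose files are missing.
        raise SystemExit(f"{lineage}/fullchain.pem missing; not reloading")
    for cmd in commands:
        if dry_run:
            print("would run:", " ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return commands


if __name__ == "__main__":
    run_hook(os.environ, dry_run="--dry-run" in sys.argv)
```

Installed at a path of your choosing (say `/usr/local/bin/reload-mail-hook.py`, a hypothetical location), it is wired in with `certbot certonly --apache -d smtp.example.com --deploy-hook /usr/local/bin/reload-mail-hook.py`; certbot stores the hook in the renewal config, so later `certbot renew` runs call it for each lineage that was actually renewed.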

After the Debian update and certbot reinstall:

certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Revocation status for /etc/letsencrypt/live/smtp.mydomain.com/cert.pem is unknown


Found the following certs:
Certificate Name: mail.mydomain.com
Domains: mail.mydomain.com
Expiry Date: 2018-02-22 00:00:51+00:00 (VALID: 83 days)
Certificate Path: /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.mydomain.com/privkey.pem
Certificate Name: imap.mydomain.com
Domains: imap.mydomain.com
Expiry Date: 2018-02-22 00:09:00+00:00 (VALID: 83 days)
Certificate Path: /etc/letsencrypt/live/imap.mydomain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/imap.mydomain.com/privkey.pem
Certificate Name: webmail.mydomain.com
Domains: webmail.mydomain.com
Expiry Date: 2018-02-22 15:03:38+00:00 (VALID: 84 days)
Certificate Path: /etc/letsencrypt/live/webmail.mydomain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/webmail.mydomain.com/privkey.pem
Certificate Name: smtp.mydomain.com
Domains: smtp.estudioines.com
Expiry Date: 2017-11-12 16:16:00+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/smtp.mydomain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/smtp.mydomain.com/privkey.pem

Okay, so you only have one cert for smtp.estudioines.com on that server, and it’s expired. So you’ll need to get a new one. Try running

certbot certonly --apache -d smtp.estudioines.com

or

certbot certonly --manual -d smtp.estudioines.com

Hopefully one of those will get you a valid certificate. Then you might try reloading your mail server; if that doesn’t fix the problem, post the mail server configuration here.

OK, I ran certbot certonly --manual -d smtp.estudioines.com, and the cert (I believe) was renewed. I restarted the mail server, but Microsoft Outlook says "Security certificate cannot be verified".

https://www.google.com.ar/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=0ahUKEwjv4aO6lOXXAhXEUJAKHdLKDqkQjRwIBw&url=http%3A%2F%2Fwww.inmotionhosting.com%2Fsupport%2Femail%2Foutlook-2010%2Foutlook-2010-server-connected-to-using-security-certificate-cannot-verified&psig=AOvVaw0SqlOlFSK0c93MzD3G8U42&ust=1512092175024850

Hmm, that’s odd. Your server does seem to be using the renewed certificate now.

Does Outlook provide any more detail in that error message?