Renew --manual question


#1

General question here:

I used certbot manual DNS validation, but when I run sudo certbot renew --dry-run it fails and gives an error since it is the manual plugin.

I am wondering if certbot should disable the attempt at automatic renewals if someone uses --manual.


#2

Usually one would include a manual auth hook script to perform the manual actions. Otherwise, you’re correct, the use of --manual for automated renewals is destined for failure. Certbot actually does prevent these attempts, hence the error you’re getting, as it realizes that there is nobody to take the manual steps required.


#3

I normally would also like to set it up to autorenew, but I’ve been having a really tough time with it. I’m not sure if it’s because I’m relatively new to LetsEncrypt stuff or not.

I’m using AWS and configured a security group, so the site is not publicly accessible. Because of this, I decided to use --manual for DNS validation. However, I see from lots of Google searching that the --dns-route53 plugin is not actually included with certbot, and trying to install it led me down various rabbit holes (e.g. pip vs. Docker). So I pretty much gave up on renewals for now until there is some more streamlined way for Route53.

Is --manual-auth-hook pretty much just a custom config that would do the same thing as the --dns-route53 plugin would?


#4

You might be better off using a different client. acme.sh, for example, supports Route53 natively.


#5

I was looking at third party clients, but I’m a little apprehensive using third party scripts for things like that. I am fine with doing it manually until the official --dns-route53 plugin starts working.


#6

Hi @arisbanach

Official Route 53 from certbot is here already…

Thank you


#7

Yeah, the source code is. But a rather “normal” way of installing it isn’t.

The “Setup” part from the README is rather… Well… Useless for regular users.
“Create a virtual environment”? Say what? How? Why? How again?
“Make sure you have libssl-dev and libffi (or your regional equivalents) installed. You might have to set compiler flags (…)” Whuuuuhhhh OK, the h*ll with this s…, I’m gonna do something else…


#8

That is exactly what I experienced.

I was expecting to just add --dns-route53 and pass it whatever AWS tokens I need for the IAM user I created, but I gave up trying to figure it out.

I honestly thought maybe someone just added the wrong information to the README it was that useless.


#9

Well, I guess github is meant for developers, so it isn’t that strange the README page isn’t written in a manner so non-developers would understand.

I hope the DNS plugins will be included in the certbot package(s) some day soon.


#10

First off, I’d advise that “third-party” in this sense is a bit of a misnomer, since even EFF’s Certbot could be technically considered “third-party”. The acme.sh client you were recommended is indeed significantly more effective with DNS authorizations, as there are far more integrations included natively.

For that question, not quite. You’d need to provide an argument to that flag specifying a command (or, more commonly, a shell script) that will perform the necessary steps for the validation. See the Hooks section of the Certbot manual for more info on how to use this flag.
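Posts #2 and #10 describe what --manual-auth-hook needs: a command that certbot runs before asking the CA to validate, with the domain and the validation token available in its environment (certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the auth hook, and the cleanup hook gets the same variables plus CERTBOT_AUTH_OUTPUT). The script below is an added example, not code from certbot or from anyone in this thread. It can serve as both --manual-auth-hook and --manual-cleanup-hook, publishing and later deleting the _acme-challenge TXT record in Route 53 through the AWS CLI. It assumes the AWS CLI is installed with credentials for a principal allowed to change records in the zone, and that the hosted zone ID is passed in an environment variable named HOSTED_ZONE_ID (a name chosen for this example, not a certbot variable).

```shell
#!/bin/sh
# Added example: Route 53 hook for certbot --manual. Not part of certbot.
# Assumes: aws CLI on PATH with suitable credentials, HOSTED_ZONE_ID exported
# by the caller (example-specific name), certbot supplying CERTBOT_DOMAIN and
# CERTBOT_VALIDATION as documented in the Hooks section of the certbot manual.
set -eu

# Record name the CA will query for the dns-01 challenge (FQDN with trailing dot).
challenge_name() {
    printf '_acme-challenge.%s.' "$1"
}

# Build a Route 53 change batch for the TXT record. Route 53 stores TXT values
# in double quotes, so the token is emitted as "\"token\"" inside the JSON.
# Action is UPSERT to publish the record or DELETE to remove it.
change_batch() {
    action=$1; domain=$2; value=$3
    printf '{"Changes":[{"Action":"%s","ResourceRecordSet":{"Name":"%s","Type":"TXT","TTL":60,"ResourceRecords":[{"Value":"\\"%s\\""}]}}]}' \
        "$action" "$(challenge_name "$domain")" "$value"
}

# Submit the change and block until Route 53 reports it INSYNC, so the record
# is live on the authoritative servers before certbot asks the CA to validate.
apply_change() {
    change_id=$(aws route53 change-resource-record-sets \
        --hosted-zone-id "$HOSTED_ZONE_ID" \
        --change-batch "$1" \
        --query 'ChangeInfo.Id' --output text)
    aws route53 wait resource-record-sets-changed --id "$change_id"
}

# Only act when certbot has invoked us (CERTBOT_DOMAIN is set). The first
# argument selects the mode: "auth" (default) publishes, "cleanup" deletes.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    case "${1:-auth}" in
        auth)    apply_change "$(change_batch UPSERT "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION")" ;;
        cleanup) apply_change "$(change_batch DELETE "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION")" ;;
        *)       echo "usage: $0 [auth|cleanup]" >&2; exit 2 ;;
    esac
fi
```

Install it somewhere root-owned and non-writable by other users, then issue with something like `HOSTED_ZONE_ID=Z... certbot certonly --manual --preferred-challenges dns --manual-auth-hook "/usr/local/bin/route53-hook.sh auth" --manual-cleanup-hook "/usr/local/bin/route53-hook.sh cleanup" -d example.com`. Certbot records the hook commands in the renewal configuration, so `certbot renew` reruns them unattended and the dry run from the original question succeeds. Two caveats: the hook runs once per name, and a wildcard plus its base name share the same _acme-challenge record, so for that case the UPSERT above would overwrite the first token; the manual documents CERTBOT_REMAINING_CHALLENGES and CERTBOT_ALL_DOMAINS for accumulating several values into one record set. And HOSTED_ZONE_ID must be exported in the renewal environment (for example in the systemd timer or cron entry), not just in your interactive shell.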


#11

I am a developer. There are many developers from many different backgrounds using many different technologies and terminologies. I’ve read a lot of READMEs over the years and this GitHub page is one of the worst.


#12

What OS are you using? On some of them, it’s already easy to install the dns-route53 plugin.


#13

I’m using Ubuntu, but I don’t see any way to easily do that.


#14

Which version of Ubuntu? You can just apt install python3-certbot-dns-route53 on 18.04.

You can do the same thing if you’re using the PPA, but the PPA Route 53 package is very new and I’m not certain if it’s recommended yet.

You can also use Docker.
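Post #14 gives the package name, and post #8 asked how the plugin is given its AWS credentials. The script below is an added example, not from certbot or from this thread, showing the whole path on Ubuntu 18.04: install the distro package, create a dedicated IAM user whose only permission is to change records in the one hosted zone (the least-privilege policy the certbot-dns-route53 documentation publishes), store its access key where the plugin will look when renewal runs as root, and issue plus dry-run renew. The IAM user name "certbot-route53" and the policy name are chosen for this example; the zone ID and domain are passed as arguments.

```shell
#!/bin/sh
# Added example: packaged --dns-route53 plugin on Ubuntu 18.04 with a scoped IAM user.
# Not certbot's own code. Assumes sudo, the aws CLI with admin credentials for the
# IAM setup steps, and an existing public hosted zone for the domain.
set -eu

# Least-privilege policy from the certbot-dns-route53 docs: ListHostedZones and
# GetChange are account-wide read calls, but record writes are limited to one zone.
route53_policy() {
    zone_id=$1
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["route53:ListHostedZones", "route53:GetChange"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["route53:ChangeResourceRecordSets"],
      "Resource": ["arn:aws:route53:::hostedzone/${zone_id}"]
    }
  ]
}
EOF
}

# Everything below changes the system and the AWS account, so it runs only when
# invoked as: ./setup-route53.sh apply <hosted-zone-id> <domain>
if [ "${1:-}" = "apply" ]; then
    zone_id=$2; domain=$3

    # 1. On 18.04 the plugin is a distro package; no pip or virtualenv needed.
    sudo apt install -y certbot python3-certbot-dns-route53

    # 2. Dedicated IAM user that can only edit records in this zone.
    aws iam create-user --user-name certbot-route53
    route53_policy "$zone_id" > /tmp/certbot-route53-policy.json
    aws iam put-user-policy --user-name certbot-route53 \
        --policy-name certbot-route53 \
        --policy-document file:///tmp/certbot-route53-policy.json

    # 3. Renewal runs as root from certbot's timer/cron job, so the plugin (boto3)
    #    reads root's credential file. Create the key and write it with mode 600.
    aws iam create-access-key --user-name certbot-route53 \
        --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text |
    sudo sh -c 'read id secret; umask 077; mkdir -p /root/.aws;
        printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\n" \
            "$id" "$secret" > /root/.aws/credentials'

    # 4. Issue with the plugin. certbot stores the authenticator in the renewal
    #    config, so the dry run exercises exactly what the timer will do later.
    sudo certbot certonly --dns-route53 -d "$domain"
    sudo certbot renew --dry-run
fi
```

If the key is compromised, the blast radius is one zone's records rather than the whole account, which is the point of scoping the policy to a hosted zone ARN instead of "*". Rotate the key with `aws iam create-access-key` / `aws iam delete-access-key` as you would any long-lived credential.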


#15

I’ll try that when I get the chance. Is that package name in the documentation somewhere?

