Renew non Apache domain

Hello,

PS: sorry for posting this, as I was not really able to search for it....

I have several domains with Let's Encrypt; the website (Apache) domains work fine with renewal. But I also have a non-Apache domain and was successful registering it etc., so I thought I was done. Now I get a warning that the domain is almost expired.

The cron job for the renewal is running, certbot:
0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

Just to be sure I also tried manually with this command:
certbot renew --manual

Both give this error message:

Processing /etc/letsencrypt/renewal/some-domain.conf

Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (some-domain) from /etc/letsencrypt/renewal/some-domain.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/some-domain/fullchain.pem (failure)

I also checked the /etc/letsencrypt/renewal/some-domain.conf:

renew_before_expiry = 30 days

version = 0.40.0
archive_dir = /etc/letsencrypt/archive/some-domain
cert = /etc/letsencrypt/live/some-domain/cert.pem
privkey = /etc/letsencrypt/live/some-domain/privkey.pem
chain = /etc/letsencrypt/live/some-domain/chain.pem
fullchain = /etc/letsencrypt/live/some-domain/fullchain.pem

Options used in the renewal process

[renewalparams]
account = (some account string)
pref_challs = dns-01,
authenticator = manual
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory

I notice that all other domains have the option "authenticator = apache", as they are running Apache.
However, the above domain has "pref_challs = dns-01", which is correct and also has a DNS entry, and the option "authenticator = manual".
This entry should be correct, as I was able to register the first time.

So what do I need to do to get it working? It's not clear to me.
Or do I need 2 cron jobs with different parameters? I hope not....

Thanks, any help is appreciated.
Matthijs

1 Like

Hi @matthys70, and welcome to the LE community forum :slight_smile:

There is no way to automate the renewal of domains that were obtained using manual authentication.

3 Likes

So .. what would be the procedure for a non-Apache domain for which I want to use automatic renewal and challenges by DNS?

I checked how I obtained the certificate, and that was via this command:
certbot certonly --manual -d some-domain --preferred-challenges dns

However, at the end it says this, which confuses me:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/some-domain/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/some-domain/privkey.pem
Your cert will expire on 2022-09-16. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
"certbot renew"

1 Like

I'll let rg305 continue with advice but I will just point out:

You can get another cert using manual by re-running it and entering the needed command manually. But, there is no way to enter the new challenge data manually when certbot runs in the background in cron (or timer). See:
https://eff-certbot.readthedocs.io/en/stable/using.html#manual

You could try using a DNS plug-in, the standalone option, or build the manual auth hook described depending on your needs.

5 Likes
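To make the "manual auth hook" route concrete: below is an added example, not code from the thread or from certbot, of a hook pair that publishes the dns-01 TXT record with an RFC 2136 dynamic update (nsupdate) so that the cron `certbot renew` from the first post can complete unattended. Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook; the DNS server address, the TSIG key file path and the `auth`/`cleanup` mode argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): a certbot --manual-auth-hook /
# --manual-cleanup-hook pair that publishes the dns-01 TXT record through an
# RFC 2136 dynamic update with nsupdate, so "certbot renew" can run from cron.
# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook. The DNS
# server address and TSIG key file are assumptions for this example.
DNS_SERVER="${DNS_SERVER:-127.0.0.1}"
TSIG_KEY_FILE="${TSIG_KEY_FILE:-/etc/letsencrypt/acme-update.key}"

# Record name Let's Encrypt queries: "_acme-challenge." in front of the domain.
# A leading "*." is stripped so a wildcard request validates on the base name.
acme_record_name() {
    printf '_acme-challenge.%s' "${1#\*.}"
}

# Emit an nsupdate command script (on stdout) that replaces or removes the
# validation TXT record. Any stale record is deleted first so a previous
# failed run cannot leave an old token in place.
nsupdate_script() {
    action="$1"
    name=$(acme_record_name "$2")
    printf 'server %s\n' "$DNS_SERVER"
    printf 'update delete %s. TXT\n' "$name"
    if [ "$action" = add ]; then
        printf 'update add %s. 60 TXT "%s"\n' "$name" "$3"
    fi
    printf 'send\n'
}

# Poll the authoritative server until the record is visible, so certbot does
# not ask Let's Encrypt to validate before the update has landed.
wait_for_record() {
    name=$(acme_record_name "$1")
    tries=0
    while [ "$tries" -lt 30 ]; do
        if dig +short @"$DNS_SERVER" "$name" TXT | grep -Fq "\"$2\""; then
            return 0
        fi
        tries=$((tries + 1))
        sleep 2
    done
    echo "record $name not visible on $DNS_SERVER after 60s" >&2
    return 1
}

main() {
    if [ -z "${CERTBOT_DOMAIN:-}" ] || [ -z "${CERTBOT_VALIDATION:-}" ]; then
        echo "CERTBOT_DOMAIN / CERTBOT_VALIDATION not set; run this via certbot" >&2
        exit 2
    fi
    case "$1" in
        auth)
            nsupdate_script add "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY_FILE"
            wait_for_record "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
            ;;
        cleanup)
            nsupdate_script delete "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY_FILE"
            ;;
    esac
}

# Only act when invoked with a mode; sourcing the file just defines the functions.
case "${1:-}" in
    auth|cleanup) main "$1" ;;
esac
```

Installed as, say, /usr/local/bin/acme-dns-hook (an assumed path), it is wired in once with `certbot certonly --manual --preferred-challenges dns --manual-auth-hook '/usr/local/bin/acme-dns-hook auth' --manual-cleanup-hook '/usr/local/bin/acme-dns-hook cleanup' -d some-domain`; certbot records the hook paths in the lineage's renewal conf, so later `certbot renew` runs reuse them without prompting. On the name server side, restrict the TSIG key in the update policy to the `_acme-challenge` names and the TXT type, so a leaked key on the web host cannot rewrite the rest of the zone.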

Okay, played around with DNS and the Gandi API plugin and now I got this in the /etc/letsencrypt/renewal/some-domain.conf:

Options used in the renewal process

[renewalparams]
account = (some account string)
pref_challs = dns-01,
authenticator = certbot-plugin-gandi:dns
server = https://acme-v02.api.letsencrypt.org/directory
certbot_plugin_gandi:dns_credentials = /etc/letsencrypt/gandi.ini

The only thing is that it complains about unsafe permissions:
Unsafe permissions on credentials configuration file: /etc/letsencrypt/gandi.ini

Not sure what to do about that .... :frowning:

Thanks for the help so far :slight_smile:
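The warning above is about who can read the credentials file, which holds the API key that can change DNS for the zone: certbot's DNS plugins expect it to be readable by its owner only. The following is an added example, not from the thread or from certbot or the Gandi plugin, that checks for the group/other permission bits that trigger the warning and tightens them; the path defaults to the /etc/letsencrypt/gandi.ini from the post, and the `check`/`fix` arguments are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): check and fix the permissions that
# trigger certbot's "Unsafe permissions on credentials configuration file"
# warning. The file holds the DNS provider's API key, so only its owner (the
# account cron runs certbot as) should be able to read it: mode 600 or stricter.
CREDS_FILE="${CREDS_FILE:-/etc/letsencrypt/gandi.ini}"

# Octal permission string of a file; GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%OLp' "$1"
    fi
}

# 0 when group and other have no bits set at all (the last two octal digits
# are "00", or the mode is plain 0); 1 when anyone but the owner can read or
# write the file, which is exactly the condition certbot warns about.
creds_perms_ok() {
    mode=$(file_mode "$1") || return 2
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Owner-only read/write; report what changed so the fix shows up in logs.
fix_creds_perms() {
    chmod 600 "$1" && echo "set mode 600 on $1"
}

case "${1:-}" in
    check)
        if creds_perms_ok "$CREDS_FILE"; then
            echo "$CREDS_FILE: permissions ok (mode $(file_mode "$CREDS_FILE"))"
        else
            echo "$CREDS_FILE: too permissive (mode $(file_mode "$CREDS_FILE"))" >&2
            exit 1
        fi
        ;;
    fix)
        creds_perms_ok "$CREDS_FILE" || fix_creds_perms "$CREDS_FILE"
        ;;
esac
```

Run it with `check` before a dry run to see whether the warning will appear, or with `fix` to apply `chmod 600`; the file should also be owned by the user the cron job runs as (root, in the first post), since certbot reads it under that account.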

Ok, so does this work now?

certbot renew --cert-name some-domain --dry-run

--dry-run uses the test system and enforces a check of your domain name control.

4 Likes

Seems to work:

certbot renew --cert-name some-domain --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/some-domain.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator certbot-plugin-gandi:dns, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for some-domain
Unsafe permissions on credentials configuration file: /etc/letsencrypt/gandi.ini
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/some-domain/fullchain.pem

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/some-domain/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 Like

Good. So it will renew along with your others when the cron in your first post does the renew without using a specific --cert-name.

You may need to reload / restart any service that uses that cert to pick up the fresh one. You can use the certbot deploy-hook feature or just schedule one yourself if/as needed.

3 Likes
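As an added example of the deploy-hook approach (not code from the thread or from certbot): a script that `renew_hook =` in the renewal conf, or `--deploy-hook` on the command line, can point at. Certbot runs a deploy hook once per lineage that was actually renewed, with RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS (space-separated) in the environment. The script reloads the service only when this non-Apache domain is among the renewed names and the new chain really matches the private key; the domain value, the reload command and the `run` argument are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread): a certbot deploy hook (renew_hook /
# --deploy-hook). Certbot runs it after a successful renewal with
# RENEWED_LINEAGE (the live/<name> directory) and RENEWED_DOMAINS
# (space-separated) set. It reloads the dependent service only when our
# non-Apache domain was renewed and the new chain matches the private key.
# The domain and the reload command are assumptions for this example.
WANTED_DOMAIN="${WANTED_DOMAIN:-some-domain}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload postfix}"

# 0 if $1 appears as a whole item in the space-separated list $2.
domain_renewed() {
    for d in $2; do
        [ "$d" = "$1" ] && return 0
    done
    return 1
}

# 0 if the certificate's public key equals the one derived from the private
# key. Comparing the SubjectPublicKeyInfo PEM works for RSA and ECDSA alike;
# openssl x509 reads only the first (leaf) certificate from fullchain.pem.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

main() {
    if ! domain_renewed "$WANTED_DOMAIN" "${RENEWED_DOMAINS:-}"; then
        echo "deploy hook: $WANTED_DOMAIN not renewed this run, nothing to do"
        return 0
    fi
    if ! key_matches_cert "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem"; then
        echo "deploy hook: cert and key in $RENEWED_LINEAGE do not match, not reloading" >&2
        return 1
    fi
    echo "deploy hook: $WANTED_DOMAIN renewed, running: $RELOAD_CMD"
    $RELOAD_CMD
}

# Only act when invoked as the hook; sourcing the file just defines the functions.
case "${1:-}" in
    run) main ;;
esac
```

With the script installed at an assumed path such as /usr/local/bin/cert-deploy-hook, the renewal conf line is `renew_hook = /usr/local/bin/cert-deploy-hook run` under [renewalparams]. Note that `certbot renew --dry-run` does not execute deploy hooks by default, so the reload itself is only exercised on a real renewal; the cert/key comparison keeps a half-written or mismatched lineage from being loaded into the service.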

Thanks everyone ... and indeed I just added the renew_hook in the config file.

Matthijs

2 Likes
