Renew when created manually

Hello,

A couple of weeks ago I created a new server. I added a certificate by using the following command:

certbot --manual --preferred-challenges dns certonly -d <fqdn>

After I added the _acme-challenge DNS TXT entry I was able to receive the certificate. Unfortunately, when I added a cron job to renew the certificate, I received the following error message:

#  /usr/bin/certbot renew

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/<fqdn>.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (<fqdn>) from /etc/letsencrypt/renewal/<fqdn>.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/<fqdn>/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/<fqdn>/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

I already read through multiple articles and I understand that the issue is because of the fact that I created the certificate manually, but I want to automatically renew the certificate. Unfortunately I didn't find the right article that describes the best way to auto-renew the certificate using the _acme-challenge DNS TXT method without the need to manually create the DNS entry for every renewal. Does anyone know the best way, or does anyone know of good documentation on how to do it?

BR

To automate the renewal while using the dns-01 challenge, you should also automate the adding (and removing) of the TXT record through DNS. So it really depends on how you could be able to do that.

Certbot has a few DNS plugins for that (User Guide — Certbot 2.7.0.dev0 documentation) and there are also some third party DNS plugins available out there (User Guide — Certbot 2.7.0.dev0 documentation).

If there isn't a certbot plugin available for your DNS provider, you might have more luck using one of the many DNS plugins of the ACME client acme.sh (https://github.com/acmesh-official/acme.sh/tree/master/dnsapi). You could use acme.sh directly, although it wouldn't be so hard to modify such a script for usage with certbot.

If your DNS provider isn't available in the options I've mentioned above but does provide an API, you could write your own scripts for adding and removing the TXT record(s). That script would be used with the --manual-auth-hook and --manual-cleanup-hook, respectively (User Guide — Certbot 2.7.0.dev0 documentation). (Those options would also be used if you'd modify an acme.sh DNS plugin script mentioned earlier by the way.)

Also, do you actually require the use of the dns-01 challenge? I.e., are you using a wildcard certificate? Or is port 80 blocked?

1 Like
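
The hook approach described in the reply above, as an added example that is not part of the original thread or of certbot: one script that serves as both --manual-auth-hook and --manual-cleanup-hook. CERTBOT_DOMAIN and CERTBOT_VALIDATION are the variables certbot passes to manual hooks; the API endpoint, request body, token path and PROPAGATION_WAIT are hypothetical placeholders for whatever your DNS provider offers.

```shell
#!/bin/sh
# Added example: one script used as both --manual-auth-hook and --manual-cleanup-hook.
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hooks.
# API_URL, the JSON body and TOKEN_FILE are hypothetical; adapt them to your provider.
API_URL="${API_URL:-https://dns-api.example.invalid/v1/txt}"
TOKEN_FILE="${TOKEN_FILE:-/etc/letsencrypt/dns-api.token}"

# TXT record name the CA queries for dns-01; a wildcard's "*." is not part of it.
challenge_name() {
    printf '_acme-challenge.%s\n' "${1#[*].}"
}

# The token can edit the zone: refuse a file that group or others can access.
token_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -lnL "$1" | cut -c5-10)" = "------" ]
}

# Build the request body, rejecting anything that is not a hostname / base64url value.
txt_payload() {
    case "$1" in ''|*[!A-Za-z0-9.*-]*) return 1 ;; esac
    case "$2" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    printf '{"name":"%s","type":"TXT","ttl":60,"value":"%s"}\n' \
        "$(challenge_name "$1")" "$2"
}

run_hook() {   # $1 is "auth" or "cleanup"
    case "$1" in
        auth)    method=POST ;;
        cleanup) method=DELETE ;;
        *)       return 2 ;;
    esac
    token_is_private "$TOKEN_FILE" || { echo "unsafe or missing $TOKEN_FILE" >&2; return 1; }
    body=$(txt_payload "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION") ||
        { echo "unexpected CERTBOT_DOMAIN or CERTBOT_VALIDATION" >&2; return 1; }
    # The token is passed in a curl config on stdin, so it never shows up in `ps`.
    printf 'header = "Authorization: Bearer %s"\n' "$(cat "$TOKEN_FILE")" |
        curl --fail --silent --show-error --config - --request "$method" \
            --header 'Content-Type: application/json' --data "$body" "$API_URL" || return 1
    # Give the new record time to reach the authoritative servers before validation.
    if [ "$1" = auth ]; then sleep "${PROPAGATION_WAIT:-30}"; fi
}

case "${1:-}" in
    auth|cleanup) run_hook "$1" ;;
esac
```

Saved at a path of your choosing (for example a hypothetical /usr/local/bin/dns-hook.sh), it would be passed to certbot as --manual-auth-hook "/usr/local/bin/dns-hook.sh auth" and --manual-cleanup-hook "/usr/local/bin/dns-hook.sh cleanup" alongside the options from the original command.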

Hello,

I didn't understand everything you wrote because my experience with certbot is really limited, but the answers to the questions are:

  • I use domaindiscount24 as provider.
  • I don't need to fetch a wildcard certificate and I would like to avoid using the port 80 method because the webserver is already using the port.

Do they provide an API to automate adding and removing things?

Then you probably don't need the dns-01 challenge!

That's OK, certbot can most likely work with that webserver. But to determine that, we'll need some more info. Can you please answer the questionnaire which should have been provided to you when you first opened this thread in the Help section?


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2 Likes
