Renewal error due to manual plugin


#1

Hi all,

my domain is : vitalbase.fr

I’m working on a RHEL 6.5 server.
My web server is : Nginx 1.10.3
Certbot-auto installed by wget https://dl.eff.org/certbot-auto
Then certbot 0.24.0 installed.

To generate my first certificate, I’ve used this command:
$ sudo /opt/eff.org/certbot/venv/bin/certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual -d '*.vitalbase.fr'

I would like to use a wildcard certificate for this domain.

During certificate generation, I’ve declared my “_acme-challenge.vitalbase.fr” entry in my associated DNS.

Then in my nginx config, I’ve defined a server block with:

ssl on;
ssl_certificate /etc/letsencrypt/live/vitalbase.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/vitalbase.fr/privkey.pem;

Then a “sudo service nginx restart” command and … it works.

Certificate is available for my domain.

My problem is on the renewal process.
I’ve scheduled a cron job with “/opt/certbot/certbot-auto renew” but error occurs :

Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,)
Attempting to renew cert (vitalbase.fr) from /etc/letsencrypt/renewal/vitalbase.fr.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/vitalbase.fr/fullchain.pem (failure)

The problem seems to occur because of my “manual” mode during the first generation. Correct?
My DNS provider does not provide API to update DNS entries.
Is DNS validation the only way to validate a wildcard renewal ?

Best regards

Chris


#2

Yes. :slightly_frowning_face: “certbot renew” is designed to be run non-interactively, like with cron, so it can’t renew certificates that require manual human interaction.

(You have to set different TXT record value every time you renew the certificate.)

Yes. :slightly_frowning_face:

If you have a VPS or dedicated server, how about running acme-dns and the acme-dns Certbot hook? That would allow everything to be fully automated.
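As an added example, not from this thread or from the acme-dns project, here is the shape of the --manual-auth-hook that the acme-dns suggestion implies: certbot runs it with CERTBOT_DOMAIN and CERTBOT_VALIDATION in the environment, and the hook pushes the TXT value to acme-dns instead of a human editing DNS. It assumes the one-time CNAME from _acme-challenge.vitalbase.fr to the acme-dns fulldomain is already in place and that the registration is saved in a JSON file; the file path, account values and ACME_DNS_ACCOUNT variable are constructed for the example.

```python
#!/usr/bin/env python3
"""Hypothetical certbot --manual-auth-hook: publish the DNS-01 value through
an acme-dns server so 'certbot renew' can run unattended from cron."""
import json
import os
import urllib.request

# Constructed sample registration using the field names acme-dns returns from
# /register; the real file holds the values your own registration produced.
SAMPLE_ACCOUNT = {
    "username": "00000000-1111-2222-3333-444444444444",
    "password": "constructed-sample-password-not-a-real-key",
    "subdomain": "55555555-6666-7777-8888-999999999999",
    "fulldomain": "55555555-6666-7777-8888-999999999999.auth.acme-dns.io",
}
ACCOUNT_FILE = os.environ.get("ACME_DNS_ACCOUNT", "/etc/letsencrypt/acme-dns.json")  # assumed


def challenge_name(domain):
    """TXT name the CA queries; a wildcard is validated at its base name."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base


def build_update(account, validation, server="https://auth.acme-dns.io"):
    """Return (url, headers, body) for the acme-dns /update call."""
    # acme-dns accepts only the 43-character value certbot hands to the hook.
    if len(validation) != 43:
        raise ValueError("CERTBOT_VALIDATION must be exactly 43 characters")
    headers = {"X-Api-User": account["username"],
               "X-Api-Key": account["password"],
               "Content-Type": "application/json"}
    body = json.dumps({"subdomain": account["subdomain"], "txt": validation}).encode()
    return server.rstrip("/") + "/update", headers, body


def main():
    # certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION for each authorization.
    domain, validation = os.environ["CERTBOT_DOMAIN"], os.environ["CERTBOT_VALIDATION"]
    with open(ACCOUNT_FILE) as f:
        account = json.load(f)
    url, headers, body = build_update(account, validation)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    # Any exception propagates as a non-zero exit, which certbot reports as a failure.
    with urllib.request.urlopen(req, timeout=30) as resp:
        print("published", challenge_name(domain), "via", account["fulldomain"], resp.status)


if __name__ == "__main__":
    main()
```

Pass the script with --manual-auth-hook and --preferred-challenges dns on the certonly command; the renewal config then records the hook, so a plain renew from cron no longer hits the PluginError shown above.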


#3

Many thanks Mnordhoff for your answers! I’ll have a look at this acme-dns :slight_smile:

Best regards

Chris


#4

Has there ever been a feature or suggestion for something like a --allow-interactive flag that you know of?


#5

This distinction is fairly deep in Certbot’s architecture. You can renew --manual certificates by re-running the certonly command, though.


#6

I guess we could add something like a manual-renew command that runs only interactively and isn’t meant to run from cron. But I’m worried that users might be confused about when to use it.


#7

Therefore my suggestion would be to only implement it as an opt-in flag, i.e., disabled by default. Only when explicitly added, users would be able to just run a simple renew command with being able to renew with some manual steps, but not having to decipher the whole command line options from 90 days ago.

Not everyone can renew automatically, saying “just run the whoooole command again, figure it all out again, yes it’s troublesome, but your problem, not ours” is not very user friendly. Not everyone knows which command they ran. Not everyone can dig into the renewal configuration.


#8

This is a good point, thanks. I’ll also add that we really want to discourage people from using --manual, but we haven’t necessarily done a good job of pointing out that there’s anything wrong with it. We even have a number of users who haven’t realized that the authentication steps will need to be repeated later, or in some cases even that certificates expire.


#9

Discouraging I can totally understand. But the manual plugin is available, officially. If you don’t want people to use it, remove it from certbot. If you don’t want to remove it, it should be implemented in a way people can actually use it properly.

