Renewal Failed. Require authentication method and manual fails

Trying to renew my * domain.

My domain is: *

I ran this command: cerbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/

Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,)
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

1 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache/2.4.6

The operating system my web server runs on is (include version): CentOS 7.7.1908

My hosting provider, if applicable, is: Google Cloud VM

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot --version
certbot 1.0.0

Any help would be greatly appreciated. It appears that many other posts specific to this issue; however, being so new I am unable to get any of the suggestions to produce positive results.

I believe I have to use DNS only authentication or verification and have tried using

certbot renew --preferred-challenges dns

without any luck.


1 Like

You can’t automatically renew certs that were created with --manual

Do you recall how your current cert was issued?

In the meantime, can we have a look at this file?:

1 Like

renew_before_expiry = 30 days

version = 0.39.0
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

Options used in the renewal process

authenticator = manual
account = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
manual_public_ip_logging_ok = True
server =

Removed account since I am fairly sure that is correct and likely security issue if shared?

1 Like

It was likely created with --manual so, do I have to do renew --manual?

Or just get a brand new cert?


1 Like

Yes, it was created with manual, which means unattended renewals will try using manual and fail.
You can override the saved settings in the command line request.
Once the cert is successfully renewed/issued, it will update the saved renewal method.


So, because of time constraints and waiting till the last minute. I had to resort to basically requesting a brand new certificate.

My issues for the future (90 days from now) will be the following:

  1. I cannot use http verification as port 80 is closed on this environment and I really don’t want to open it. I understand all the issues with trying and verifying on SSL port because of hosted environments and such so, I just have to grin and bare it.

  2. I am getting a wildcard certificate. Not a single host.

  3. Obviously, again, I used the manual method to get a new certificate issued which is up and working right now

What to do in the future. Is there anyway to interactively renew in the future? I am fine with manually doing it; however, it does not seem to be possible? Do I just continue doing the same thing as i did today. I mean it takes only a few minutes to just manually request a brand new certificate; however, I am sure that is not intended way of use and not sure if it may have any harmful side effects to constantly be getting a brand new certificate?

Can anyone suggest any options?

Thanks again for everyone’s help.


If port 80 is NOT an option (and you don’t want to manually renew), you could switch to an acme client that supports ALPN validations or DNS validations via automated plugin.

1 Like

Thank you. I will look into those options. Can you give me a suggestion for such other clients? CentOS flavor? Or is it impolite to ask on Certbot forums.

But so far things are working great. The manual update doesn’t take that long at this time. It would be great to figure out the automated method so I can set it and forget it.


Hi @tziady

checking your domain you use GoDaddy -

||• / p23|

Scottsdale/Arizona/United States (US) -, LLC
Scottsdale/Arizona/United States (US) -

So check - there

is a GoDaddy integration.

And read

The domain is at Godaddy; but the environment is not. It is a VM on a cloud provider. Only Godaddy is the registrar and nothing else.

Thanks for the info. Hopefully, this will work. Have not used Godaddy API before and hope it allows easy external access.

Will try out and update.

Again, thank you very much for all the help with this issue.

Great community.


I am starting to use this acme script. The only huge issue is that I want it to be a wildcard cert *

Not sure it is functioning as expected. Will test. But this is a great script.

Thanks for the info.

I guess this would then replace completely Certbot?


That’s not a problem. If you want to create a wildcard certificate, you must use dns validation. So you have to use --manual - or your dns provider has an API and you have a client that supports that API. supports a lot of different APIs.

Yes. Every client listed

replaces Certbot.


Thank you very much. I have used it in combination with the --DNS -DNG

Godaddy API which appears to be working great.

This time, I just did a cert for each host and will fine tune to do all hosts in the near future. But it seams like it will be a trivial change to just do * instead of -d -d … which is working at this time.

Again, thank you and everyone on this thread for your input and help.



This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.