Renewal Failed. Require authentication method and manual fails

Trying to renew my *.in-design.com domain.

My domain is: *.in-design.com

I ran this command: certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/in-design.com.conf


Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (in-design.com) from /etc/letsencrypt/renewal/in-design.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/in-design.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/in-design.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache/2.4.6

The operating system my web server runs on is (include version): CentOS 7.7.1908

My hosting provider, if applicable, is: Google Cloud VM

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot --version
certbot 1.0.0

Any help would be greatly appreciated. It appears that there are many other posts specific to this issue; however, being so new, I am unable to get any of the suggestions to produce positive results.

I believe I have to use DNS-only authentication or verification and have tried using

certbot renew --preferred-challenges dns

without any luck.

Thanks,
Tamer


You can’t automatically renew certs that were created with --manual

Do you recall how your current cert was issued?

In the meantime, can we have a look at this file?:
/etc/letsencrypt/renewal/in-design.com.conf


renew_before_expiry = 30 days

version = 0.39.0
archive_dir = /etc/letsencrypt/archive/in-design.com
cert = /etc/letsencrypt/live/in-design.com/cert.pem
privkey = /etc/letsencrypt/live/in-design.com/privkey.pem
chain = /etc/letsencrypt/live/in-design.com/chain.pem
fullchain = /etc/letsencrypt/live/in-design.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = manual
account = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory

I removed the account since I am fairly sure that is correct, and it is likely a security issue if shared?


It was likely created with --manual so, do I have to do renew --manual?

Or just get a brand new cert?

Thanks,
Tamer


Yes, it was created with manual, which means unattended renewals will try using manual and fail.
You can override the saved settings in the command line request.
Once the cert is successfully renewed/issued, it will update the saved renewal method.

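The error in the first post names the override the reply above is talking about: with the manual plugin, an unattended `certbot renew` needs a `--manual-auth-hook` script that publishes the DNS-01 TXT record itself. The script below is an added example, not code from the thread or from Certbot, showing what such a hook looks like for a wildcard name served by GoDaddy DNS (the DNS validation the later reply notes a wildcard requires). It assumes the GoDaddy API shape `PUT /v1/domains/<zone>/records/TXT/<name>` with `sso-key` authentication, a two-label zone such as `in-design.com`, and credentials in `GD_KEY`/`GD_SECRET`; the install path `/etc/letsencrypt/godaddy-auth.sh` is likewise an assumption. Once a certificate has been issued with the hook on the command line, Certbot records the hook path in the renewal conf, so plain `certbot renew` runs it without prompting.

```shell
#!/bin/sh
# Hypothetical certbot --manual-auth-hook for DNS-01 validation (added example, not from the thread).
# Issue once interactively, then unattended renewals reuse the saved hook (assumed install path):
#   certbot certonly --manual --preferred-challenges dns \
#       --manual-auth-hook /etc/letsencrypt/godaddy-auth.sh -d '*.in-design.com'
# certbot runs this script once per name before asking the CA to validate, with:
#   CERTBOT_DOMAIN      the name being validated (for *.in-design.com certbot passes in-design.com)
#   CERTBOT_VALIDATION  the TXT value that must appear at _acme-challenge.<domain>
set -eu

# Name of the TXT record the CA will query. A leading "*." is stripped defensively because
# a wildcard challenge lives at the base name, never at "*._acme-challenge...".
acme_challenge_name() {
    d="${1#\*.}"
    printf '_acme-challenge.%s\n' "$d"
}

# Split "_acme-challenge.host.in-design.com" into the zone "in-design.com" and the relative
# record name "_acme-challenge.host". Assumes a two-label registrable zone (assumption).
zone_of() {
    printf '%s\n' "$1" | awk -F. '{print $(NF-1)"."$NF}'
}
relative_name() {
    fqdn="$1"; zone="$2"
    printf '%s\n' "${fqdn%.$zone}"
}

# Record set body in the shape the GoDaddy DNS API is assumed to accept.
txt_record_body() {
    printf '[{"data":"%s","ttl":600}]\n' "$1"
}

# Publish the TXT record, or with DRY_RUN=1 only print the request that would be sent.
publish_txt() {
    fqdn="$1"; value="$2"
    zone="$(zone_of "$fqdn")"
    name="$(relative_name "$fqdn" "$zone")"
    body="$(txt_record_body "$value")"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'PUT https://api.godaddy.com/v1/domains/%s/records/TXT/%s %s\n' "$zone" "$name" "$body"
        return 0
    fi
    curl -fsS -X PUT "https://api.godaddy.com/v1/domains/$zone/records/TXT/$name" \
        -H "Authorization: sso-key ${GD_KEY}:${GD_SECRET}" \
        -H 'Content-Type: application/json' \
        --data "$body"
    # Let the authoritative servers pick up the change; certbot does not poll DNS for you.
    sleep 30
}

# Act only when invoked by certbot (its environment variables are set); otherwise the file
# merely defines the functions above.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    publish_txt "$(acme_challenge_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
fi
```

Two caveats a practitioner should check before relying on this: a `PUT` on a record set replaces every TXT value at that name, so requesting `in-design.com` and `*.in-design.com` in one certificate (both validated at `_acme-challenge.in-design.com`) needs a hook that appends to the set rather than overwriting it; and the API key in the script's environment can rewrite any record in the zone, so keep it out of world-readable files and pair the hook with a `--manual-cleanup-hook` that deletes the record afterwards.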

So, because of time constraints and waiting till the last minute, I had to resort to basically requesting a brand new certificate.

My issues for the future (90 days from now) will be the following:

  1. I cannot use HTTP verification, as port 80 is closed on this environment and I really don't want to open it. I understand all the issues with trying to verify on the SSL port because of hosted environments and such, so I just have to grin and bear it.

  2. I am getting a wildcard certificate. Not a single host.

  3. Obviously, again, I used the manual method to get a new certificate issued, which is up and working right now.

What to do in the future? Is there any way to interactively renew in the future? I am fine with manually doing it; however, it does not seem to be possible. Do I just continue doing the same thing as I did today? I mean, it takes only a few minutes to just manually request a brand new certificate; however, I am sure that is not the intended way of use, and I am not sure if it may have any harmful side effects to constantly be getting a brand new certificate.

Can anyone suggest any options?

Thanks again for everyone’s help.

Tamer

If port 80 is NOT an option (and you don’t want to manually renew), you could switch to an acme client that supports ALPN validations or DNS validations via automated plugin.


Thank you. I will look into those options. Can you give me a suggestion for such other clients? CentOS flavor? Or is it impolite to ask on the Certbot forums?

But so far things are working great. The manual update doesn’t take that long at this time. It would be great to figure out the automated method so I can set it and forget it.

Cheers,
Tamer

Hi @tziady

Checking your domain, you use GoDaddy - https://check-your-website.server-daten.de/?q=in-design.com

in-design.com: ns77.domaincontrol.com / p23, 97.74.108.49

Scottsdale/Arizona/United States (US) - GoDaddy.com, LLC
Scottsdale/Arizona/United States (US) - GoDaddy.com

So check acme.sh - there is a GoDaddy integration.

And read

The domain is at GoDaddy, but the environment is not. It is a VM on a cloud provider. GoDaddy is only the registrar and nothing else.

Thanks for the info. Hopefully this will work. I have not used the GoDaddy API before and hope it allows easy external access.

Will try out and update.

Again, thank you very much for all the help with this issue.

Great community.

Cheers,
Tamer

I am starting to use this acme script. The only huge issue is that I want it to be a wildcard cert *.in-design.com

Not sure it is functioning as expected. Will test. But this is a great script.

Thanks for the info.

I guess this would then replace completely Certbot?

Thanks,
Tamer

That's not a problem. If you want to create a wildcard certificate, you must use DNS validation. So you have to use --manual, or your DNS provider has an API and you have a client that supports that API.

acme.sh supports a lot of different APIs.

Yes. Every client listed replaces Certbot.


Thank you very much. I have used it in combination with the --DNS -DNG GoDaddy API, which appears to be working great.

This time, I just did a cert for each host and will fine-tune it to do all hosts in the near future. But it seems like it will be a trivial change to just do *.in-design.com instead of -d host1.in-design.com -d host2.in-design.com … which is working at this time.

Again, thank you and everyone on this thread for your input and help.

Cheers,
Tamer

