Renewing a manually-issued (DNS challenge) certificate fails


#1

I’m trying to renew a certificate for domain smtp.radiom.fr.
It’s been issued with the following command:

/usr/bin/certbot certonly --manual --preferred-challenges dns -d smtp.radiom.fr

… because I can’t have a webroot on this host.

I have a Cron job that tries to renew all the certificates I issued with:

/usr/bin/certbot renew --rsa-key-size 4096

… but it fails with the following error:

Processing /etc/letsencrypt/renewal/smtp.radiom.fr.conf

Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,)
Attempting to renew cert from /etc/letsencrypt/renewal/smtp.radiom.fr.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,). Skipping.

My /etc/letsencrypt/renewal/smtp.radiom.fr.conf contains:

# renew_before_expiry = 30 days
version = 0.9.3
cert = /etc/letsencrypt/live/smtp.radiom.fr/cert.pem
privkey = /etc/letsencrypt/live/smtp.radiom.fr/privkey.pem
chain = /etc/letsencrypt/live/smtp.radiom.fr/chain.pem
fullchain = /etc/letsencrypt/live/smtp.radiom.fr/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = manual
installer = None
account = f94e3173b6dc085a046749d3bac1863c
manual_public_ip_logging_ok = True

I’m not sure where my problem is. If I was to manually renew this certificate because of the DNS challenge, that would be okay for me.
Thank you for your hints.


#2

“renew” will not work for a “manually” obtained certificate - as it can’t automatically do it. You would need to manually obtain a new certificate every 2-3 months.

Alternatively use an API to your DNS and automate the process.


#3

Thank you.
If I’m correct, certbot does not support DNS API, I’ll have to use another tool.


#4

Certbot does now support using a DNS API (it didn’t until about a month ago). So you can use either certbot, or one of the alternate clients, whichever works best for you.
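The automation suggested in the replies above (publishing the DNS challenge record from a script instead of answering the manual plugin interactively), as an added example that is not code from this thread or from certbot: a hook for `--manual-auth-hook` / `--manual-cleanup-hook` that pushes the `_acme-challenge` TXT record with an RFC 2136 dynamic update via `nsupdate` and waits until the record is visible. The name server, zone, TSIG key path and the presence of `dig` are assumptions.

```shell
#!/bin/sh
# Added example hook for certbot's manual plugin (not code from this thread).
# certbot runs the auth hook with CERTBOT_DOMAIN and CERTBOT_VALIDATION set;
# the hook must publish TXT _acme-challenge.<domain> = <validation>, and the
# cleanup hook removes it. Usage: hook.sh add | hook.sh delete
# Assumed for this example: a name server accepting TSIG-signed RFC 2136
# updates (DNS_SERVER) for the zone DNS_ZONE, and dig on the host.
DNS_SERVER="${DNS_SERVER:-ns1.example.net}"               # assumption
DNS_ZONE="${DNS_ZONE:-radiom.fr}"                         # zone of smtp.radiom.fr
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/letsencrypt/tsig.key}" # assumption
TTL=60

# Name of the dns-01 validation record for a domain.
challenge_name() {
    printf '_acme-challenge.%s' "$1"
}

# Emit an nsupdate batch that adds or deletes the validation TXT record.
# The token is quoted so nsupdate stores it as a single TXT string.
nsupdate_batch() {
    action="$1"; domain="$2"; token="$3"
    name="$(challenge_name "$domain")"
    printf 'server %s\nzone %s\n' "$DNS_SERVER" "$DNS_ZONE"
    if [ "$action" = add ]; then
        printf 'update add %s. %s IN TXT "%s"\n' "$name" "$TTL" "$token"
    else
        printf 'update delete %s. TXT\n' "$name"
    fi
    printf 'send\n'
}

# Poll the authoritative server until the record carries the token, so certbot
# does not request validation before the record exists. 0 = seen, 1 = timeout.
wait_for_txt() {
    domain="$1"; token="$2"; tries=0
    while [ "$tries" -lt 12 ]; do
        dig +short @"$DNS_SERVER" TXT "$(challenge_name "$domain")" | grep -qF "\"$token\"" && return 0
        tries=$((tries + 1)); sleep 5
    done
    return 1
}

# Only act when invoked by certbot (the variables are unset otherwise).
if [ -n "$CERTBOT_DOMAIN" ] && [ -n "$CERTBOT_VALIDATION" ]; then
    action="${1:-add}"
    nsupdate_batch "$action" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEYFILE" || exit 1
    if [ "$action" = add ]; then wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" || exit 1; fi
    exit 0
fi
```

Issue the certificate once more with `--manual-auth-hook '/path/hook.sh add' --manual-cleanup-hook '/path/hook.sh delete'` added to the original `certonly` command; certbot records the hooks in the renewal configuration, so the cron `certbot renew` can then run non-interactively.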

