Renewing certificates for an internal server


#1

I have created a certificate for an internal server on my network by running the following command:
sudo certbot certonly --manual -d internal-server.example.com

I temporarily created an A Record for my domain that allowed the authorization to work and the certificate was issued. I deleted the temporary A record, and the certificate works great… Until I try to renew…

When I try to renew I get an error that the manual plugin does not support non-interactive mode. Based on my understanding (from https://letsencrypt.org/how-it-works/), the domain validation should only be required the first time around, so why would I need to run it interactively? Or am I misunderstanding the CSR signing process and domain validation? Is there any way to automate this so I don’t have to make this server public-facing every time I want to renew the certificate?

Any guidance would be appreciated.

Thanks!

I ran this command: sudo certbot renew --force-renewal

It produced this output:
2016-10-31 11:15:54,766:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/internal-server.example.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘Running manual mode non-interactively is not supported’,). Skipping.

My operating system is (include version): CentOS 7

My web server is (include version): Apache 2.4.6

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

The “renew” option doesn’t work for certificates obtained using the “--manual” method.

You would need to redo it as before with the “sudo certbot certonly --manual -d internal-server.example.com” command.

Does your DNS have an API with which you can automatically add a token? If so, then the dns-01 challenge may be better for you (that way you don’t need to have an A record or anything).


#3

Thanks. It looks like there is an API for my DNS and I have requested activating it which will take 2 business days.

Since dns-01 support looks like it’s relatively new for certbot, is there any documentation on it? As far as I can tell it looks like it’s only supported in manual mode, and requires running it interactively.

I think the dehydrated client may work better in my case since I can hook into the challenge process and use one of the predefined hook scripts for my domain API. (https://github.com/lukas2511/dehydrated/wiki/Examples-for-DNS-01-hooks)

Thanks
Brian
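As an added illustration of the hook approach mentioned above (example code, not from the thread or from the dehydrated project): the skeleton of a DNS-01 hook script. dehydrated invokes the hook as `hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE` before validation and `hook.sh clean_challenge` with the same arguments afterwards; the DNS provider API calls below are assumed placeholders that write to a local file standing in for the zone, so the script runs offline.

```shell
#!/bin/sh
# Added example DNS-01 hook for dehydrated (not the project's own code).
# Real hooks replace dns_api_add_txt / dns_api_del_txt with the provider's
# API calls; here a constructed local file stands in for the zone.
ZONE_FILE="${ZONE_FILE:-/tmp/fake-zone.txt}"

# Name of the TXT record the CA queries for a dns-01 challenge.
challenge_name() {
    printf '_acme-challenge.%s' "$1"
}

# Placeholder for the provider's "create TXT record" API call.
dns_api_add_txt() {   # $1 = record name, $2 = record value
    printf '%s TXT %s\n' "$1" "$2" >> "$ZONE_FILE"
}

# Placeholder for the provider's "delete TXT record" API call.
dns_api_del_txt() {   # $1 = record name, $2 = record value
    tmp="$(mktemp)"
    grep -v -F "$1 TXT $2" "$ZONE_FILE" > "$tmp" || true
    mv "$tmp" "$ZONE_FILE"
}

# dehydrated: deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
# TOKEN_VALUE is already the string the CA expects in the TXT record.
deploy_challenge() {
    dns_api_add_txt "$(challenge_name "$1")" "$3"
    # A real hook must wait here until the record is visible on the
    # authoritative nameservers (e.g. poll with dig) before returning.
}

# dehydrated: clean_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
clean_challenge() {
    dns_api_del_txt "$(challenge_name "$1")" "$3"
}

# Returns 0 if the challenge record for DOMAIN ($1) with VALUE ($2) exists.
txt_record_present() {
    grep -q -F "$(challenge_name "$1") TXT $2" "$ZONE_FILE" 2>/dev/null
}

# Dispatch on the hook name dehydrated passes as the first argument;
# other hooks (deploy_cert, unchanged_cert, ...) are ignored on purpose.
dispatch() {
    hook="$1"; shift
    case "$hook" in
        deploy_challenge|clean_challenge) "$hook" "$@" ;;
        *) : ;;
    esac
}

# Only dispatch when called with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then dispatch "$@"; fi
```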


#4

Yes, you can use any of the bash / Go alternate clients - they all support the dns-01 challenge.
