Renewing certs when --manual dns certonly was used ("The manual plugin is not working")


#1

Please fill out the fields below so we can help you better.

My domain is:
reportdev.guardiandigital.com
I ran this command:
certbot renew
It produced this output:
Processing /etc/letsencrypt/renewal/gdstage.guardiandigital.com.conf

Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert from /etc/letsencrypt/renewal/gdstage.guardiandigital.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

My operating system is (include version):
fedora25
My web server is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

This cert (and a few others) were created using:
certbot -d gdstage.guardiandigital.com --manual --preferred-challenges dns certonly

I don’t see authenticator.sh or cleanup.sh on my system


#2

I’ve learned that renewing certs which were created with manual mode isn’t supported. Certs must be recreated every time. It initially didn’t return a previous result when I searched.

Is there a way to at least extend the renewal period so I don’t have to sync new certs to the various servers every 70 days? Not every server has a webserver running, or at least not for the domain for which the certs are created, so renewing them in the automated way isn’t always possible.


#3

Do you control the DNS zone for this domain? You can get certificates without a webserver using the DNS-01 challenge. This can’t yet be automated for most DNS providers with Certbot, but it can be with acme.sh, as well as some other clients.


#4

Yes, we do control the DNS for the domain, and that’s how the certs were created in the first place. Now, if only we could continue to use the same challenge across renewals, perhaps that would make the process at least a little easier…

Will there ever be automated renewal support for manual mode?


#5

No, but the DNS challenge support for Certbot may eventually be moved out of manual mode.

You can currently do automated renewals with manual mode if you write your own authentication scripts (that perform the DNS updates).
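The authentication scripts referred to in this reply, as an added example that is not part of the original thread: one POSIX sh script that serves as both the `--manual-auth-hook` and the `--manual-cleanup-hook` for the DNS-01 challenge. Certbot exports `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` to both hooks; everything else here is assumed: the flat-file "zone database" (`ZONE_DB`) stands in for the DNS provider API you would really call from `dns_add_txt` / `dns_del_txt`, and `PROPAGATION_WAIT` is a knob for how long to wait before certbot tells Let's Encrypt to query the record.

```shell
#!/bin/sh
# Added example (not from this thread): a single script usable as certbot's
# --manual-auth-hook and --manual-cleanup-hook for the DNS-01 challenge.
# Certbot runs the auth hook once per domain with CERTBOT_DOMAIN and
# CERTBOT_VALIDATION exported; the cleanup hook receives the same variables.
# The flat-file "zone database" is a constructed stand-in (assumption) for a
# real DNS provider API; replace dns_add_txt / dns_del_txt with API calls.

ZONE_DB="${ZONE_DB:-/tmp/acme-zone-$$.db}"   # constructed stand-in for the zone
PROPAGATION_WAIT="${PROPAGATION_WAIT:-0}"    # seconds; use e.g. 30 with a real provider

# DNS-01 validates a TXT record at _acme-challenge.<domain>
acme_record_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Stand-in provider calls (assumption): one "name TXT "value"" line per record.
dns_add_txt() {            # $1 = record name, $2 = TXT value
    printf '%s TXT "%s"\n' "$1" "$2" >> "$ZONE_DB"
}

dns_del_txt() {            # $1 = record name, $2 = TXT value
    [ -f "$ZONE_DB" ] || return 0
    # grep -v exits 1 when every line is removed, which is not an error here
    grep -v -F -- "$1 TXT \"$2\"" "$ZONE_DB" > "$ZONE_DB.tmp" || true
    mv "$ZONE_DB.tmp" "$ZONE_DB"
}

dns_lookup_txt() {         # $1 = record name; prints the TXT value(s), one per line
    [ -f "$ZONE_DB" ] || return 0
    grep -F -- "$1 TXT " "$ZONE_DB" | sed 's/^.* TXT "\(.*\)"$/\1/'
}

# --manual-auth-hook entry point: publish the validation token, then wait so
# the authoritative servers answer with it before Let's Encrypt queries them.
# A non-zero exit makes certbot report the failure instead of proceeding.
auth_hook() {
    [ -n "$CERTBOT_DOMAIN" ] && [ -n "$CERTBOT_VALIDATION" ] || {
        echo "auth_hook: CERTBOT_DOMAIN / CERTBOT_VALIDATION not set" >&2
        return 1
    }
    dns_add_txt "$(acme_record_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
    sleep "$PROPAGATION_WAIT"
}

# --manual-cleanup-hook entry point: remove only the record this run
# published, so old challenge tokens do not accumulate in the zone.
cleanup_hook() {
    [ -n "$CERTBOT_DOMAIN" ] && [ -n "$CERTBOT_VALIDATION" ] || return 1
    dns_del_txt "$(acme_record_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
}

# Dispatch on the first argument so one file serves both hooks.
case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
esac
```

Issue the certificate once with both hooks on the command line, e.g. `certbot certonly --manual --preferred-challenges dns --manual-auth-hook "/usr/local/bin/acme-dns-hook.sh auth" --manual-cleanup-hook "/usr/local/bin/acme-dns-hook.sh cleanup" -d gdstage.guardiandigital.com` (the script path is a hypothetical one). Certbot records the hook paths in the renewal configuration under `/etc/letsencrypt/renewal/`, which is exactly what the `certbot renew` error in the first post is asking for, so later renewals run non-interactively. The cleanup hook matters for hygiene: without it, every renewal leaves another `_acme-challenge` TXT record behind in the zone.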


#6

Essentially, acme.sh already comes with the equivalent of the authentication scripts for many DNS providers.
