Renewing with DNS Challenge

Hello everyone,

I am trying to renew my domain(s) for the first time today. They were initially set up with the manual switch and I am using DNS for the challenge. Could that be the issue here? Here are the requested details.

Please fill out the fields below so we can help you better.

My domain is:

www.immutablesecurity.com

I ran this command:

certbot renew

It produced this output:

Processing /etc/letsencrypt/renewal/immutablesecurity.com.conf

Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert from /etc/letsencrypt/renewal/immutablesecurity.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

My web server is (include version):

Server version: Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version):

CentOS Linux release 7.3.1611 (Core)

My hosting provider, if applicable, is:

Self-hosted

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No

Hi @mstarks01,

This issue has come up frequently before:

https://community.letsencrypt.org/search?q="running%20manual%20mode%20non-interactively"

These threads explain that certbot renew is designed not to accept any human interaction, including waiting for a confirmation that required tasks have been completed. Therefore, if your certificate issuance workflow requires such a confirmation, certbot renew can’t support it. You can instead renew by running the same command that you originally used to obtain the certificate again.

Alternatively, if you have a shell script that can perform the DNS update programmatically (and immediately) using a DNS provider API, so that no delay or human interaction is required, you can refer to that script with the --manual-auth-hook option and then the restriction on certbot renew will be eliminated.
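A hook of the kind described above, added here as an example and not code from this thread or from Certbot: it pushes the DNS-01 TXT record with an RFC 2136 dynamic update (BIND's nsupdate signed with a TSIG key), so no human confirmation is needed and certbot renew can run unattended. The name server, key path and propagation wait are assumed placeholders; the CERTBOT_* variables are the ones Certbot sets for manual hooks.

```shell
#!/bin/sh
# Certbot manual hook for the DNS-01 challenge via RFC 2136 dynamic updates.
# Use the same script for both hooks:
#   --manual-auth-hook "/path/hook.sh add" --manual-cleanup-hook "/path/hook.sh delete"
# Assumed (not from the thread): the zone's primary accepts TSIG-signed updates.
set -eu

DNS_SERVER="${DNS_SERVER:-ns1.example.com}"                     # assumed primary
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/letsencrypt/acme-tsig.key}"  # assumed key path
TTL=60

# Validation record name for a domain; a wildcard (*.example.com) is
# validated at its base name, so the leading "*." is stripped.
acme_record_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Accept only base64url characters so a value can never break out of the
# TXT quoting in the nsupdate batch below.
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
}

# Print the nsupdate batch that adds or deletes the validation TXT record.
build_nsupdate_batch() {  # args: add|delete  domain  validation
    name=$(acme_record_name "$2")
    printf 'server %s\n' "$DNS_SERVER"
    if [ "$1" = add ]; then
        printf 'update add %s %s IN TXT "%s"\n' "$name" "$TTL" "$3"
    else
        printf 'update delete %s IN TXT "%s"\n' "$name" "$3"
    fi
    printf 'send\n'
}

main() {
    action="${1:-add}"
    valid_token "${CERTBOT_VALIDATION:-}" || { echo "bad validation token" >&2; exit 1; }
    build_nsupdate_batch "$action" "$CERTBOT_DOMAIN" "${CERTBOT_VALIDATION:-}" \
        | nsupdate -k "$TSIG_KEYFILE"
    # Once the last record of this order is in place, give secondaries time
    # to serve it before the CA queries; this replaces the manual "press Enter".
    if [ "$action" = add ] && [ "${CERTBOT_REMAINING_CHALLENGES:-0}" = 0 ]; then
        sleep "${PROPAGATION_WAIT:-30}"
    fi
}

# Only act when Certbot invokes us; otherwise just define the functions.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then main "$@"; fi
```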

Thanks, schoen. I did see some bugs logged that talked about the interactive issue, but they ultimately had different problems than I did. I will renew using the same command as when they were issued. I didn’t realize that I could renew that way. Does it keep the same private key?

Currently, Certbot doesn’t keep the same private key, but always generates a new one (regardless of whether you renew via certbot renew or certbot certonly or certbot run).

A somewhat inconvenient workaround for this is to generate a certificate signing request (CSR) using openssl that requests the particular names that you want and specifies the private key that you want to use, and then specifying that CSR file via --csr. Unfortunately, this will save the resulting certificates in the current directory, which doesn’t work well with either persistently installing them in a server application of some sort, or with Certbot’s renewal features.

I am working on adding a more convenient option to reuse private keys in Certbot, but I unfortunately haven’t made progress on this project recently.
