Simplifying Renewals by Using DNS Based Challenges

My domain is: www.kostons.net

I ran this command: certbot renew --dry-run

It produced this output:
root@server1:~# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/kostons.net.conf

Attempting to parse the version 0.19.0 renewal configuration file found at /etc/letsencrypt/renewal/kostons.net.conf with version 0.10.2 of Certbot. This might not work.
Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,)
Attempting to renew cert from /etc/letsencrypt/renewal/kostons.net.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,). Skipping.
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/kostons.net/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache/2.4.10 (Debian)

The operating system my web server runs on is (include version):
Debian Jessie
My hosting provider, if applicable, is: Self hosted

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

I’ve been using LE for some time now, but every 3 months I have problems auto-renewing my certificate. 3 months ago I installed certbot-auto and a brand new certificate, but now, 3 months later, again problems with auto update.

I can generate a new cert again, adjust my DNS records again, and in the next 3 months generate new certificates again, etc. etc. I would like to wipe everything of LE off my server and start over, and hopefully this time it will work, or fix the current configuration. Please, somebody help me fix this recurring problem every 90 days; I don’t know what to do anymore.

I read many topics here on the forum and searched with Google for hours every 90 days, but nothing helped me, or maybe I just don’t understand. So I surrender and post this message.

Hello,

If you wish to manually set up DNS records for validation, then you need to use the certbot certonly command to issue the certificate, as you did 3 months ago. These DNS records only authorize you to issue certificates for up to 30 days (or less); after 30 days you need to set new DNS records.

certbot renew is used for non-interactive (non-manual) renewal, which requires auth-hook scripts to automatically set up the DNS TXT records for dns-01 validation.

If you wish to set up automatic DNS-based renewal that works with your DNS host (easyDns), then maybe look into using Dehydrated rather than Certbot, since Dehydrated directly supports easyDns (via Lexicon):


Hi _az,

Oh okay, it’s not as simple as just adding DNS records and forgetting about it. Okay, gonna look into dehydrated tomorrow since it’s the middle of the night here right now and I need to go to sleep. You mentioned my domain registrar, so that’s interesting, to get this auto renew working with dehydrated and easydns. I will post feedback after I’ve figured dehydrated out.

thanks man!


@_az

Certbot also works with DNS based records

I wrote a guide about it here: Tutorial - Certbot Cloudflare DNS with Apache Web Servers on Ubuntu 16.10

@pfg do you know if the packaging stuff got sorted out, i.e. being able to install certbot with the DNS Lexicon Authenticators?

@_az - it’s not that I am trying to say dehydrated or other clients (such as acme.sh) aren’t as good as certbot, but there is no need to “chuck Certbot out” because it seems to be missing functionality

Andrei

All I’ll say that is that it is an ongoing disappointment for me that alternate ACME clients are not featured more prominently.

I look forward to expanded DNS auth support in Certbot.

that is a valid point, however the challenge I have seen in the last 18 months is that clients written by certain web control panels and providers have really not delivered

users of said products/clients come on to the let’s encrypt forum with a lot of anger and accusations and while the wider community tries to help there is not much Let’s Encrypt as a CA following a standard protocol can do (ACME)

If every client writer owned their stuff I wouldn’t be at all hesitant recommending them

There are great client writers and i mentioned a few in a recent post Why Let's Encrypt Made Me A Better Cryptographer

What I am finding in reality - look at these clients -> thanks -> why did you recommend that client it’s not working etc make it work for me

As I said I am very careful in recommending clients to those I know actively participate in this forum and actively help the community

Andrei

to clarify more, Let’s Encrypt keeps a list of clients https://letsencrypt.org/docs/client-options/

@jsha does a great job of working with the client writers to make sure things work as they should

However there is no way to force client writers to do the right/good practice thing

Andrei

I promised to give feedback about my cert renewal problem. The thing is, I don’t understand why I need to use another piece of software to automate the renewal of my certificate. I just generated a new certificate, and in the next 90 days I will generate a new certificate again, and again and again. It’s frustrating, but okay. It’s a free working certificate with a handicap :expressionless:

The big idea about Let's Encrypt is automation. The reason you're getting errors is because apparently you need to manually add the DNS challenge to your DNS service. As you need to do this manually, I guess you're not able to write a script to do it for you.

If you look at the certbot source code, you can see there are MANY plugins written for a lot of different DNS service providers or general DNS update protocol. Perhaps one of those can be useful in your situation.

I, a self-proclaimed semi-expert on certbot (:wink:), don't even really know how to install those plugins, unfortunately. But I'm sure the near future will include those plugins with the basic releases of certbot.

So please don't dismiss certbot yet or see it as a handicap. See it as "work in progress".


I’m sorry you had a bad experience, and I’m sorry for my role in it. The problem is that using DNS renewal means having to interact with your DNS provider (e.g. easyDns), and as of today, there is no widely adopted way to update nameservers.

You could keep using Certbot with automatic renewal if you either figured out how to use the built-in Lexicon plugin (for which I can’t find any documentation) or wrote a script to implement the easyDNS update step, using the easyDNS API.

e.g.

sudo pip install dns-lexicon

auth.sh (fill in EASYDNS credentials):

#!/bin/bash
# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION before calling this hook.
# Fill in the two placeholder values with your easyDNS credentials.
set -e   # a failed lexicon call must fail the hook instead of silently sleeping

lexicon easydns --auth-username="EASYDNS_API_TOKEN" --auth-token="EASYDNS_API_KEY" \
create "${CERTBOT_DOMAIN}" TXT --name "_acme-challenge.${CERTBOT_DOMAIN}" \
--content "${CERTBOT_VALIDATION}"

# tune sleep based on how long easyDNS updates take to apply to their nameservers
sleep 30

cleanup.sh (fill in EASYDNS credentials):

#!/bin/bash
# Runs after validation; removes the TXT record auth.sh created for this domain.
lexicon easydns --auth-username="EASYDNS_API_TOKEN" --auth-token="EASYDNS_API_KEY" \
delete "${CERTBOT_DOMAIN}" TXT --name "_acme-challenge.${CERTBOT_DOMAIN}" \
--content "${CERTBOT_VALIDATION}"

Should get you auto-renewal (subject to whatever mistakes I made typing this):

certbot --manual --manual-auth-hook ./auth.sh --manual-cleanup-hook ./cleanup.sh \
--preferred-challenges=dns --register-unsafely-without-email \
--agree-tos --manual-public-ip-logging-ok -d kostons.net
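As an added example (not from _az's post, nor from the Certbot or lexicon projects): a POSIX shell replacement for the fixed `sleep 30` in auth.sh. Instead of guessing how long easyDNS takes, it polls each authoritative nameserver of the zone until the `_acme-challenge` TXT record carries the value Certbot expects, so the hook only returns once the validator can actually see the record. It assumes `dig` is installed and that Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook; the attempt and delay defaults are my own choice.

```shell
#!/bin/sh
# Added example: wait for the dns-01 TXT record to be visible on the zone's
# authoritative nameservers before returning control to Certbot.

# txt_contains EXPECTED  (reads `dig +short ... TXT` output on stdin)
# Returns 0 if any answer line equals EXPECTED. dig prints TXT data quoted
# and may split long values into several quoted chunks: "abc" "123".
txt_contains() {
  expected="$1"
  while IFS= read -r line; do
    # join chunks, then strip the surrounding quotes
    line=$(printf '%s' "$line" | sed 's/" "//g; s/^"//; s/"$//')
    [ "$line" = "$expected" ] && return 0
  done
  return 1
}

# wait_for_txt ZONE NAME EXPECTED [MAX_ATTEMPTS] [DELAY_SECONDS]
# Queries every NS of ZONE directly (bypassing any caching resolver) until
# each one serves NAME TXT with EXPECTED, or gives up after MAX_ATTEMPTS.
wait_for_txt() {
  zone="$1"; name="$2"; expected="$3"; max="${4:-20}"; delay="${5:-15}"
  for ns in $(dig +short NS "$zone"); do
    attempt=0
    until dig +short @"$ns" "$name" TXT | txt_contains "$expected"; do
      attempt=$((attempt + 1))
      if [ "$attempt" -ge "$max" ]; then
        echo "timeout: $name not served by $ns after $max attempts" >&2
        return 1
      fi
      sleep "$delay"
    done
  done
  return 0
}

# Hook usage: place this after the `lexicon ... create` call in auth.sh.
# For kostons.net the zone is the certificate domain itself (assumption).
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
  wait_for_txt "$CERTBOT_DOMAIN" "_acme-challenge.$CERTBOT_DOMAIN" \
    "$CERTBOT_VALIDATION" || exit 1
fi
```

A non-zero exit from the hook makes Certbot abort the challenge instead of asking Let's Encrypt to validate a record that is not there yet.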

@ahaw021 as an ACME client author supporting a considerable deployment base, I have to mention that Certbot is not exactly a paragon of virtue itself. It has some really questionable UX decisions (such as the mess with certonly not mentioning that it doesn’t support autorenewal without auth hooks) as well as using a language/runtime with an extremely complicated dependency story, ending up with (very avoidable) situations as you currently have with the DNS plugins + certbot-auto. I don’t want to flame the software and REALLY appreciate that it is supported by EFF and the wonderful forum members here, but dogmatically using Certbot because it is “blessed” but fails to provide a straightforward solution to OP’s problems seems totally stubborn and irrational to me.

Sorry OP for derailing your thread.


Sorry I used the term handicap. It’s just that I have so little time, and something seemingly so logical and simple as auto-renewing a certificate takes so much time and causes so many problems. I don’t understand why this complexity? I appreciate the effort of LE making the Internet a safer place for everybody. Every 90 days I forget that for a moment; I’m sorry for that.

@_az Thank you a lot for the detailed help I am going to try to set it up. I have another 3 months time to fiddle with it :wink:

Today I wanted to start the auto renew option with your example code. It seems the EasyDNS API is in beta stage and no new users are allowed to participate at the moment. Sadly I can’t try your example scripts.

https://easydns.com/blog/2013/01/09/announcing-easyapi-the-rest-api-for-easydns-now-in-beta/

I was in the same position, resulting in my post here. I took the suggestion to switch to cloudflare for DNS (keeping my domain registration at easyDNS), and am using acme.sh with that service. It works very smoothly. Cloudflare is free for DNS, has an apparently-well-supported API, and frankly their DNS record editor is much nicer than easyDNS’s (IMO, of course).


I'm sorry to hear that. I would suggest they are not a suitable DNS host if they are so far behind the competition.

Luckily lexicon supports a wide array of DNS hosts, so you have the option to use any of them, including the one @danb35 has recommended to you, with only tiny adjustments to the lexicon command (or indeed use acme.sh as suggested).
