Skip certs with manual plugin from certbot renew

I have lots of certs which are renewed automatically using certbot renew in cron. I also have 2 wildcard certs which are created by dns-challenge and cannot be auto-renewed. Is it possible to just skip these when certbot renew is called instead of getting error messages all the time?

I ran this command: certbot renew
The operating system my web server runs on is (include version): Debian 9
I can login to a root shell on my machine (yes or no, or I don't know): Yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.9.0


Hi and welcome to the community forum!

I'm a bit confused.
Are the wildcard certs due for renewal?
Why is certbot trying to renew them (and failing)?
[can you show the error message]


Hi @Adspectus

Check the config files of these two certificates.

There is a "30 days" parameter.

100 days -> no renewal should happen.


Yes, they are valid 90 days, like the others.

I guess because there is a file in the renewal directory which tells certbot to do so. This file is created when I create or manually renew the wildcard certs.

Here is the message:

Attempting to renew cert (xyz) from /etc/letsencrypt/renewal/xyz.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/xyz/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

I am aware that the manual/dns certs cannot be automatically renewed because they need interaction. That's why I want to just leave them out of the renewal call.


How many valid days are left?
[you can check with: certbot certificates]


I have this line:

# renew_before_expiry = 30 days

I guess I have to uncomment and change the days? Does this survive the manual renewal process or will it be changed back to this default line?


If you haven't specified a number, the default is 30 days.
What does this say:
certbot certificates


It says VALID: 28 days and VALID: 29 days resp.

I will go ahead and try changing the expiry days from 30 to 100.

Thanks for your quick answers so far!

However, I am still wondering why there is just no option to run certbot renew and skip the manual certs. I found many people asking why they get the error message with this kind of cert, and the answer in most cases is that certbot cannot renew these certificates in the background because they need interaction. Well, why does certbot renew not just skip these certificate renewals?


The bigger the number, the sooner it will try to renew - you have it backwards!
They have fallen below 30 days and you now need to renew them (manually, as you did previously).


Ah, yes, of course. Then I will change it to 10 instead of 100. Thanks!


Renew X days before the cert expires.


You can't please everyone.
If it "ignored" those then they would just expire and then we'd have a whole lot of other complaints.


Totally agree on that. But the longer I think about it, the more I think it is a design failure in the certbot program. If certbot is able to see that there is a manual cert without a manual-auth-hook and also knows that it is running non-interactively, as the error message suggests, then it could just skip the renewal of the cert in question. No need to report an error or failure.

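One way to get the skip behaviour asked for above, as an added example that is not part of this thread or of certbot itself: a POSIX shell wrapper that reads certbot's renewal config files, leaves out certificates whose authenticator is the manual plugin with no manual_auth_hook, and renews the remaining ones one at a time. It assumes the standard /etc/letsencrypt/renewal/NAME.conf layout (authenticator and manual_auth_hook under [renewalparams], renew_before_expiry at top level and commented out when the 30-day default applies) and that `certbot renew --cert-name NAME` restricts the run to that one certificate. The three config files it writes are constructed for the demo; the paths and hook name in them are made up.

```shell
#!/bin/sh
# Added example (not certbot's own code): renew only the certificates that
# certbot can handle unattended, and report manual-plugin certificates that
# have no --manual-auth-hook once instead of failing on every cron run.
# Assumption: renewal configs live in $RENEWAL_DIR as NAME.conf.

RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"

# conf_value FILE KEY: print the value of "KEY = value"; lines commented
# out with '#' (e.g. "# renew_before_expiry = 30 days") are ignored.
conf_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# classify FILE: "manual-no-hook" when a non-interactive renew would fail
# with the PluginError from the thread, "auto" for everything else
# (webroot/nginx/apache/dns plugins, or manual with a hook configured).
classify() {
    if [ "$(conf_value "$1" authenticator)" = "manual" ] \
       && [ -z "$(conf_value "$1" manual_auth_hook)" ]; then
        echo manual-no-hook
    else
        echo auto
    fi
}

# renew_days FILE: effective renew_before_expiry in days (certbot default 30).
renew_days() {
    v=$(conf_value "$1" renew_before_expiry)
    if [ -n "$v" ]; then
        echo "${v%% *}"   # "10 days" -> 10
    else
        echo 30
    fi
}

# certs_by_class DIR CLASS: certificate names (conf basename) in that class.
certs_by_class() {
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        if [ "$(classify "$f")" = "$2" ]; then
            basename "$f" .conf
        fi
    done
}

# renew_auto_only [extra certbot args]: the cron replacement for "certbot renew".
renew_auto_only() {
    for name in $(certs_by_class "$RENEWAL_DIR" auto); do
        certbot renew --cert-name "$name" "$@"
    done
    manual=$(certs_by_class "$RENEWAL_DIR" manual-no-hook)
    [ -z "$manual" ] || echo "needs interactive renewal: $manual" >&2
}

# make_sample_dir: constructed renewal configs for a stand-alone demo.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/www.example.com.conf" <<'EOF'
# renew_before_expiry = 30 days
version = 1.9.0
[renewalparams]
authenticator = webroot
EOF
    cat > "$d/wildcard.example.com.conf" <<'EOF'
renew_before_expiry = 10 days
version = 1.9.0
[renewalparams]
authenticator = manual
pref_challs = dns-01,
EOF
    cat > "$d/hooked.example.com.conf" <<'EOF'
# renew_before_expiry = 30 days
[renewalparams]
authenticator = manual
manual_auth_hook = /usr/local/bin/dns-auth.sh
EOF
    echo "$d"
}

# Demo: classify the constructed configs without invoking certbot.
demo_dir=$(make_sample_dir)
for f in "$demo_dir"/*.conf; do
    printf '%s: %s, renews %s days before expiry\n' \
        "$(basename "$f" .conf)" "$(classify "$f")" "$(renew_days "$f")"
done
```

Call `renew_auto_only -q` from cron in place of `certbot renew`. The stderr line is deliberately kept so the manual certificates do not expire silently; the cleaner fix, as the thread says, is to give those certificates a working `--manual-auth-hook` so they fall into the "auto" class.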

Agreed; but to cover all bases, there would have to be a user-added switch to ensure the user wanted them ignored.


If we add the feature you're suggesting, the Community will be filled with "Why didn't I get a warning, now my site has an expired certificate and isn't accessible any longer, this costs me money and you're gonna pay!!!11"-like threads in no time.

Let's Encrypt is all about automation. You should not be using the manual plugin without auth-hooks. There's no issue if you have working auth-hooks. I don't think the dev team will invest time and effort to "fix" this, as there isn't really an issue to begin with, strictly speaking :wink:


@Adspectus

You can try adding --allow-subset-of-names to keep certbot from stopping when it fails to authenticate any particular domain name. This (hopefully) would let you acquire certificates for domain names that can be automatically authenticated and leave the manual part to you.


@griffin It's not a domain failing here, but the whole certificate due to the forced interactive manual plugin. --allow-subset-of-names won't suddenly make the manual plugin non-interactive I'm afraid :wink:

The issue here is probably that a certbot cronjob running twice a day will notify the user running the cronjob that it failed... Twice a day... Every day...


I was just trying to give the OP what he asked for:

Keep in mind that renew tries to renew all certificates, not just the wildcard ones.


Yes, but we don't know if the wildcard was, or was not, included in a cert with other domains (not wildcards).
So you are BOTH correct:
When separate, @Osiris is correct.
When combined, @griffin is correct.


I'm not sure if certbot allows mixed validation types for a single certificate, but I'm thinking that the non-wildcard domain names on a certificate with a wildcard domain name will use dns-01 challenges, which are always available. This would cause all domain names to be skipped for such a certificate. I'm also not exactly sure if certbot fails out completely when a certificate renewal fails, thus skipping any remaining certificates to be renewed. I'm thinking not, but I don't immediately recall.
