I have lots of certs which are renewed automatically using certbot renew in cron. I also have 2 wildcard certs which are created by dns-challenge and cannot be auto-renewed. Is it possible to just skip these when certbot renew is called instead of getting an error message all the time?
I ran this command: certbot renew
The operating system my web server runs on is (include version): Debian 9
I can login to a root shell on my machine (yes or no, or I don't know): Yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.9.0
I guess, because there is a file in the renewal directory which tells certbot to do so. This file is created when I create or manually renew the wildcard certs.
Here is the message:
Attempting to renew cert (xyz) from /etc/letsencrypt/renewal/xyz.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/xyz/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
I am aware that the manual/dns certs cannot be automatically renewed because they need interaction. That's why I want to just leave them out from the renewal call.
I will go ahead and try with changing the expiry days from 30 to 100.
Thanks for your quick answers so far!
However, I am still wondering why there is just no option to run certbot renew and skip the manual certs. I found many people asking why they get the error message with this kind of certs, and the answer in most cases is that certbot cannot renew these certificates in the background because they need interaction. Well, why does certbot renew not just skip these certificate renewals?
The bigger the number the sooner it will try to renew - backwards!
They have fallen below 30 days and you now need to renew them (manually as you did previously).
Totally agree on that. But, the longer I think about it, the more I think it is a design failure in the certbot program. If certbot is able to see that there is a manual cert without a manual-auth-hook and also knows that it is running non-interactively, as the error message suggests, then it could just skip the renewal of the cert in question. No need to report an error or failure.
If we add the feature you're suggesting, the Community will be filled with "Why didn't I get a warning, now my site has an expired certificate and isn't accessible any longer, this costs me money and you're gonna pay!!!11"-like threads in no time.
Let's Encrypt is all about automation. You should not be using the manual plugin without auth-hooks. There's no issue if you have working auth-hooks. I don't think the dev team will invest time and effort to "fix" this, as there isn't really an issue to begin with, strictly speaking.
You can try adding --allow-subset-of-names to keep certbot from stopping when it fails to authenticate any particular domain name. This (hopefully) would let you acquire certificates for domain names that can be automatically authenticated and leave the manual part to you.
@griffin It's not a domain failing here, but the whole certificate due to the forced interactive manual plugin. --allow-subset-of-names won't suddenly make the manual plugin non-interactive, I'm afraid.
The issue here probably is that a certbot cronjob running twice a day will notify the user running the cronjob that it failed... Twice a day.. For every day..
Yes, but we don't know if the wildcard was, or was not, included in a cert with other domains (not wildcards).
So you are BOTH correct:
When separate, @Osiris is correct.
When combined, @griffin is correct.
I'm not sure if certbot allows mixed validation types for a single certificate, but I'm thinking that the non-wildcard domain names on a certificate with a wildcard domain name will use dns-01 challenges, which are always available. This would cause all domain names to be skipped for such a certificate. I'm also not exactly sure if certbot fails out completely when a certificate renewal fails, thus skipping any remaining certificates to be renewed. I'm thinking not, but I don't immediately recall.
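An added example, not from any poster in this thread and not certbot's own code, of the cron-side workaround the thread keeps circling: filter the renewal configs first and call `certbot renew --cert-name` only for certs that can be renewed unattended, so a manual cert without an auth hook is never handed to certbot from cron. It assumes certbot's renewal conf layout (`/etc/letsencrypt/renewal/<name>.conf` with `authenticator = ...` and `manual_auth_hook = ...` keys) and builds a constructed sample directory for trying the filter.

```shell
#!/bin/sh
# Added example, not from the thread: renew only the certs certbot can handle
# unattended, so a manual/dns-challenge cert without an auth hook is never
# passed to "certbot renew" from cron (and never produces the PluginError).
# Assumes certbot's renewal conf layout, /etc/letsencrypt/renewal/<name>.conf,
# with "authenticator = ..." and "manual_auth_hook = ..." keys.

RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"

# Read one "key = value" from a renewal conf: $1 = conf path, $2 = key.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# True when the conf can be renewed without interaction: any non-manual
# authenticator, or the manual plugin with manual_auth_hook configured.
is_unattended_renewable() {
    auth=$(conf_value "$1" authenticator)
    hook=$(conf_value "$1" manual_auth_hook)
    [ "$auth" != "manual" ] || [ -n "$hook" ]
}

# Print the cert names (conf basename without .conf) safe for cron renewal.
unattended_cert_names() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        if is_unattended_renewable "$conf"; then
            basename "$conf" .conf
        fi
    done
}

# Cron entry point: one "certbot renew --cert-name" call per unattended cert.
# Extra arguments (e.g. --quiet) are passed through to certbot.
renew_unattended() {
    for name in $(unattended_cert_names "$RENEWAL_DIR"); do
        certbot renew --cert-name "$name" "$@"
    done
}

# Constructed sample renewal directory (names and hook path are made up) for
# trying the filter without touching /etc/letsencrypt; prints the directory.
make_sample_renewal_dir() {
    dir=$(mktemp -d)
    printf '[renewalparams]\nauthenticator = webroot\n' > "$dir/www.example.com.conf"
    printf '[renewalparams]\nauthenticator = manual\nmanual_auth_hook = /usr/local/bin/dns-hook.sh\n' \
        > "$dir/hooked.example.com.conf"
    printf '[renewalparams]\nauthenticator = manual\n' > "$dir/wild.example.com.conf"
    echo "$dir"
}
```

In cron, source the script and call `renew_unattended --quiet` in place of the bare `certbot renew`; the skipped manual certs still have to be renewed by hand before they drop below the expiry window.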