Struggling to renew certificate

I’m trying to renew my certificate on my local mac. I run sudo certbot renew

and I get

Processing /etc/letsencrypt/renewal/
Cert is due for renewal, auto-renewing...
Attempting to renew cert from /etc/letsencrypt/renewal/ produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

I’m tried a variety of other flags including --manual but I get the same result. I saw the references to --manual-auth-hook in the User Guide but it’s a bit over my head to be honest.

I’m using certbot version 0.13.0

When I originally made the cert, I documented my process here:

Any help would be appreciated. Thank you!

Hi @newtang,

Thanks for your enthusiasm for Let’s Encrypt expressed in your blog post!

Usually --manual doesn’t work well with automated renewal. The certbot renew interface is essentially intended for automated, unattended renewal, and so it’s not willing to prompt you for anything, but as you saw when you originally obtained the certificate, the --manual form does prompt you to indicate when you’ve made the requested change to your site.

There is a different form for interactive (non-unattended?) renewals which is OK with --manual, which would look something like

certbot certonly --cert-name

If your cert is expiring more than 30 days from now, you would add

certbot certonly --cert-name --force-renewal

to indicate that you really want to renew the cert now.

These forms say that you want a new version of the existing cert that’s referred to as (which I took from the directory name in your blog post), using the same authentication method and other details as before.

Another option would be to try installing and running Certbot on the web server itself, if you have the ability to do so. This is the most common Certbot use case, and has the advantage that you can use --webroot to allow Certbot to place the /.well-known/acme-challenge files for itself (without your “manually” doing so). If you use that method, certbot renew can also work for unattended renewals because Certbot understands how to complete this step by itself in an unattended fashion.

One of the other clients, but I’m forgetting which one at the moment, has some really nice support for a “remote webroot” concept (that is, for automatically satisfying the authentication challenge by creating that file, even when not running Certbot directly on the web server).

You might be thinking of getssl.

Thanks for the response @schoen! It turns out Heroku recently released Automated Certificate Management which is pretty straightforward.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.