Switching from manual to auto renew

I keep getting the following error when I try to renew. I think my SSL is set to the old manual method and I would like to switch to the new automatic one; how can I do that please?

My domain is:

I ran this command:
sudo certbot renew --dry-run

It produced this output:
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (web-wallet.com) from /etc/letsencrypt/renewal/web-wallet.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/demo.web-wallet.com/fullchain.pem (failure)
/etc/letsencrypt/live/web-wallet.com/fullchain.pem (failure)

The operating system my web server runs on is (include version):
Ubuntu 18

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.31

Hi @crashbdx

You can't use --dry-run if you have used --manual and you don't have a manual-auth-hook script.

Change that or use the complete manual command again.
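The error above comes from the settings certbot saved in the renewal conf, so it is worth auditing those files before the cron job hits them. This is an added example, not code from the thread or from Certbot; the sample conf contents are constructed, and the key names (manual_auth_hook, dns_digitalocean_credentials) are assumed to follow certbot's habit of storing CLI flags with underscores.

```python
"""Audit certbot renewal configs for settings that break unattended renewal.

Added example, not certbot's own code. Assumes the renewal .conf layout
(top-level key = value lines, then a [renewalparams] section) and key names
derived from the CLI flags (manual_auth_hook, dns_digitalocean_credentials).
"""
import configparser
import glob

# Constructed sample: what a conf left by `certbot certonly --manual` looks like.
MANUAL_CONF = """\
version = 0.31.0
cert = /etc/letsencrypt/live/web-wallet.com/cert.pem
fullchain = /etc/letsencrypt/live/web-wallet.com/fullchain.pem

[renewalparams]
authenticator = manual
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
"""

# Constructed sample: the same cert after switching to the DigitalOcean DNS plugin.
AUTOMATED_CONF = """\
version = 0.31.0
cert = /etc/letsencrypt/live/web-wallet.com/cert.pem

[renewalparams]
authenticator = dns-digitalocean
dns_digitalocean_credentials = /root/.secrets/certbot/digitalocean.ini
dns_digitalocean_propagation_seconds = 60
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
"""

def renewal_problems(conf_text):
    """Return reasons a non-interactive `certbot renew` would skip this cert."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[top]\n" + conf_text)   # top-level keys need a section header
    params = cp["renewalparams"] if cp.has_section("renewalparams") else {}
    auth = params.get("authenticator", "")
    problems = []
    if auth == "manual" and not params.get("manual_auth_hook"):
        problems.append("manual authenticator without manual_auth_hook")
    elif auth.startswith("dns-"):
        cred_key = auth.replace("-", "_") + "_credentials"
        if not params.get(cred_key):
            problems.append(f"{auth} without {cred_key}")
    elif not auth:
        problems.append("no authenticator recorded")
    return problems

def audit(pattern="/etc/letsencrypt/renewal/*.conf"):
    """Map each renewal conf on disk to its list of problems (empty list = fine)."""
    return {path: renewal_problems(open(path).read()) for path in sorted(glob.glob(pattern))}
```

Run `audit()` as root on the host; any conf with a non-empty list will produce the same "Skipping" line at the next scheduled renewal.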

You have a wildcard certificate, which limits you to using the dns-01 challenge. This can only be automated if there's a DNS challenge available to add/remove the necessary TXT records automatically, or you can script those functions yourself and use the --manual-auth-hook option (and --manual-cleanup-hook).

... or you can switch DNS providers to get one that has a proper API for an automated challenge to work.

Thank you everyone, yes I was doing it manually, but recently for some reason the manual verification doesn't work, I guess because of the wildcard, so I wanted to change and switch to automatic, but I don't know how to transition from manual to automatic because when I run the following:

sudo certbot --nginx -d *.web-wallet.com -d web-wallet.com

I get this error:

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

How do I change the authenticator?

If you want to use a wildcard certificate, you’re going to have to use the DNS plugin: https://certbot-dns-digitalocean.readthedocs.io/en/stable/

I encourage you not to use a wildcard certificate, unless you really, really need it.

It complicates life quite a lot, as it means you cannot use the relatively straightforward HTTP challenge (which is what --nginx uses).

If you can list all of your subdomains instead, that’s much easier, as you can use --nginx in the way you’ve tried above.

Thank you, up to now with the wildcard I was using this manual renew:

sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d web-wallet.com -d *.web-wallet.com

It was working, but today I don't know why: when I enter the new ACME TXT challenge in my DNS and test with lookup tools whether it is deployed, it is, but certbot finds an old one each time…

Wait for a while, it's probably just your authoritative DNS servers that are slow.

Also, Certbot should be asking you to deploy two _acme-challenge TXT records.

One for the base domain, one for the wildcard domain.

Make sure you’re not accidentally overlooking one of them. I mention this because you only have one TXT record deployed right now.

Using the Certbot DNS DigitalOcean plugin would make all of this automatic and remove the error-prone manual part.
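The two-record requirement above, and the stale record the earlier post ran into, can both be checked before confirming certbot's manual prompt. This is an added example, not code from the thread or from Certbot; the validation values and the dig answer are constructed, and the function names are mine.

```python
"""Check that every dns-01 TXT value certbot asked for is actually published.

Added example, not certbot's own code. The DNS answer is constructed inline;
on a real host fill it from `dig +short TXT <name> @<authoritative-ns>`.
"""

def challenge_name(domain):
    """Map a requested name to the _acme-challenge record certbot validates."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"

def expected_records(validations):
    """Group validation values by TXT name; a wildcard and its base share one."""
    expected = {}
    for domain, value in validations:
        expected.setdefault(challenge_name(domain), set()).add(value)
    return expected

def parse_dig_short(text):
    """Turn `dig +short TXT` output (one quoted string per line) into values."""
    return [line.strip().strip('"') for line in text.splitlines() if line.strip()]

def compare(validations, observed):
    """Return (missing, stale): values not published yet, old values still there."""
    missing, stale = {}, {}
    for name, values in expected_records(validations).items():
        have = set(observed.get(name, ()))
        if values - have:
            missing[name] = sorted(values - have)
        if have - values:
            stale[name] = sorted(have - values)
    return missing, stale

# Constructed: the two values certbot prints for -d web-wallet.com -d '*.web-wallet.com'.
VALIDATIONS = [
    ("web-wallet.com", "base-validation-token"),
    ("*.web-wallet.com", "wildcard-validation-token"),
]
# Constructed dig answer: only one value deployed, plus a leftover from the last renewal.
DIG_OUTPUT = '"base-validation-token"\n"old-token-from-last-renewal"\n'
OBSERVED = {"_acme-challenge.web-wallet.com": parse_dig_short(DIG_OUTPUT)}

if __name__ == "__main__":
    missing, stale = compare(VALIDATIONS, OBSERVED)
    for name, vals in missing.items():
        print(f"NOT YET PUBLISHED at {name}: {vals}")
    for name, vals in stale.items():
        print(f"STALE value at {name} (remove it): {vals}")
    print("all challenge records in place" if not missing else "wait before continuing")
```

Query the authoritative name servers directly rather than a resolver, otherwise a cached answer will hide the record you just added.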

Just redid it right now and for some reason this time it worked… Certbot didn't give me two challenges, only one for _acme-challenge.web-wallet.com

I tried several times a couple of hours ago and it didn't work, Certbot was always showing an older challenge. Probably the server that is slow to propagate the TXT?

The weird part is that certbot in the console said it was successful:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/web-wallet.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/web-wallet.com/privkey.pem
Your cert will expire on 2020-11-01.

But if I check online it still says it will expire in 7 days…
https://www.sslshopper.com/ssl-checker.html#hostname=web-wallet.com

Is there no way from there to switch to the automatic version rather than having to do this every time?

You used certonly. Did you install the certificate and reload your webserver?

Thanks a lot, I didn't restart nginx, that's why.
So should I rather stay with manual than try to switch to the automatic version?

No, you should definitely go automatic.

A possible reason for certbot not asking you to add two txt records might be that there's a cached authorization for the non-wildcard domain, obtained via http-01.

The command should look like this:

certbot run \
  --authenticator dns-digitalocean \
  --dns-digitalocean-credentials ~/.secrets/certbot/digitalocean.ini \
  --dns-digitalocean-propagation-seconds 60 \
  --installer nginx \
  -d web-wallet.com \
  -d '*.web-wallet.com'

If you want to reload any other services, you can add a --deploy-hook as well.

Is this command to switch to automatic? Can I do it now or should I try at the next renewal?

You can do it whenever the rate limits make it sensible. But be advised that I have not tried that command and it probably needs to be refined.

Thanks a lot for the help, will read the doc a bit first :smiley:
