The manual plugin is not working; The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)

I got HTTPS by opening port 80 on my EC2 instance and running this command:

sudo certbot --nginx -d api.geeknoon.com

This added some code to my nginx file:

sudo cat /etc/nginx/sites-available/geeknoon_server
server {
    server_name api.geeknoon.com;

    location = /favicon.ico { access_log off; log_not_found off ; }

    location /static/ { root /home/ubuntu/geeknoon_server; }

    location / {
        include proxy_params;
        proxy_pass http://unix:/home/ubuntu/geeknoon_server/geeknoon_server.sock;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/api.geeknoon.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/api.geeknoon.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = api.geeknoon.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name api.geeknoon.com;
    return 404; # managed by Certbot

}

And when I run this: sudo certbot renew --dry-run

I get this error:

sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/api.geeknoon.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (api.geeknoon.com) from /etc/letsencrypt/renewal/api.geeknoon.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/geeknoon.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (geeknoon.com) from /etc/letsencrypt/renewal/geeknoon.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/api.geeknoon.com/fullchain.pem (failure)
/etc/letsencrypt/live/geeknoon.com/fullchain.pem (failure)                                                    

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/api.geeknoon.com/fullchain.pem (failure)
/etc/letsencrypt/live/geeknoon.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)

I'm guessing this is not the first time you've used certbot to get a certificate for that hostname. Certbot doesn't just come up with the manual plugin out of nothing; I'm pretty sure you've used it in the past.

Perhaps you could try combining both directives, i.e. --nginx and --dry-run, to simulate the renewal without the manual plugin but with the nginx plugin. I'm not sure if the dry run will overwrite the renewal configuration file though for future renewals.

Edit: Just tested here with the apache plugin: it does manage to do the challenge through the apache authenticator, but the configuration doesn't get updated.

So you can test the nginx plugin with --dry-run --nginx, but you'll have to update your renewal configuration file in another way. Three options:

  • wait until renewal is close (Let's Encrypt advises renewing 60 days after issuance, i.e., 30 days before the expiration date of the certificate) and renew with certbot renew --nginx;
  • force renewal with the nginx plugin by adding --force-renewal just once. Note: this adds a little bit of strain on the Let's Encrypt resources if many people would just force renewals even if it isn't really necessary. Just one certificate out of thousands wouldn't make a difference though.
  • manually edit the renewal configuration file yourself to change authenticator = manual to authenticator = nginx.
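
An added example, not part of the original posts and not certbot's own code: a shell audit that finds renewal configuration files still set to `authenticator = manual` with no `manual_auth_hook`, the state that produces the error in this thread and leaves certificates to expire unrenewed. The sample files, hostnames and hook path are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: find certbot lineages whose saved settings cannot renew unattended.

# Exit 1 and print a finding if the [renewalparams] section of renewal config $1
# has authenticator = manual without a manual_auth_hook.
check_renewal_conf() {
    awk -v file="$1" '
        /^[ \t]*#/ { next }                                  # comment line
        /^\[/ { section = $0; sub(/[ \t\r]+$/, "", section); next }
        section == "[renewalparams]" && (n = index($0, "=")) {
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", key); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == "authenticator") auth = val
            if (key == "manual_auth_hook") hook = val
        }
        END {
            if (auth == "manual" && hook == "") {
                print file ": authenticator = manual without manual_auth_hook"
                exit 1
            }
        }' "$1"
}

# Check every *.conf in directory $1; return 1 if any lineage is flagged.
audit_renewal_dir() {
    local conf status=0
    for conf in "$1"/*.conf; do
        [ -e "$conf" ] || continue
        check_renewal_conf "$conf" || status=1
    done
    return "$status"
}

# Constructed sample configs (hypothetical hostnames and hook path) in a temp dir.
make_sample_dir() {
    local d; d=$(mktemp -d)
    printf '[renewalparams]\nauthenticator = manual\n' \
        > "$d/manual.example.test.conf"
    printf '[renewalparams]\nauthenticator = nginx\ninstaller = nginx\n' \
        > "$d/nginx.example.test.conf"
    printf '[renewalparams]\nauthenticator = manual\nmanual_auth_hook = /usr/local/bin/auth.sh\n' \
        > "$d/hooked.example.test.conf"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
audit_renewal_dir "$sample" || echo "flagged lineages need another authenticator or a hook"
rm -rf "$sample"
```

On a real host, call `audit_renewal_dir /etc/letsencrypt/renewal`; a non-zero exit status makes it usable as a monitoring check alongside `certbot renew --dry-run`.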
