Trouble switching from a manual to regular cert


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dashboard.eliftruck.com

I ran this command: sudo certbot renew --dry-run

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/dashboard.eliftruck.com.conf

Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (dashboard.eliftruck.com) from /etc/letsencrypt/renewal/dashboard.eliftruck.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/dashboard.eliftruck.com/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/dashboard.eliftruck.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.3 LTS

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Hi There,

So initially I set up with a manual cert from Let’s Encrypt…because at the time there were DNS issues. So right now I’m using a manual cert from Let’s Encrypt and it works great, but it will expire in April. I want to switch to a regular cert, so I can do automated renewals (and not renew manually every 3 months).

I tried the renew tool (see above) and basically it complained that I was using a manual cert so this wouldn’t be possible?

So that is fine…I would like to switch to a non-manual cert. I tried entering this into the command line:

sudo certbot --apache -d dashboard.eliftruck.com -d elift.freshinup.com

I entered 1 & 1 for the options. It congratulated me on creating the certs…but my cert is still due in April, and when I try to do auto-renew it still complains I have a manual cert.

Thanks in advance for any help.


#2

Hi @smithaa02,

Could you run certbot certificates to see which certificates you have installed?


#3

[quote=“schoen, post:2, topic:54873”]
certbot certificates
[/quote]
Yes…here are the results:

root@dashboard:/etc/apache2/sites-enabled# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: dashboard.eliftruck.com
Domains: dashboard.eliftruck.com elift.freshinup.com
Expiry Date: 2018-04-15 20:40:27+00:00 (VALID: 41 days)
Certificate Path: /etc/letsencrypt/live/dashboard.eliftruck.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/dashboard.eliftruck.com/privkey.pem

When I manually created the certs, I did specify these paths in sites-enabled/dashboard.eliftruck.com.conf and sites-available/dashboard.eliftruck.com.conf,
e.g.:

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/dashboard.eliftruck.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dashboard.eliftruck.com/privkey.pem


#4

Thanks!

How recently did you try the new command? Could you also post the contents of /etc/letsencrypt/renewal/dashboard.eliftruck.com?


#5

[quote=“smithaa02, post:1, topic:54873”]
sudo certbot --apache -d dashboard.eliftruck.com -d elift.freshinup.com
[/quote]
You asked about the last time I entered the command. I did so yesterday and just did so again.

When I enter:

sudo certbot --apache -d dashboard.eliftruck.com -d elift.freshinup.com

This seems to work fine. But when I try to renew using sudo certbot renew --dry-run I get the following error:


Processing /etc/letsencrypt/renewal/dashboard.eliftruck.com.conf

Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (dashboard.eliftruck.com) from /etc/letsencrypt/renewal/dashboard.eliftruck.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/dashboard.eliftruck.com/fullchain.pem (failure)

You then asked for the contents of /etc/letsencrypt/renewal/dashboard.eliftruck.com

They are:

root@dashboard:/etc/letsencrypt/renewal# cat dashboard.eliftruck.com.conf

renew_before_expiry = 30 days

version = 0.19.0
archive_dir = /etc/letsencrypt/archive/dashboard.eliftruck.com
cert = /etc/letsencrypt/live/dashboard.eliftruck.com/cert.pem
privkey = /etc/letsencrypt/live/dashboard.eliftruck.com/privkey.pem
chain = /etc/letsencrypt/live/dashboard.eliftruck.com/chain.pem
fullchain = /etc/letsencrypt/live/dashboard.eliftruck.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = manual
installer = None
account = 7d16b595bd8abe0aa0d0c83fdf6f7608
manual_public_ip_logging_ok = True


#6

So, usually that --apache command should have updated the [renewalparams] section to remember to use the Apache method in the future. I’m not sure why it didn’t here.

Could you try these things?

(1) certbot --version
(2) sudo certbot --apache -d dashboard.eliftruck.com -d elift.freshinup.com --force-renewal
(3) grep apache /etc/letsencrypt/renewal/dashboard.eliftruck.com.conf

If you don’t see authenticator = apache there at the end, then could you also post the corresponding log file that will be the newest one in /var/log/letsencrypt?

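A check in the spirit of the grep in post #6, added here as an example (it is not from the thread and not Certbot's own tooling): it reads the [renewalparams] section the way the thread inspects /etc/letsencrypt/renewal/dashboard.eliftruck.com.conf and flags the combination that produced the PluginError in post #5, authenticator = manual with no manual_auth_hook. The sample conf files are constructed, and the account id is a placeholder.

```shell
#!/bin/sh
# Added example (not Certbot's code): flag renewal confs that cannot renew
# unattended, i.e. authenticator = manual with no manual_auth_hook, which is
# the PluginError in this thread. Exit 0 if unattended renewal looks possible.

# Print the value of one key from the [renewalparams] section of a conf file.
renewal_param() {
    awk -v key="$2" '
        /^\[renewalparams\]/ { in_sec = 1; next }
        /^\[/                { in_sec = 0 }
        in_sec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Verdict for one renewal conf ($1): 0 = should renew unattended, 1 = will not.
check_renewal_conf() {
    auth=$(renewal_param "$1" authenticator)
    hook=$(renewal_param "$1" manual_auth_hook)
    if [ -z "$auth" ]; then
        echo "$1: no authenticator in [renewalparams]; renewal cannot run"
        return 1
    fi
    if [ "$auth" = manual ] && [ -z "$hook" ]; then
        echo "$1: authenticator = manual without manual_auth_hook; 'certbot renew' will fail non-interactively"
        return 1
    fi
    echo "$1: authenticator = $auth; unattended renewal should work"
    return 0
}

# Constructed sample confs (account id is a placeholder): the first mirrors the
# thread's dashboard.eliftruck.com.conf, the second what --apache would leave.
tmp=$(mktemp -d)
cat > "$tmp/manual.conf" <<'EOF'
version = 0.19.0
[renewalparams]
authenticator = manual
installer = None
account = PLACEHOLDER_ACCOUNT_ID
manual_public_ip_logging_ok = True
EOF
cat > "$tmp/apache.conf" <<'EOF'
[renewalparams]
authenticator = apache
installer = apache
EOF

check_renewal_conf "$tmp/manual.conf" || true   # flagged, as in the thread
check_renewal_conf "$tmp/apache.conf"            # passes
```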

#7
(1) root@dashboard:~# certbot --version
certbot 0.19.0

(2) root@dashboard:~# sudo certbot --apache -d dashboard.eliftruck.com -d elift.freshinup.com --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for dashboard.eliftruck.com
tls-sni-01 challenge for elift.freshinup.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. elift.freshinup.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested b538907d36307f8dd4b1292460db7a95.e1ce7d1ef21cd7c7964866a23fdeb987.acme.invalid from [2605:de00:1:1:4a:49:0:fc]:443. Received 2 certificate(s), first certificate had names "*.webfaction.com, webfaction.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: elift.freshinup.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    b538907d36307f8dd4b1292460db7a95.e1ce7d1ef21cd7c7964866a23fdeb987.acme.invalid
    from [2605:de00:1:1:4a:49:0:fc]:443. Received 2 certificate(s),
    first certificate had names "*.webfaction.com, webfaction.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

(3) grep apache /etc/letsencrypt/renewal/dashboard.eliftruck.com.conf

This comes up blank.

(4) The log file for /var/log/letsencrypt/letsencrypt.log is long…so I’ve added it as a web link: http://dashboard.eliftruck.com/lets_encrypt_log.txt

#8

So, I don’t see the “congratulations” message here, but rather an error (in this case possibly related to IPv6: you have an AAAA record advertising an IPv6 address for your site, but it might not be configured in the same way as the IPv4 address).

Is it possible that you misinterpreted the output of your previous --apache command as a success? That seems likely to me because you have only ever issued one valid Let’s Encrypt certificate for your domain

https://crt.sh/?Identity=%dashboard.eliftruck.com&iCAID=16418

which I assume is then the --manual one rather than a subsequent --apache one.

The command that you used does change the default behavior, but only when the certificate is successfully issued.

One thing to investigate might be the IPv6 issue. In the future, you might also encounter a different issue using --apache with your current version of Certbot:

However, it seems that this issue didn’t arise for you in this case because renewals of previously-issued certificates, when using the same Let’s Encrypt account ID, are exempt.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.