Trying to automate renewals

vanmorrison · March 1, 2019, 2:36pm

First step, I try a dry-run and this is what I get (domain name replaced by ‘domain’)

"
#certbot-2 renew --dry-run

Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/domain.conf with version 0.30.2 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,)
Attempting to renew cert (domain) from /etc/letsencrypt/renewal/domain.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,). Skipping.
"

Conf file:
"

renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/domain
cert = /etc/letsencrypt/live/domain/cert.pem
privkey = /etc/letsencrypt/live/domain/privkey.pem
chain = /etc/letsencrypt/live/domain/chain.pem
fullchain = /etc/letsencrypt/live/domain/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = manual
account = 7c6c3413190fb20d8b41d21d9795a514
#pref_challs = dns-01,
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory
"

If I change the conf file to

"

renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/domain
cert = /etc/letsencrypt/live/domain/cert.pem
privkey = /etc/letsencrypt/live/domain/privkey.pem
chain = /etc/letsencrypt/live/domain/chain.pem
fullchain = /etc/letsencrypt/live/domain/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = webroot
account = 7c6c3413190fb20d8b41d21d9795a514
pref_challs = dns-01,http-01
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
domain = /var/www/domain
"

I get:

"
Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/domain.conf with version 0.30.2 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Attempting to renew cert (domain) from /etc/letsencrypt/renewal/domain.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS… Skipping.
"

Ideas?

Thanks!

Osiris · March 1, 2019, 2:37pm

Remove the dns-01 entry, as that isn't possible with the webroot authenticator.

vanmorrison · March 1, 2019, 2:38pm

Thanks for the reply.

Already tried that, this is the error:

"
Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/domain.conf with version 0.30.2 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Attempting to renew cert (domain) from /etc/letsencrypt/renewal/domain.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS… Skipping.
"

Osiris · March 1, 2019, 2:42pm

Does your certificate include a wildcard?

vanmorrison · March 1, 2019, 2:43pm

no, just plain domain.

rg305 · March 2, 2019, 5:54pm

I would delete that line altogether and let it choose on its' own.

schoen · March 3, 2019, 6:39am

Could we see the output of certbot certificates?

vanmorrison · March 4, 2019, 8:17am

same error:
"
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain.com
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS… Skipping.
"

vanmorrison · March 4, 2019, 8:18am

here it is:
root@y # certbot-2 certificates

Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/domain.com.conf with version 0.30.2 of Certbot. This might not work.

Certificate Name: domain.com
Domains: domain.com *.domain.com
Expiry Date: 2019-05-09 12:14:01+00:00 (VALID: 66 days)
Certificate Path: /etc/letsencrypt/live/domain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain.com/privkey.pem

Osiris · March 4, 2019, 9:08pm

Euhm, @vanmorrison, you do realise that you do have a wildcard domain included, right?

schoen · March 4, 2019, 9:39pm

And that wildcard is the reason for this error. By Let’s Encrypt policies, wildcard certificates can only be validated using the DNS-01 method. The webroot plugin isn’t able to use this method (because it doesn’t have anything to do with the content served by your web server, only the records in your DNS zone).

vanmorrison · March 5, 2019, 9:06am

Hello, yes, I have finally seen the light!
Thank you for your time and support, keep up the good work!

system · April 4, 2019, 9:11am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Auto-renew from cron (first attempt) Help	7	2903	June 3, 2019
Dry run certificate renewal Help	6	3094	December 27, 2018
Renew non Apache domain Help	9	397	September 29, 2022
Urgent: Error in renewal Server	10	3147	February 6, 2018
Renew when create manually Help	4	1532	November 16, 2021

Trying to automate renewals

renew_before_expiry = 30 days

Options used in the renewal process

renew_before_expiry = 30 days

Options used in the renewal process

Related topics