Trying to automate renewals


#1

First step, I try a dry-run and this is what I get (domain name replaced by ‘domain’)

"
#certbot-2 renew --dry-run

Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/domain.conf with version 0.30.2 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,)
Attempting to renew cert (domain) from /etc/letsencrypt/renewal/domain.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,). Skipping.
"

Conf file:
"

renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/domain
cert = /etc/letsencrypt/live/domain/cert.pem
privkey = /etc/letsencrypt/live/domain/privkey.pem
chain = /etc/letsencrypt/live/domain/chain.pem
fullchain = /etc/letsencrypt/live/domain/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = manual
account = 7c6c3413190fb20d8b41d21d9795a514
#pref_challs = dns-01,
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory
"

If I change the conf file to

"

renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/domain
cert = /etc/letsencrypt/live/domain/cert.pem
privkey = /etc/letsencrypt/live/domain/privkey.pem
chain = /etc/letsencrypt/live/domain/chain.pem
fullchain = /etc/letsencrypt/live/domain/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = webroot
account = 7c6c3413190fb20d8b41d21d9795a514
pref_challs = dns-01,http-01
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
domain = /var/www/domain
"

I get:

"
Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/domain.conf with version 0.30.2 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Attempting to renew cert (domain) from /etc/letsencrypt/renewal/domain.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS… Skipping.
"

Ideas?

Thanks!


#2

Remove the dns-01 entry, as that isn’t possible with the webroot authenticator.


#3

Thanks for the reply.

Already tried that, this is the error:

"
Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/domain.conf with version 0.30.2 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Attempting to renew cert (domain) from /etc/letsencrypt/renewal/domain.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS… Skipping.
"


#4

Does your certificate include a wildcard?


#5

No, just a plain domain.


#6

I would delete that line altogether and let it choose on its own.


#7

Could we see the output of certbot certificates?


#8

Same error:
"
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain.com
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS… Skipping.
"


#9

Here it is:
root@y # certbot-2 certificates

Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/domain.com.conf with version 0.30.2 of Certbot. This might not work.

Certificate Name: domain.com
Domains: domain.com *.domain.com
Expiry Date: 2019-05-09 12:14:01+00:00 (VALID: 66 days)
Certificate Path: /etc/letsencrypt/live/domain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain.com/privkey.pem


#10

Euhm, @vanmorrison, you do realise that you do have a wildcard domain included, right?


#11

And that wildcard is the reason for this error. By Let’s Encrypt policies, wildcard certificates can only be validated using the DNS-01 method. The webroot plugin isn’t able to use this method (because it doesn’t have anything to do with the content served by your web server, only the records in your DNS zone).
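
The diagnosis reached in #9 to #11 can be turned into a pre-flight check that runs before `certbot renew`, so the mismatch is caught without waiting for a failed dry run. The following POSIX shell script is an added example written for this thread; it is not Certbot's own code and not from any poster. The renewal config it parses and the `certbot certificates` listing it reads are constructed samples modelled on the ones posted above (account id replaced by a placeholder), and the function names (`conf_value`, `has_wildcard`, `can_do_dns01`, `check_renewal`) are this example's own. It treats `dns-*` plugins, and `manual` only when `manual_auth_hook` is set, as able to answer a dns-01 challenge; everything else (webroot included) is flagged when a wildcard name is present.

```shell
#!/bin/sh
# Added example (not from the thread, not Certbot's code): check a renewal
# configuration against the names on the certificate and flag the case
# from this thread, a wildcard name paired with an authenticator that
# cannot complete a dns-01 challenge.

# Constructed renewal config, modelled on the webroot version posted in #1.
write_sample_conf() {
    cat > "$1" <<'EOF'
renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/domain
cert = /etc/letsencrypt/live/domain/cert.pem
privkey = /etc/letsencrypt/live/domain/privkey.pem
chain = /etc/letsencrypt/live/domain/chain.pem
fullchain = /etc/letsencrypt/live/domain/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = 0123456789abcdef0123456789abcdef
pref_challs = dns-01,http-01
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
domain = /var/www/domain
EOF
}

# Constructed "certbot certificates" output, modelled on #9.
SAMPLE_CERT_LISTING='Certificate Name: domain.com
  Domains: domain.com *.domain.com
  Expiry Date: 2019-05-09 12:14:01+00:00 (VALID: 66 days)
  Certificate Path: /etc/letsencrypt/live/domain.com/fullchain.pem
  Private Key Path: /etc/letsencrypt/live/domain.com/privkey.pem'

# Print the value of key $2 from the [renewalparams] section of conf $1.
conf_value() {
    sed -n '/^\[renewalparams\]/,$p' "$1" |
        sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Print the names on the "Domains:" line of a certificates listing, one per line.
listed_domains() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Domains:[[:space:]]*//p' | tr ' ' '\n'
}

# Succeed if any listed name is a wildcard (starts with "*.").
has_wildcard() {
    listed_domains "$1" | grep -q '^\*\.'
}

# Succeed if the configured authenticator can answer a dns-01 challenge:
# dns-* plugins always; manual only with an auth hook (the first error in
# this thread); webroot and anything else cannot.
can_do_dns01() {
    auth=$(conf_value "$1" authenticator)
    case "$auth" in
        dns-*) return 0 ;;
        manual) [ -n "$(conf_value "$1" manual_auth_hook)" ] ;;
        *) return 1 ;;
    esac
}

# Combined check: 0 when the config can renew the listed certificate,
# 1 when a wildcard name is paired with a non-DNS authenticator.
check_renewal() {
    if has_wildcard "$2" && ! can_do_dns01 "$1"; then
        echo "wildcard name present but authenticator '$(conf_value "$1" authenticator)' cannot do dns-01" >&2
        return 1
    fi
    return 0
}

# Stand-alone demonstration on the constructed inputs.
demo() {
    tmp=$(mktemp)
    write_sample_conf "$tmp"
    if check_renewal "$tmp" "$SAMPLE_CERT_LISTING"; then
        echo "renewal config looks consistent"
    else
        echo "renewal would fail: use a dns-* plugin or manual with --manual-auth-hook"
    fi
    rm -f "$tmp"
}

demo
```

On a real host, replace the two constructed inputs with `/etc/letsencrypt/renewal/<name>.conf` and the output of `certbot certificates`; the check then reports the wildcard/webroot mismatch before the renewal job runs.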


#12

Hello, yes, I have finally seen the light!
Thank you for your time and support, keep up the good work!