Unable to manually renew certs


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
oath.coach and others

I ran this command:
sudo certbot renew --manual

It produced this output:
saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/oath.coach.conf


Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’)
Attempting to renew cert (oath.coach) from /etc/letsencrypt/renewal/oath.coach.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/oath.coach/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/oath.coach/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

My web server is (include version):

n/a performing manual install

The operating system my web server runs on is (include version):

n/a using manual renew and install

My hosting provider, if applicable, is:

Go Daddy

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

unknown

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.33.0


#2

Hi,

How did you get the certificate initially?
Did you use DNS validation?

Thank you


#3

Yes, the initial certificate was done manually with DNS validation.


#4

Unfortunately, because the philosophy of Let’s Encrypt includes a very strong belief in automation, the authors of certbot refuse to let you use certbot renew in an interactive manner.

You see, because you’ve used the manual plugin without any specific automated hooks (like the error says), certbot would like to ask you some stuff… Like, "Please add the following value to a TXT DNS record for _acme-challenge.blahblah".

Because you don’t have those hooks and certbot wants to ask you some questions, but the developers refuse to add the possibility to let certbot actually ask you those things when run in renew mode, you need to renew in another way.

The best way would be to automate certbot, either through one of the DNS plugins, if possible, or perhaps write your own script to add (and remove) the TXT records at your DNS provider and use those scripts through the hooks already mentioned in the error message.

Otherwise, you should run certbot without the renew, but with the same options that you used to get your certificates in the first place.

It’s a real pity the certbot developers are pretty stubborn. They don’t really understand that if people could renew automatically, they would. They don’t understand they are forcing users that can’t automate things to run certbot anyway, but in that case with more command line options and with more stuff to go wrong. Which makes life even MORE hard for the user.
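To make the hook mechanism from the error message concrete, here is an added example of a `--manual-auth-hook` / `--manual-cleanup-hook` script. It is not code from the thread or from certbot; it stands in for a DNS provider with a local file so it runs offline, and the `add_txt_record` / `remove_txt_record` functions are the hypothetical seam where a real provider's API call would go. The environment variables `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` are the ones certbot passes to manual hooks. Two points matter for a certificate like the one in this thread, which covers both a name and its wildcard: both validate at the same `_acme-challenge` label, so the auth hook must add a second TXT value rather than overwrite the first, and cleanup must remove only its own value.

```shell
#!/bin/sh
# Added example: a certbot manual DNS hook with a file-backed fake DNS zone.
# Invoke as "hook.sh auth" and "hook.sh cleanup"; replace the two record
# functions with real provider API calls (hypothetical seam, not a real API).
ZONE_STORE="${ZONE_STORE:-/tmp/acme-txt-records.txt}"

# Label certbot expects the TXT record under. A wildcard name (*.example.com)
# validates at the same label as the base name, so strip a leading "*.".
challenge_name() {
  base="${1#\*.}"
  printf '_acme-challenge.%s\n' "$base"
}

# Append, never overwrite: example.com and *.example.com in one certificate
# need two TXT values on the same label at the same time.
add_txt_record() {
  printf '%s\t%s\n' "$1" "$2" >> "$ZONE_STORE"
}

# Remove only the line matching both label and value, leaving other
# in-flight challenge values untouched.
remove_txt_record() {
  [ -f "$ZONE_STORE" ] || return 0
  grep -v -F -x "$(printf '%s\t%s' "$1" "$2")" "$ZONE_STORE" > "$ZONE_STORE.tmp" || true
  mv "$ZONE_STORE.tmp" "$ZONE_STORE"
}

# List the TXT values currently published for a label.
txt_values() {
  [ -f "$ZONE_STORE" ] || return 0
  awk -F'\t' -v n="$1" '$1 == n { print $2 }' "$ZONE_STORE"
}

# --manual-auth-hook entry point: publish the validation token.
auth_hook() {
  name=$(challenge_name "$CERTBOT_DOMAIN")
  add_txt_record "$name" "$CERTBOT_VALIDATION"
  # Give the provider time to publish before the CA queries; a production
  # hook would poll with dig against the provider's nameservers instead.
  sleep "${PROPAGATION_WAIT:-30}"
}

# --manual-cleanup-hook entry point: retract only this challenge's token.
cleanup_hook() {
  name=$(challenge_name "$CERTBOT_DOMAIN")
  remove_txt_record "$name" "$CERTBOT_VALIDATION"
}

case "${1:-}" in
  auth)    auth_hook ;;
  cleanup) cleanup_hook ;;
esac
```

With the script in place, the renewal becomes non-interactive, for example `certbot certonly --manual --preferred-challenges dns --manual-auth-hook '/path/hook.sh auth' --manual-cleanup-hook '/path/hook.sh cleanup' -d 'example.com' -d '*.example.com'` (quote the wildcard so the shell does not glob it), and `certbot renew` will reuse the hooks recorded in the renewal configuration.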


#5

Thank you for the helpful suggestions! It is a pity that the developers are so hard-nosed about it, especially since if I could automate the process, I would, but Go Daddy is somewhat against allowing customers to use tools for SSL other than buying the SSL service from them.

Anyway, since I was able to manually create the certificate a couple of months ago, how do you recommend that I get a new certificate from a local command line in order to port it over to Go Daddy? I have full access to the web server and the DNS settings.


#6

The same command that you used the first time. certbot might ask you if you want to renew it, just say ‘yes’.


#7

Hi @Geordon

your certificate has four domain names:

CN=oath.coach (5850), issued 18.01.2019, expires 18.04.2019 (expires in 2 days)
*.oath.coach, *.oathcoaching.com, oath.coach, oathcoaching.com - 4 entries

So start with

sudo certbot -d *.oath.coach -d *.oathcoaching.com -d oath.coach -d oathcoaching.com --manual

Perhaps add

-i apache

so the certificate is installed.


#8

Thank you, @JuergenAuer. I would have ended up getting there eventually, but I appreciate you filling me in with that command line. Just as a side note, when adding the --manual switch, certbot wants the command to start “certbot certonly --manual”.


#9

Digging through information floods allowed me to find the below article, which would allow you to use certbot manual mode with the GoDaddy DNS API. However, since that was posted half a year ago, it might be outdated. Please use it at your own discretion…

Thank you