Unable to renew a Certbot NGINX certificate

I have a NGINX server and I use Certbot to generate a Let's Encrypt certificate. I saw that my certificate was not renewing automatically despite the cron I had set up. I tried to renew it manually but I have an error.

My domain is: testpbx.kabia.eu

I ran this command:

certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/testpbx.kabia.eu
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (testpbx.kabia.eu) from /etc/letsencrypt/renewal/testpbx.kabia.eu produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/testpbx.kabia.eu/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/testpbx.kabia.eu/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

I ran this command:

apt install python3-certbot-nginx

It produced this output:

E: The package "python3-certbot-nginx" has no version that can be installed 

My web server is (include version): nginx version: nginx/1.14.2

The operating system my web server runs on is (include version): Debian 10

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

Welcome to the community @ProfChen

There are several things I see.

  1. You chose the manual option to get your original cert. You can manually re-run the same command you used originally to get another cert. To allow automated renew you must use the proper hook for the manual method. See these docs

  2. The HTTP challenge requires port 80 to be open on your server. Your port 80 is "filtered" so is not open. A firewall may be blocking. I see you do have port 443 open.

  3. You say you have nginx server but I see an Apache server responding to HTTPS (port 443) requests. Although, the cert returned for testpbs.kabia.eu expired on Feb16 and only has domain names related to cloud-kabia (not testpbx.kabia)

  4. Your Debian 10 system should support a snap install for certbot. Your 0.31.0 version is getting old. See these docs.

If this is not enough to resolve your problems please describe your system better and what you are trying to do.

4 Likes