Unable to renew a standalone certificate

Animesh_Bulusu · September 13, 2017, 5:50am

I ran this command: sudo certbot renew

It produced this output:

Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (animesh.blog) from /etc/letsencrypt/renewal/animesh.blog.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

My web server is (include version): standalone

The operating system my web server runs on is (include version): Debian Testing

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

My SSL certificate is due for renewal by tomorrow. I just tried to renew it and got the above error. This will be the first renewal. Initially I created the certificate successfully using the following command and then uploaded a .well-known/filename file onto my site for verification.

sudo certbot certonly --standalone -d animesh.blog

Kindly let me know if this can be fixed and how or if I need to go for a new certificate.

Thanks

jared.m · September 13, 2017, 6:53am

Are you sure you used that exact command originally? Standalone would not have you place a challenge file in that directory.

Could you please post the contents of /etc/letsencrypt/renewal/animesh.blog.conf?

Animesh_Bulusu · September 13, 2017, 7:07am

I was under the impression I did it this way. I have nginx installed in my laptop at that time, but I am not really sure I used the nginx way.

May using - manual way? I am not remembering unfortunately.

Here is the animesh.blog.conf

# renew_before_expiry = 30 days
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/animesh.blog
cert = /etc/letsencrypt/live/animesh.blog/cert.pem
privkey = /etc/letsencrypt/live/animesh.blog/privkey.pem
chain = /etc/letsencrypt/live/animesh.blog/chain.pem
fullchain = /etc/letsencrypt/live/animesh.blog/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = manual
installer = None
account = ...

jared.m · September 13, 2017, 7:12am

Yup, that's the issue! You can't really use manual mode for automated (scripted) renewals because it requires you to manually do something! (Well, you can, but it requires flags telling Certbot what commands to execute during the manual phase, which you would normally do yourself.)

So, let's start with some basics. What's your setup like? Is there a reason you went with manual? I would typically recommend webroot, apache, or nginx in most cases. Standalone is an option, but requires stopping your webserver during the process, so that's normally not preferable.

Animesh_Bulusu · September 13, 2017, 7:19am

I followed the steps from the gitlab article

where it says

Since we are running on GitLab's servers instead, we have to do a bit of manual work:

$ ./letsencrypt-auto certonly -a manual -d YOURDOMAIN.org

I ran this with certbot instead of letsencrypt-auto, I think.

I set this up on my laptop running Debian Testing. I have nginx up and running all time but I don't use it to run the blog locally.

schoen · September 13, 2017, 4:57pm

If you want automated renewals, you’ll have to find a way to script the authentication process. (Otherwise, you can manually re-run the same command that you used to obtain the certificate, which will perform a manual renewal.) Is that tutorial accurate for your setup? Is your domain hosted on GitLab’s servers instead of your own servers?

Animesh_Bulusu · September 14, 2017, 1:23am

Domain is hosted by iwantmyname.com and only the blog is hosted on gitlab, but the tutorial still worked for me as I could create it initially. I will try running the command again and get back to you.

Animesh_Bulusu · September 14, 2017, 2:31am

Yes, my blog is a static blog deployed to gitlab servers automatically after every push. In gitlab settings, there is a page to add the .pem file manually

I just ran the following command and uploaded the acme challenge file as instructed and it renewed the certifcate successfully

sudo certbot certonly -a manual -d animesh.blog

Cert is due for renewal, auto-renewing...
Renewing an existing certificate
...
To non-interactively renew *all* of your certificates, run
"certbot renew"

So I guess this is the only way to renew for a cert created manually. Then to paste again the .pem files in gitlab settings manually is quite inconvenient. I will have to find a way to script the authentication process.

system · October 14, 2017, 2:31am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.