Unable to renew my wildcard domain certificate

Dear Sirs, I have the following problem and I am kindly asking for your help. Thanks

My domain is: biogr.gr and *.biogr.gr

I ran this command: from cron: /usr/bin/certbot renew --post-hook 'service postfix restart; service nginx restart; service dovecot restart'

It produced this output:
Processing /etc/letsencrypt/renewal/biogr.gr.conf

Cert is due for renewal, auto-renewing...
Non-interactive renewal: random delay of 433.6889597711228 seconds
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (biogr.gr) from /etc/letsencrypt/renewal/biogr.gr.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/biogr.gr/fullchain.pem (failure)

And from /var/log/letsencrypt/letsencrypt.log:
Please see it below marked as: ===== copy part of the log file =====

My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 1.1.1f 31 Mar 2020

The operating system my web server runs on is (include version): Ubuntu server 20.04.1

My hosting provider, if applicable, is: contabo

I can login to a root shell on my machine (yes or no, or I don't know): Yes, full root access

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No, just ssh root access

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0 installed using apt install ...

===== copy part of the log file =====
2020-09-11 05:52:58,950:DEBUG:certbot.main:certbot version: 0.40.0
2020-09-11 05:52:58,951:DEBUG:certbot.main:Arguments: ['-q']
2020-09-11 05:52:58,952:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-09-11 05:52:58,986:DEBUG:certbot.log:Root logging level set at 30
2020-09-11 05:52:58,986:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-09-11 05:52:59,021:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7ff475766d30> and installer <certbot.cli._Default object at 0x7ff475766d30>
2020-09-11 05:52:59,049:INFO:certbot.renewal:Cert not yet due for renewal
2020-09-11 05:52:59,050:DEBUG:certbot.plugins.selection:Requested authenticator manual and installer None
2020-09-11 05:52:59,057:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2020-10-08 09:40:48 UTC.
2020-09-11 05:52:59,058:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2020-09-11 05:52:59,058:INFO:certbot.renewal:Non-interactive renewal: random delay of 468.94089873584716 seconds
2020-09-11 06:00:48,057:DEBUG:certbot.plugins.selection:Requested authenticator manual and installer None
2020-09-11 06:00:48,063:DEBUG:certbot.plugins.disco:Other error:(PluginEntryPoint#manual): An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/plugins/disco.py", line 130, in prepare
self._initialized.prepare()
File "/usr/lib/python3/dist-packages/certbot/plugins/manual.py", line 87, in prepare
raise errors.PluginError(
certbot.errors.PluginError: An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
2020-09-11 06:00:48,069:DEBUG:certbot.plugins.selection:No candidate plugin
2020-09-11 06:00:48,069:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
2020-09-11 06:00:48,070:INFO:certbot.main:Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
2020-09-11 06:00:48,072:WARNING:certbot.renewal:Attempting to renew cert (biogr.gr) from /etc/letsencrypt/renewal/biogr.gr.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
2020-09-11 06:00:48,080:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 449, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1202, in renew_cert
installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
File "/usr/lib/python3/dist-packages/certbot/plugins/selection.py", line 235, in choose_configurator_plugins
diagnose_configurator_problem("authenticator", req_auth, plugins)
File "/usr/lib/python3/dist-packages/certbot/plugins/selection.py", line 339, in diagnose_configurator_problem
raise errors.PluginSelectionError(msg)
certbot.errors.PluginSelectionError: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')

2020-09-11 06:00:48,081:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2020-09-11 06:00:48,082:ERROR:certbot.renewal: /etc/letsencrypt/live/biogr.gr/fullchain.pem (failure)
2020-09-11 06:00:48,083:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in <module>
load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1287, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 473, in handle_renewal_request
raise errors.Error("{0} renew failure(s), {1} parse failure(s)".format(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

=====

1 Like

Hi @mikekgr

you have created that certificate with --manual.

So you can't use renew.

Use the complete command with --manual again.

May be with the --cert-name option, so your current certificate name is re-used.

See

https://certbot.eff.org/docs/using.html

1 Like

Dear Sir,
thanks a lot for your reply. I will follow your suggestion, but please tell me: what can I do in order to have auto update again, even if my initial way was manual?

Thanks and Best Regards,
Mike Kranidis

1 Like

Looks like you can't.

See your check, one month old - https://check-your-website.server-daten.de/?q=biogr.gr

Your name server ns04.iphost.gr must support an API and you have to use a client that supports that API.

Or you use one of these special clients (I'm not firm with these) with a CNAME and an own service support to create the required TXT entries.

1 Like

Many thanks again.
Have a nice day !

1 Like

It might be possible to script together a script which can add and remove TXT records with generic HTTPS clients which would talk to your DNS control panel, just like you would in your browser.

But because every DNS zone control panel is different, this is something you really would need to find out yourself, as chances are very slim someone already did this for your DNS company.

These scripts then can be used to automate the manual plugin.

1 Like
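The reply above describes the shape of the fix: a script that adds the `_acme-challenge` TXT record, another that removes it, and certbot's manual plugin calling them via `--manual-auth-hook` and `--manual-cleanup-hook` so that `certbot renew` no longer aborts with the "authentication script must be provided" error seen in the log. The following is an added example (not code from the thread or from the Certbot project) of such a hook script. It relies on the real certbot behaviour of exporting `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` to the hooks; the `dns_api` function is a hypothetical placeholder that has to be replaced with whatever the zone's control panel or API actually accepts, which, as the reply notes, is provider-specific.

```shell
#!/bin/sh
# Added example, not from the thread: auth/cleanup hook for certbot's manual
# plugin so DNS-01 wildcard renewal runs unattended from cron.
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks.
set -eu

# TXT record name for DNS-01. certbot hands the hook the base domain even for
# a wildcard name, but strip a leading "*." defensively in case it does not.
txt_record_name() {
    base=${1#\*.}
    printf '_acme-challenge.%s\n' "$base"
}

# Hypothetical provider call (placeholder): replace the body with the real
# API or HTTP request for the DNS zone. Arguments: add|del, record name, value.
dns_api() {
    echo "dns_api $1 $2 $3" >&2
}

# Poll a public resolver until the TXT value is visible before returning
# control to certbot, so the CA's lookup does not race the zone update.
# Bounded: gives up after $3 tries (default 30, 10 s apart) and fails the hook.
wait_for_txt() {
    name=$1; value=$2; tries=${3:-30}
    while [ "$tries" -gt 0 ]; do
        if dig +short TXT "$name" @8.8.8.8 2>/dev/null | grep -Fq "\"$value\""; then
            return 0
        fi
        tries=$((tries - 1)); sleep 10
    done
    echo "TXT record $name not visible after waiting; aborting" >&2
    return 1
}

auth_hook() {
    name=$(txt_record_name "$CERTBOT_DOMAIN")
    dns_api add "$name" "$CERTBOT_VALIDATION"
    wait_for_txt "$name" "$CERTBOT_VALIDATION"
}

cleanup_hook() {
    name=$(txt_record_name "$CERTBOT_DOMAIN")
    dns_api del "$name" "$CERTBOT_VALIDATION"
}

# Dispatch on the first argument so one file serves as both hooks.
case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
esac
```

With the script installed as, say, /usr/local/bin/acme-dns-hook.sh (path assumed), the certificate would be re-issued once interactively with the hooks attached and the existing lineage name kept, as suggested earlier in the thread: `certbot certonly --manual --preferred-challenges dns --manual-auth-hook '/usr/local/bin/acme-dns-hook.sh auth' --manual-cleanup-hook '/usr/local/bin/acme-dns-hook.sh cleanup' --cert-name biogr.gr -d biogr.gr -d '*.biogr.gr'`. certbot records the hook settings in the renewal configuration, so the existing cron job's `certbot renew` then has an authentication script to run; `certbot renew --dry-run` against the staging environment is the way to confirm that before the real expiry date. The hook receives the validation token, so it should be readable only by root and should not log the DNS credentials it uses.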

Is the benefit really worth all the work required to get it to work without an API?
Seems like without some API type standard to make the transaction cohesive, this is a shot in the dark and quite possibly then a nightmare to maintain; as the slightest change could break your script [start over].

[But I did wake up with my pessimist hat on today - LOL]

1 Like

A better alternative might be acme-dns.

2 Likes

Many Thanks to all of you for the helping hand.

Best Regards

2 Likes
