Hello. I'm now trying to upgrade my domains, but there's an error. Not sure what this means. Does it mean I have to install Certbot for these domains again? Urgent...as our renewal needs to happen in the next 24 hours. Thank you so much for help!
Attempting to renew cert from /etc/letsencrypt/renewal/MYDOMAIN.io.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration. The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
You originally obtained the certificate using the --manual plugin. Unfortunately that's not compatible with automated renewal, unless you provide your own scripts to perform the "manual" steps automatically.
If you're in a hurry, you can renew the certificate now by requesting a new one the same way you obtained the original one, e.g. certbot certonly --manual or certbot-auto certonly --manual.
If you want help setting up automated renewal, please provide some more information about your setup (the template questions below appear when you post in the "Help" category):
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
How can I reset the certs on all these domains that may have been set up manually? It was done by my predecessor, so I don't know what command was executed.
We're on Nginx (1.10.3) on CentOS (7.3.1611). The domain is you-bank.org
Our domains (DNS) are managed at Digital Ocean. The server is a Digital Ocean box. The domains themselves (registrar) are at Amazon Route 53. I have access to the websites and for "challenge-response" can use either some HTML file or DNS.
What command should I use to reissue the certs so they continue to renew automatically in the future with a simple crontab command like "certbot renew"?
Actually I'm told this command was executed to create the certs:
certbot certonly -a webroot --webroot-path=/home/yb -d you-bank.org -d www.you-bank.org
So there was no mention of "--manual". Why did it get installed manually? Thank you for any recommendation on how we can fix this issue, and how to run this command properly for new domains in the future so they're auto-renewable.
I don't believe that command you were told was actually what was issued. Someone used the dns-01 challenge for this, which they appear to have manually set. If you change the corresponding lines as follows, it will match the command you showed, but this still looks wrong. It seems highly unlikely that your webroot path is actually /home/yb. You should verify this - it should point to the directory from which files are served for the root of your domain. Usually something like /var/www/html or /usr/share/nginx/html.
Thank you for this. This worked for the main domain you-bank.org. However, how can I do the same for a subdomain, apply.you-bank.org?
I entered the following into /etc/letsencrypt/renewal/apply.you-bank.org.conf:
# renew_before_expiry = 30 days
version = 0.14.1
archive_dir = /etc/letsencrypt/archive/apply.you-bank.org
cert = /etc/letsencrypt/live/apply.you-bank.org/cert.pem
privkey = /etc/letsencrypt/live/apply.you-bank.org/privkey.pem
chain = /etc/letsencrypt/live/apply.you-bank.org/chain.pem
fullchain = /etc/letsencrypt/live/apply.you-bank.org/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = webroot
webroot-path = /home/youbank
pref-challs = http-01,
installer = nginx
account = 51ab0aa536a6ad6568546ed62976de99
Note that this is a subdomain that will be pointed by CNAME to a whole different server, so the "webroot" is just fake. I don't technically need the webroot path, but don't know how to specify a CNAME domain.
So I now execute the command as I had done with the main domain, but now with the subdomain:
# certbot certonly -a webroot --webroot-path=/home/youbank -d apply.you-bank.org
This gives me a long winded error:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for apply.you-bank.org
Using the webroot path /home/youbank for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. apply.you-bank.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://apply.you-bank.org/.well-known/acme-challenge/Bhxuv-Cdomp__80VASH1hr8RZ0v_jtOna3PQLVKrYfw: "<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,max"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: apply.you-bank.org
Type: unauthorized
Detail: Invalid response from
http://apply.you-bank.org/.well-known/acme-challenge/Bhxuv-Cdomp__80VASH1hr8RZ0v_jtOna3PQLVKrYfw:
"<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta
name="viewport" content="width=device-width,initial-scale=1,max"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
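The two failure modes in this thread (a renewal file that still says `authenticator = manual` with no auth hook, so `certbot renew` skips it, and a `webroot-path` that is not where Nginx actually serves files) can both be caught before the cron job runs. The following is an added example written for this post, not certbot's own code. It assumes the `[renewalparams]` key names `manual_auth_hook` and `webroot_path`/`webroot-path` as they appear in `/etc/letsencrypt/renewal/*.conf`; the two config texts are constructed samples, not copied from the server above.

```python
"""Diagnose certbot renewal configs and sanity-check an http-01 webroot.

Added example, not certbot's code. Assumptions (not taken from the thread):
the [renewalparams] key names `manual_auth_hook` and `webroot_path`/`webroot-path`,
and that the constructed configs below are representative of what certbot writes.
"""
import configparser
import os
import secrets
import tempfile

# Constructed sample configs (not copied from any real server).
CONF_MANUAL_DNS = """\
# renew_before_expiry = 30 days
version = 0.14.1
archive_dir = /etc/letsencrypt/archive/example.org
cert = /etc/letsencrypt/live/example.org/cert.pem
[renewalparams]
authenticator = manual
pref-challs = dns-01,
account = 0123456789abcdef0123456789abcdef
"""

CONF_WEBROOT = """\
version = 0.14.1
archive_dir = /etc/letsencrypt/archive/example.org
[renewalparams]
authenticator = webroot
webroot-path = /home/yb
pref-challs = http-01,
installer = nginx
account = 0123456789abcdef0123456789abcdef
"""


def parse_renewal_conf(text):
    """Return (top-level options, [renewalparams] options) for one renewal file.

    certbot's renewal files have bare key=value lines before the first section,
    which configparser rejects, so a synthetic [top] header is prepended.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string("[top]\n" + text)
    params = dict(parser["renewalparams"]) if parser.has_section("renewalparams") else {}
    return dict(parser["top"]), params


def diagnose_renewal_conf(text, isdir=os.path.isdir):
    """List reasons why `certbot renew` would fail or skip this certificate."""
    _, params = parse_renewal_conf(text)
    auth = params.get("authenticator", "")
    problems = []
    if auth == "manual" and not params.get("manual_auth_hook"):
        problems.append("manual authenticator without manual_auth_hook: "
                        "non-interactive renewal is skipped")
    elif auth == "webroot":
        webroot = params.get("webroot_path") or params.get("webroot-path")
        if not webroot:
            problems.append("webroot authenticator without a webroot path")
        elif not isdir(webroot):
            problems.append(f"webroot path {webroot} is not a directory on this host")
    elif not auth:
        problems.append("no authenticator in [renewalparams]")
    return problems


def probe_webroot(webroot, token=None):
    """Drop a throwaway token where certbot would, so it can be fetched by hand.

    Returns (file_path, url_path); `curl http://<domain><url_path>` must return
    the token's contents, or http-01 cannot succeed from this webroot.
    """
    token = token or secrets.token_urlsafe(32)
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    file_path = os.path.join(challenge_dir, token)
    with open(file_path, "w") as fh:
        fh.write(token)
    return file_path, "/.well-known/acme-challenge/" + token


def demo_probe():
    """Run probe_webroot against a temporary webroot; returns (readback_ok, url_path)."""
    with tempfile.TemporaryDirectory() as webroot:
        file_path, url_path = probe_webroot(webroot, token="probe-token")
        with open(file_path) as fh:
            ok = fh.read() == "probe-token"
    return ok, url_path


if __name__ == "__main__":
    for name, conf in (("manual/dns-01", CONF_MANUAL_DNS), ("webroot", CONF_WEBROOT)):
        print(name, diagnose_renewal_conf(conf) or ["ok"])
    print(demo_probe())
```

Run `probe_webroot` against the real webroot on the Nginx box, then fetch the returned URL path over plain HTTP from outside; if you get the site's HTML instead of the token (as in the error above), the path is not the directory Nginx serves for that host, or the host is not this server at all.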
If the subdomain is pointed to another server (doesnât matter if itâs a CNAME or not) then you should normally run certbot on the other server to get a certificate for it.
Thank you @jmorahan. But it never worked that way. The https://subdomain.you-bank.org only works if our Nginx has some kind of SSL/cert enabled. Or am I missing something? The CNAME is at a DNS level. So technically a user's browser should already redirect https://subdomain.. link to the correct destination, if one enters the correct https. However, if one just enters http:// (without the httpS) then what happens? Will the DNS redirect to the http equivalent of the destination, and the logic to then 301 that to the httpS version is on that destination server too?
Yes (although that's not how I'd put it). If a user visits http://subdomain.you-bank.org their browser will look up the DNS for that subdomain. If it finds a CNAME it will follow that and do another lookup until it finds an IP address. Then it will connect to that IP address over HTTP, and it's up to that server to respond with a redirect to HTTPS.
You seem to be using Heroku for that subdomain, is that correct? And it seems to already have a Let's Encrypt certificate that's valid until March. Perhaps that's because Heroku provides automatic Let's Encrypt integration?
If you also want it to redirect from HTTP to HTTPS, you'll have to configure that in the software running on that subdomain; I suppose that would be either within Heroku's configuration or the app you're running there. I'm not familiar with Heroku but maybe someone else here is.
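The lookup described in the reply above (follow the CNAME until an A record, then connect there) is what decides which machine has to answer an http-01 request, so it is worth seeing as code. This is an added example, not part of the thread; the zone is constructed, the Heroku-style target name is invented, and the addresses are from RFC 5737 documentation ranges.

```python
"""Follow a CNAME chain the way a resolver does, over a constructed zone.

Added example, not from the thread. The zone is made up; the A target names
and IPs are placeholders.
"""
MAX_HOPS = 8

# Constructed records: owner name -> (type, value). Not real DNS data.
ZONE = {
    "you-bank.org.": ("A", "203.0.113.10"),
    "www.you-bank.org.": ("CNAME", "you-bank.org."),
    "apply.you-bank.org.": ("CNAME", "app-12345.herokudns.example."),
    "app-12345.herokudns.example.": ("A", "198.51.100.7"),
    "loop-a.example.": ("CNAME", "loop-b.example."),
    "loop-b.example.": ("CNAME", "loop-a.example."),
}


def resolve_address(name, zone=ZONE, max_hops=MAX_HOPS):
    """Return (ip, chain) where chain lists every name consulted in order.

    Raises LookupError on NXDOMAIN, a CNAME loop, or too many hops; real
    resolvers apply the same hop limit so a mis-set CNAME fails fast.
    """
    chain = [name]
    for _ in range(max_hops):
        record = zone.get(name)
        if record is None:
            raise LookupError(f"NXDOMAIN: {name}")
        rtype, value = record
        if rtype == "A":
            return value, chain
        if rtype != "CNAME":
            raise LookupError(f"unexpected {rtype} record for {name}")
        if value in chain:
            raise LookupError("CNAME loop: " + " -> ".join(chain + [value]))
        chain.append(value)
        name = value
    raise LookupError(f"more than {max_hops} CNAME hops from {chain[0]}")


def http01_host(name, zone=ZONE):
    """Which host must serve http://<name>/.well-known/acme-challenge/<token>.

    It is the A target at the end of the chain, so certbot (or the hosting
    platform's own ACME client) has to run there, not on the machine where the
    CNAME was configured.
    """
    ip, chain = resolve_address(name, zone)
    return {"asked": name, "serves": chain[-1], "ip": ip}


if __name__ == "__main__":
    for qname in ("www.you-bank.org.", "apply.you-bank.org."):
        print(http01_host(qname))
    try:
        resolve_address("loop-a.example.")
    except LookupError as err:
        print(err)
```

For the thread's case, `apply.you-bank.org` resolves to the platform's address, so the challenge file placed under `/home/youbank` on the Digital Ocean box is never fetched; the HTML in the error is the platform's page answering instead.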