Urgent: Error in renewal

Hello. I'm now trying to upgrade my domains, but there's an error. Not sure what this means. Does it mean I have to install Certbot for these domains again? Urgent...as our renewal needs to happen in the next 24 hours. Thank you so much for help!

Attempting to renew cert from /etc/letsencrypt/renewal/MYDOMAIN.io.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration. The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

You originally obtained the certificate using the --manual plugin. Unfortunately that’s not compatible with automated renewal, unless you provide your own scripts to perform the “manual” steps automatically.

If you’re in a hurry, you can renew the certificate now by requesting a new one the same way you obtained the original one, e.g. certbot certonly --manual or certbot-auto certonly --manual.

If you want help setting up automated renewal, please provide some more information about your setup (the template questions below appear when you post in the “Help” category):

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


How can I reset the certs on all these domains that may have been set up manually? It was done by my predecessor, so I don’t know what command was executed.

We’re on Nginx (1.10.3) on CentOS (7.3.1611). The domain is you-bank.org

Our domains (DNS) are managed at Digital Ocean. The server is a Digital Ocean box. The domains themselves (registrar) are at Amazon Route 53. I have access to the websites and for ‘challenge-response’ can use either some HTML file or DNS.

What command should I use to reissue the certs so they continue to renew automatically in the future with a simple crontab command like “certbot renew”?

Thank you.

Actually I’m told this command was executed to create the certs:

certbot certonly -a webroot --webroot-path=/home/yb -d you-bank.org -d www.you-bank.org

So there was no mention of “--manual”. Why did it get installed manually? Thank you for any recommendation on how we can fix this issue, and how to run this command properly for new domains in the future so they’re auto-renewable.

I notice a file was automatically created at /etc/letsencrypt/renewal/you-bank.org.conf

It contains the following:

# Options used in the renewal process
authenticator = manual
installer = None
account = 51ab0aa536a6ad6568546ed62976de99
pref_challs = dns-01,
manual_public_ip_logging_ok = True

Is there any way I can just edit this file and change the cert update to automatic?

I don’t believe that command you were told was actually what was issued. Someone used the dns-01 challenge for this, which they appear to have manually set. If you change the corresponding lines as follows, it will match the command you showed, but this still looks wrong. It seems highly unlikely that your webroot path is actually /home/yb. You should verify this - it should point to the directory from which files are served for the root of your domain. Usually something like /var/www/html or /usr/share/nginx/html.

authenticator = webroot
webroot-path = /home/yb
pref-challs = http-01,

You might also consider setting installer = nginx or installer = apache, so that the certificates will be reloaded automatically.

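The reply above says the fix is to make the renewal conf match an authenticator that can run unattended (webroot rather than manual without a hook) and to verify that the webroot path really exists. As an added example, not code from the thread or from Certbot, here is a small POSIX shell audit that classifies a renewal conf along exactly those lines. It assumes the "key = value" layout shown in the thread, accepts both the underscore (webroot_path, as Certbot writes it) and hyphen (webroot-path, as typed in the reply) spellings, and treats a manual authenticator without a manual_auth_hook entry as the case that produces the "authentication script must be provided" error quoted at the top of the thread.

```shell
#!/bin/sh
# Added example, not part of the thread or of Certbot itself.
# Audits /etc/letsencrypt/renewal/*.conf style files for settings that
# make unattended "certbot renew" fail. Assumes "key = value" lines.

# Print the value of a key from a renewal conf (first match, trimmed).
# $1 = conf file, $2 = key name (underscores or hyphens, no regex chars)
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Classify one renewal conf. Prints exactly one of:
#   manual-no-hook   manual authenticator and no manual_auth_hook:
#                    this is the configuration that breaks "certbot renew"
#   manual-hooked    manual authenticator with an auth hook (renewable)
#   webroot-missing  webroot authenticator but the path is unset or absent
#   webroot-ok       webroot authenticator and the directory exists
#   other            any other authenticator (nginx, apache, a DNS plugin)
check_renewal_conf() {
    conf="$1"
    auth=$(conf_get "$conf" authenticator)
    case "$auth" in
        manual)
            if [ -n "$(conf_get "$conf" manual_auth_hook)" ]; then
                echo manual-hooked
            else
                echo manual-no-hook
            fi
            ;;
        webroot)
            # Certbot writes webroot_path; the thread also shows webroot-path.
            wr=$(conf_get "$conf" webroot_path)
            [ -z "$wr" ] && wr=$(conf_get "$conf" webroot-path)
            if [ -n "$wr" ] && [ -d "$wr" ]; then
                echo webroot-ok
            else
                echo webroot-missing
            fi
            ;;
        *)
            echo other
            ;;
    esac
}

# Usage: ./audit-renewal.sh /etc/letsencrypt/renewal/*.conf
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(check_renewal_conf "$f")"
    done
fi
```

A result of webroot-missing is the case the reply warns about: a path such as /home/yb that no web server actually serves will make the http-01 challenge fail at renewal time even though the conf looks complete.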

Thank you for this. This worked for the main domain you-bank.org. However, how can I do the same for a subdomain, apply.you-bank.org?

I entered the following into /etc/letsencrypt/renewal/apply.you-bank.org.conf

# renew_before_expiry = 30 days
version = 0.14.1
archive_dir = /etc/letsencrypt/archive/apply.you-bank.org
cert = /etc/letsencrypt/live/apply.you-bank.org/cert.pem
privkey = /etc/letsencrypt/live/apply.you-bank.org/privkey.pem
chain = /etc/letsencrypt/live/apply.you-bank.org/chain.pem
fullchain = /etc/letsencrypt/live/apply.you-bank.org/fullchain.pem

# Options used in the renewal process
authenticator = webroot
webroot-path = /home/youbank
pref-challs = http-01,
installer = nginx
account = 51ab0aa536a6ad6568546ed62976de99

Note that this is a subdomain that will be pointed by CNAME to a whole different server, so the ‘webroot’ is just fake. I don’t technically need the webroot path, but don’t know how to specify a CNAME domain.

So I now execute the command as I had done with the main domain, but now with the subdomain:

# certbot certonly -a webroot --webroot-path=/home/youbank -d apply.you-bank.org

This gives me a long winded error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for apply.you-bank.org
Using the webroot path /home/youbank for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. apply.you-bank.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://apply.you-bank.org/.well-known/acme-challenge/Bhxuv-Cdomp__80VASH1hr8RZ0v_jtOna3PQLVKrYfw: "<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,max"

 - The following errors were reported by the server:

   Domain: apply.you-bank.org
   Type:   unauthorized
   Detail: Invalid response from
   "<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta
   name="viewport" content="width=device-width,initial-scale=1,max"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Not sure what to do this with this error?

If the subdomain is pointed to another server (doesn’t matter if it’s a CNAME or not) then you should normally run certbot on the other server to get a certificate for it.

Thank you @jmorahan. But it never worked that way. The https://subdomain.you-bank.org only works if our Nginx has some kind of SSL/cert enabled. Or am I missing something? The CNAME is at a DNS level. So technically a user’s browser should already redirect the https://subdomain.. link to the correct destination, if one enters the correct https. However, if one just enters http:// (without the httpS) then what happens? Will the DNS redirect to the http equivalent of the destination, and the logic to then 301 that to the httpS version is on that destination server too?

Yes (although that's not how I'd put it). If a user visits http://subdomain.you-bank.org their browser will look up the DNS for that subdomain. If it finds a CNAME it will follow that and do another lookup until it finds an IP address. Then it will connect to that IP address over HTTP, and it's up to that server to respond with a redirect to HTTPS.

You seem to be using Heroku for that subdomain, is that correct? And it seems to already have a Let's Encrypt certificate that's valid until March. Perhaps that's because Heroku provides automatic Let's Encrypt integration?

If you also want it to redirect from HTTP to HTTPS, you'll have to configure that in the software running on that subdomain; I suppose that would be either within Heroku's configuration or the app you're running there. I'm not familiar with Heroku but maybe someone else here is.
