When renew Domain cert use DNS API


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

mote001.com

I ran this command:

./certbot-auto renew

It produced this output:

Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,)
Attempting to renew cert (mote001.com-0001) from /etc/letsencrypt/renewal/mote001.com-0001.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mote001.com-0001/fullchain.pem (failure)

My web server is (include version):

Nginx

The operating system my web server runs on is (include version):

centos 6.9

My hosting provider, if applicable, is:

net.cn

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

My config

renew_before_expiry = 30 days

version = 0.22.0
archive_dir = /etc/letsencrypt/archive/mote001.com-0001
cert = /etc/letsencrypt/live/mote001.com-0001/cert.pem
privkey = /etc/letsencrypt/live/mote001.com-0001/privkey.pem
chain = /etc/letsencrypt/live/mote001.com-0001/chain.pem
fullchain = /etc/letsencrypt/live/mote001.com-0001/fullchain.pem

Options used in the renewal process

[renewalparams]
manual_public_ip_logging_ok = True
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = manual

Thank you All


#2

Hi @nicelizhi,

Do you have an API for updating your DNS records?

The error message says that you haven’t configured Certbot to use a particular DNS API, but instead that you obtained the certificate by making the changes to the DNS records manually. If so, then you’ll need to use the same command that you originally ran in order to renew your certificate.

The certbot renew command only performs non-interactive renewals. So, it doesn’t have a way to stop and prompt you to perform DNS updates at the appropriate moment in the renewal process.

If you configure Certbot to use a DNS provider API, certbot renew can perform an unattended renewal.


#3

@schoen Thank you your reply!

This is my create cert command. but now i want renew it. how do it ?

./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d “*.mote001.com” --manual --preferred-challenges dns-01 certonly

Than you


#4

You can run that same command again.


#5

@schoen Thank you ,I do it ,it ok now.

if i want renew auto, what do i need to do ?

Thank you


#6

You want it “automated” and “--manual” …

That seems to be a contradiction - but I could be wrong.


#7

@rg305 Thank you your reply

I try it.


#8

Hi,

I’m afraid you would need to spend lots of time making / finding API scripts since there is no scripts now…

Thank you


#9

…or implement acme-dns…

Edit: Or, I guess, use the one at auth.acme-dns.io.


#10

In Certbot, you can use --manual automatically with an auth script, which is the traditional way to do automated DNS API renewals. However, you need to have an auth script that works with your DNS provider’s API.

Nowadays there are also some more DNS API plugins, again for specific DNS providers’ APIs.

If your DNS provider doesn’t provide an API (or a supported API), you can also use a CNAME of the _acme-challenge record to a different DNS provider, including that acme-dns instance or CloudFlare or a number of other options. Then you can use the DNS API with the provider that’s the target of the CNAME.


#11

Now that is a really neat trick!


#12

We have quite a few forum threads discussing it in various situations:

https://community.letsencrypt.org/search?q=acme-challenge%20cname

Often we’ve suggested this when people have DNS hosting that has no API, but lets them create static records. Arguably, it has an overall security benefit to use this in every case (because then you don’t have to give your Let’s Encrypt client application DNS API credentials that could be used change your main site’s A and MX records!). This is also why the acme-dns tool exists (so that you can host your own mini-DNS server that can be updated via an API after setting a CNAME for the _acme-challenge TXT record).


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.