When renew Domain cert use DNS API

nicelizhi · May 14, 2018, 5:21am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

mote001.com

I ran this command:

./certbot-auto renew

It produced this output:

Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,)
Attempting to renew cert (mote001.com-0001) from /etc/letsencrypt/renewal/mote001.com-0001.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mote001.com-0001/fullchain.pem (failure)

My web server is (include version):

Nginx

The operating system my web server runs on is (include version):

centos 6.9

My hosting provider, if applicable, is:

net.cn

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

My config

renew_before_expiry = 30 days

version = 0.22.0
archive_dir = /etc/letsencrypt/archive/mote001.com-0001
cert = /etc/letsencrypt/live/mote001.com-0001/cert.pem
privkey = /etc/letsencrypt/live/mote001.com-0001/privkey.pem
chain = /etc/letsencrypt/live/mote001.com-0001/chain.pem
fullchain = /etc/letsencrypt/live/mote001.com-0001/fullchain.pem

Options used in the renewal process

[renewalparams]
manual_public_ip_logging_ok = True
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = manual

Thank you All

schoen · May 14, 2018, 5:26am

Hi @nicelizhi,

Do you have an API for updating your DNS records?

The error message says that you haven’t configured Certbot to use a particular DNS API, but instead that you obtained the certificate by making the changes to the DNS records manually. If so, then you’ll need to use the same command that you originally ran in order to renew your certificate.

The certbot renew command only performs non-interactive renewals. So, it doesn’t have a way to stop and prompt you to perform DNS updates at the appropriate moment in the renewal process.

If you configure Certbot to use a DNS provider API, certbot renew can perform an unattended renewal.

nicelizhi · May 14, 2018, 5:33am

@schoen Thank you your reply!

This is my create cert command. but now i want renew it. how do it ?

./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d “*.mote001.com” --manual --preferred-challenges dns-01 certonly

Than you

schoen · May 14, 2018, 6:00am

You can run that same command again.

nicelizhi · May 14, 2018, 6:10am

@schoen Thank you ,I do it ,it ok now.

if i want renew auto, what do i need to do ?

Thank you

rg305 · May 14, 2018, 6:51am

You want it “automated” and “--manual” …

That seems to be a contradiction - but I could be wrong.

nicelizhi · May 14, 2018, 8:43am

@rg305 Thank you your reply

I try it.

stevenzhu · May 14, 2018, 1:40pm

Hi,

I’m afraid you would need to spend lots of time making / finding API scripts since there is no scripts now…

Thank you

danb35 · May 14, 2018, 2:57pm

...or implement acme-dns...

Edit: Or, I guess, use the one at auth.acme-dns.io.

schoen · May 14, 2018, 4:11pm

In Certbot, you can use --manual automatically with an auth script, which is the traditional way to do automated DNS API renewals. However, you need to have an auth script that works with your DNS provider's API.

Nowadays there are also some more DNS API plugins, again for specific DNS providers' APIs.

If your DNS provider doesn't provide an API (or a supported API), you can also use a CNAME of the _acme-challenge record to a different DNS provider, including that acme-dns instance or CloudFlare or a number of other options. Then you can use the DNS API with the provider that's the target of the CNAME.

rg305 · May 14, 2018, 8:12pm

Now that is a really neat trick!

schoen · May 14, 2018, 8:34pm

We have quite a few forum threads discussing it in various situations:

https://community.letsencrypt.org/search?q=acme-challenge%20cname

Often we’ve suggested this when people have DNS hosting that has no API, but lets them create static records. Arguably, it has an overall security benefit to use this in every case (because then you don’t have to give your Let’s Encrypt client application DNS API credentials that could be used change your main site’s A and MX records!). This is also why the acme-dns tool exists (so that you can host your own mini-DNS server that can be updated via an API after setting a CNAME for the _acme-challenge TXT record).

system · June 13, 2018, 8:34pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.