Why won't certbot renew my SSL certificate?
I ran the following commands:
sudo service nginx stop
sudo /usr/bin/certbot renew
And I received the following messages during the renewal:
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert ($DOMAIN.com) from /etc/letsencrypt/renewal/$DOMAIN.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
And later on,
The following certs were successfully renewed:
/etc/letsencrypt/live/test.$DOMAIN.com/fullchain.pem (success)
The following certs could not be renewed:
/etc/letsencrypt/live/$DOMAIN.com/fullchain.pem (failure)
In my letsencrypt.log file I see the following:
2019-12-20 11:18:44,423:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2019-12-20 11:18:44,423:DEBUG:certbot.plugins.selection:Requested authenticator manual and installer None
2019-12-20 11:18:44,425:DEBUG:certbot.plugins.disco:Other error:(PluginEntryPoint#manual): An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/plugins/disco.py", line 130, in prepare
    self._initialized.prepare()
  File "/usr/lib/python2.7/site-packages/certbot/plugins/manual.py", line 90, in prepare
    self.option_name('auth-hook')))
PluginError: An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
What is causing this? Why is test.$DOMAIN.com renewing the SSL certificate, but not $DOMAIN.com?
1 Reply
It looks like this might be an error with the configuration of your auto-renewal script.
Doing a bit of digging, it appears the issue is that sudo /usr/bin/certbot renew is a noninteractive command. I believe you should be able to run the following command:
certbot certonly --manual -d $DOMAIN.com
As for why the subdomain was able to renew but not the main domain, I would recommend reviewing /etc/letsencrypt/renewal/$DOMAIN.com.conf and comparing it to /etc/letsencrypt/renewal/test.$DOMAIN.com.conf to see if there are any differences between how the two were created. Specifically, I would see if /etc/letsencrypt/renewal/test.$DOMAIN.com.conf includes a line that mentions --manual-auth-hook or even just auth-hook that is not included in the /etc/letsencrypt/renewal/$DOMAIN.com.conf file. You can read more about editing that file at the certbot documentation page. This section specifically talks about pre and post validation hooks which is mentioned in the error you received.
I hope this helps point you in the right direction. If you have any other questions, comments, or concerns, please don't hesitate to let us know.
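The comparison suggested in the reply above can be scripted; the following is an added example, not part of the original thread and not certbot's own code. It assumes the renewal files keep authenticator and manual_auth_hook as keys under [renewalparams]; the function names and the sample config are constructed for illustration.

```python
from pathlib import Path
import shlex
import shutil

def parse_renewalparams(text):
    """Return key/value pairs from the [renewalparams] section of a renewal conf."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            section = line.strip("[]").strip()
        elif section == "renewalparams" and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def renewal_problem(text):
    """Return why a non-interactive `certbot renew` would fail, or None."""
    params = parse_renewalparams(text)
    if params.get("authenticator") != "manual":
        return None  # only the manual plugin requires an auth hook
    hook = params.get("manual_auth_hook", "")
    if hook in ("", "None"):  # key absent, empty, or stored as the literal None
        return "manual authenticator without manual_auth_hook"
    if shutil.which(shlex.split(hook)[0]) is None:
        return "manual_auth_hook command not found or not executable"
    return None

def scan(renewal_dir="/etc/letsencrypt/renewal"):
    """Map lineage name -> problem; lineages that look fine are omitted."""
    problems = {}
    for conf in sorted(Path(renewal_dir).glob("*.conf")):
        reason = renewal_problem(conf.read_text(encoding="utf-8"))
        if reason:
            problems[conf.stem] = reason
    return problems

# Constructed sample (not from the thread): a lineage issued with --manual and no hook.
SAMPLE_MANUAL_NO_HOOK = """\
archive_dir = /etc/letsencrypt/archive/example.com
[renewalparams]
authenticator = manual
"""

if __name__ == "__main__":
    for name, reason in scan().items():
        print(f"{name}: {reason}")
```

Reading /etc/letsencrypt/renewal normally requires root, so run the script with the same privileges as certbot.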