Why won't certbot renew my SSL certificate?

Linode Staff

I ran the following commands:

sudo service nginx stop
sudo /usr/bin/certbot renew

And I received the following messages during the renewal:

Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert ($DOMAIN.com) from /etc/letsencrypt/renewal/$DOMAIN.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

And later on,

The following certs were successfully renewed:
/etc/letsencrypt/live/test.$DOMAIN.com/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/$DOMAIN.com/fullchain.pem (failure)

In my letsencrypt.log file I see the following:

2019-12-20 11:18:44,423:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2019-12-20 11:18:44,423:DEBUG:certbot.plugins.selection:Requested authenticator manual and installer None
2019-12-20 11:18:44,425:DEBUG:certbot.plugins.disco:Other error:(PluginEntryPoint#manual): An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/plugins/disco.py", line 130, in prepare
    self._initialized.prepare()
  File "/usr/lib/python2.7/site-packages/certbot/plugins/manual.py", line 90, in prepare
    self.option_name('auth-hook')))
PluginError: An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.

What is causing this? Why is test.$DOMAIN.com renewing the SSL certificate, but not $DOMAIN.com?

1 Reply

Linode Staff

It looks like this might be an error with the configuration of your auto-renewal script.
Doing a bit of digging, it appears the issue is that sudo /usr/bin/certbot renew is a noninteractive command. I believe you should be able to run the following command:

certbot certonly --manual -d $DOMAIN.com

As for why the subdomain was able to renew, but not the main domain I would recommend reviewing /etc/letsencrypt/renewal/$DOMAIN.com.conf and comparing it to /etc/letsencrypt/renewal/test.$DOMAIN.com.conf to see if there are any difference between how the two were created. Specifically I would see if /etc/letsencrypt/renewal/test.$DOMAIN.com.conf includes a line that mentions --manual-auth-hook or even just auth-hook that is not included in the /etc/letsencrypt/renewal/$DOMAIN.com.conf file. You can read more about editing that file at the certbot documentation page. This section specifically talks about pre and post validation hooks which is mentioned in the error you received.

I hope this helps point you in the right direction. If you have any other questions, comments, or concerns, please don't hesitate to let us know.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct