Posted on 2020-05-31
certbot-auto renew --dry-run
Attempting to renew cert (cititic.com) from letsencrypt/renewal/web.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
I had previously used the DNS-01 challenge type [ref#1] to obtain a wildcard domain certificate, and this time running certbot-auto renew gave the errors above.
To solve the problem and let renewal run automatically in the future, I had to research it.
Certbot introduced two parameters, --manual-auth-hook and --manual-cleanup-hook [ref#2], used like this:
certbot certonly --manual --manual-auth-hook /path/to/http/authenticator.sh --manual-cleanup-hook /path/to/http/cleanup.sh -d secure.example.com
So we can use them for renewal as well.
The documentation offers some examples [ref#2]; you can modify one for your own setup or find a plugin script that is ready to use directly.
Example usage for DNS-01 (Cloudflare API v4)
Although you can use an API key and email as credentials for Cloudflare, the better way is to use tokens, because a token can be limited to the permissions the hook needs. Add a token from your account and give it Zone:Zone:Read and Zone:DNS:Edit permissions [ref#3].
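A sketch of such a hook using a scoped token, added here as an example (it is not the script from the certbot documentation or from this post). It serves as both hooks, selected by an argument: "/path/to/cf-hook.sh auth" and "/path/to/cf-hook.sh cleanup". The file name cf-hook.sh, the token file path, the CF_TOKEN_FILE variable, the two-label zone rule and the "first id in the response" parsing are assumptions.

```shell
#!/bin/sh
# Added example (assumptions: token path, two-label zones, first "id" = result id).
set -eu
API="https://api.cloudflare.com/client/v4"
TOKEN_FILE="${CF_TOKEN_FILE:-/etc/letsencrypt/cloudflare.token}"  # hypothetical path

# Succeeds only for a regular file with no group/other permissions (e.g. mode 600).
token_file_ok() {
    case "$(ls -ld -- "$1" 2>/dev/null)" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Name of the TXT record that the DNS-01 challenge looks up.
record_name() { printf '_acme-challenge.%s' "$1"; }

# Zone = last two labels (assumption: wrong for suffixes such as co.uk).
zone_of() { printf '%s' "$1" | awk -F. '{ print $(NF-1) "." $NF }'; }

# First 32-hex "id" in an API response read from stdin.
first_id() { grep -o '"id": *"[0-9a-f]\{32\}"' | head -n 1 | cut -d'"' -f4; }

# curl wrapper: the bearer token goes in through a config on stdin, so it never
# appears in the process list.
cf() {
    printf 'header = "Authorization: Bearer %s"\n' "$(cat "$TOKEN_FILE")" |
        curl -sS --fail -K - -H 'Content-Type: application/json' "$@"
}

run_hook() {
    token_file_ok "$TOKEN_FILE" || { echo "refusing: $TOKEN_FILE is group/world accessible" >&2; exit 1; }
    zone_id=$(cf "$API/zones?name=$(zone_of "$CERTBOT_DOMAIN")" | first_id)
    [ -n "$zone_id" ] || { echo "zone lookup failed" >&2; exit 1; }
    case "$1" in
    auth)
        body=$(printf '{"type":"TXT","name":"%s","content":"%s","ttl":120}' \
            "$(record_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION")
        cf -X POST "$API/zones/$zone_id/dns_records" --data "$body" | first_id  # stdout: record id
        sleep 25 ;;  # let the record propagate before validation
    cleanup)
        # certbot passes the auth hook's stdout back as CERTBOT_AUTH_OUTPUT.
        rec=$(printf '%s' "${CERTBOT_AUTH_OUTPUT:-}" | tr -d '[:space:]')
        cf -X DELETE "$API/zones/$zone_id/dns_records/$rec" >/dev/null ;;
    *) echo "usage: $0 auth|cleanup" >&2; exit 2 ;;
    esac
}

# Run only when certbot invoked us; otherwise the file just defines the functions.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then run_hook "${1:-auth}"; fi
```

Keep the token file owned by root with mode 600; the script refuses to run if group or other can read it.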
Once that is done, the renewal runs without errors, like this:
certbot-auto renew --manual-auth-hook="/your-authenticator.sh" --manual-cleanup-hook="/your-cleanup.sh" --post-hook="systemctl reload nginx"
Cert not yet due for renewal
The following certs are not due for renewal yet:
fullchain.pem expires on 2020-09-30 (skipped)
No renewals were attempted.