certbot renew DNS-01 wildcard domain PluginError manual-auth-hook letsencrypt

Posted on 2020-05-31

by cititic.com

certbot-auto renew: An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively

certbot-auto renew --dry-run

Attempting to renew cert (cititic.com) from letsencrypt/renewal/web.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:

The wildcard certificate was originally issued with the DNS-01 challenge type [ref#1], and this time running certbot-auto renew produced the errors above.
To fix this and let renewal run automatically in future, I had to look into the problem.

certbot introduced two parameters, --manual-auth-hook and --manual-cleanup-hook [ref#2], used like this:
certbot certonly --manual --manual-auth-hook /path/to/http/authenticator.sh --manual-cleanup-hook /path/to/http/cleanup.sh -d secure.example.com
so they can be used for renewal as well.

The docs offer an example of each hook [ref#2]; you can adapt it to your own setup or find a ready-made plugin script to use directly:
/path/to/http/authenticator.sh
/path/to/http/cleanup.sh
Example usage for DNS-01 (Cloudflare API v4)

Although you can use the API key and email address as Cloudflare credentials, the better way is an API token, because a token can be scoped to just what certbot needs: create one in your account and give it the Zone:Zone:Read and Zone:DNS:Edit permissions [ref#3].
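As an added example (not the original post's script nor the certbot project's), here is one hook file that serves as both the authenticator and the cleanup hook for DNS-01 against the Cloudflare API v4. It assumes curl and jq are installed, that the scoped token is stored in /etc/letsencrypt/cf-token (mode 0600) rather than on the command line, and that the zone apex has two labels; the file name cf-hook.sh and the auth/cleanup arguments are my own choice.

```shell
#!/bin/sh
# Combined DNS-01 hook for Cloudflare API v4 (added example, not from the post).
# Assumes: curl + jq installed; token with Zone:Zone:Read + Zone:DNS:Edit kept in
# TOKEN_FILE (0600, root-owned), never in the command line or environment.
# Usage with certbot:
#   --manual-auth-hook="/usr/local/bin/cf-hook.sh auth" \
#   --manual-cleanup-hook="/usr/local/bin/cf-hook.sh cleanup"
set -eu
CF_API="https://api.cloudflare.com/client/v4"
TOKEN_FILE="${CF_TOKEN_FILE:-/etc/letsencrypt/cf-token}"

# TXT record name for the ACME challenge; strip a leading "*." defensively
# (certbot passes the base identifier for wildcard names).
acme_record_name() {
  printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Zone apex for a hostname: Cloudflare wants the zone, not the FQDN.
# Assumes a two-label apex (example.com); adjust for co.uk style zones.
zone_of() {
  printf '%s\n' "$1" | awk -F. '{print $(NF-1)"."$NF}'
}

# JSON body for the record; a 120 s TTL keeps stale challenge answers short-lived.
txt_record_json() {
  printf '{"type":"TXT","name":"%s","content":"%s","ttl":120}' "$1" "$2"
}

cf() {  # cf METHOD PATH [BODY]
  curl -sS -X "$1" "$CF_API$2" -H "Authorization: Bearer $(cat "$TOKEN_FILE")" \
       -H "Content-Type: application/json" ${3:+--data "$3"}
}

auth() {
  name=$(acme_record_name "$CERTBOT_DOMAIN")
  zone_id=$(cf GET "/zones?name=$(zone_of "$CERTBOT_DOMAIN")" | jq -r '.result[0].id')
  record_id=$(cf POST "/zones/$zone_id/dns_records" \
                "$(txt_record_json "$name" "$CERTBOT_VALIDATION")" | jq -r '.result.id')
  echo "$zone_id/$record_id"   # stdout reaches cleanup as CERTBOT_AUTH_OUTPUT
  sleep 30                      # let the record propagate before validation
}

cleanup() {
  # Delete exactly the record auth created, so challenge TXTs do not pile up.
  cf DELETE "/zones/${CERTBOT_AUTH_OUTPUT%/*}/dns_records/${CERTBOT_AUTH_OUTPUT#*/}" >/dev/null
}

case "${1:-}" in auth) auth ;; cleanup) cleanup ;; esac
```

certbot passes the validation token in CERTBOT_VALIDATION and the domain in CERTBOT_DOMAIN, and hands the auth hook's stdout to the cleanup hook as CERTBOT_AUTH_OUTPUT, which is how the cleanup step knows which record to delete.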

Once that is done, the renewal runs cleanly like this:
certbot-auto renew --manual-auth-hook="/your-authenticator.sh" --manual-cleanup-hook="/your-cleanup.sh" --post-hook="systemctl reload nginx"

Cert not yet due for renewal
The following certs are not due for renewal yet:
fullchain.pem expires on 2020-09-30 (skipped)
No renewals were attempted.

References:
#1 https://letsencrypt.org/docs/challenge-types/
#2 https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks
#3 https://certbot-dns-cloudflare.readthedocs.io/en/stable/