Why won't certbot renew my SSL certificate?
I ran the following commands:
sudo service nginx stop
sudo /usr/bin/certbot renew
And I received the following messages during the renewal:
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert ($DOMAIN.com) from /etc/letsencrypt/renewal/$DOMAIN.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration. The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
And later on,
The following certs were successfully renewed:
  /etc/letsencrypt/live/test.$DOMAIN.com/fullchain.pem (success)
The following certs could not be renewed:
  /etc/letsencrypt/live/$DOMAIN.com/fullchain.pem (failure)
In my letsencrypt.log file I see the following:
2019-12-20 11:18:44,423:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2019-12-20 11:18:44,423:DEBUG:certbot.plugins.selection:Requested authenticator manual and installer None
2019-12-20 11:18:44,425:DEBUG:certbot.plugins.disco:Other error:(PluginEntryPoint#manual): An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/plugins/disco.py", line 130, in prepare
    self._initialized.prepare()
  File "/usr/lib/python2.7/site-packages/certbot/plugins/manual.py", line 90, in prepare
    self.option_name('auth-hook')))
PluginError: An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
What is causing this? Why is test.$DOMAIN.com renewing the SSL certificate, but not $DOMAIN.com?
It looks like this might be an error with the configuration of your auto-renewal script.
Doing a bit of digging, it appears the issue is that sudo /usr/bin/certbot renew is a noninteractive command. I believe you should be able to run the following command:
certbot certonly --manual -d $DOMAIN.com
As for why the subdomain was able to renew, but not the main domain, I would recommend reviewing /etc/letsencrypt/renewal/$DOMAIN.com.conf and comparing it to /etc/letsencrypt/renewal/test.$DOMAIN.com.conf to see if there are any differences between how the two were created. Specifically, I would see if /etc/letsencrypt/renewal/test.$DOMAIN.com.conf includes a line that mentions --manual-auth-hook or even just auth-hook that is not included in the /etc/letsencrypt/renewal/$DOMAIN.com.conf file. You can read more about editing that file at the certbot documentation page. This section specifically talks about pre and post validation hooks, which are mentioned in the error you received.
I hope this helps point you in the right direction. If you have any other questions, comments, or concerns, please don't hesitate to let us know.
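
The comparison suggested in the answer above can be scripted. The following is an added example, not part of the original thread or of certbot itself: it reads the [renewalparams] section of each renewal file and flags any that use the manual authenticator without a manual_auth_hook entry. The sample files are constructed, and the standalone authenticator for the subdomain is an assumption.

```shell
# Added example: flag renewal configs that `certbot renew` cannot run unattended.
# Print the value of KEY ($2) from the [renewalparams] section of FILE ($1).
renewal_param() {
    awk -F' *= *' -v key="$2" '
        /^\[/ { in_params = ($0 == "[renewalparams]"); next }
        in_params && $1 == key { print $2; exit }
    ' "$1"
}

# Return 0 if FILE can renew non-interactively, 1 if it uses the manual
# authenticator with no manual_auth_hook set.
check_renewal_conf() {
    auth=$(renewal_param "$1" authenticator)
    hook=$(renewal_param "$1" manual_auth_hook)
    if [ "$auth" = "manual" ] && [ -z "$hook" ]; then
        echo "FAIL $1: authenticator=manual, no manual_auth_hook"
        return 1
    fi
    echo "OK   $1: authenticator=${auth:-unset}"
}

# Constructed sample files standing in for /etc/letsencrypt/renewal/*.conf.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/example.com.conf" <<'EOF'
cert = /etc/letsencrypt/live/example.com/cert.pem
[renewalparams]
authenticator = manual
server = https://acme-v02.api.letsencrypt.org/directory
EOF
    cat > "$dir/test.example.com.conf" <<'EOF'
cert = /etc/letsencrypt/live/test.example.com/cert.pem
[renewalparams]
authenticator = standalone
EOF
    echo "$dir"
}

samples=$(make_samples)
for conf in "$samples"/*.conf; do
    check_renewal_conf "$conf" || true
done
rm -rf "$samples"
```

On a real host, run check_renewal_conf over the files in /etc/letsencrypt/renewal/ instead of the samples.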