[Original] Automatic renewal of a Let's Encrypt SSL certificate fails

Environment

  • Ubuntu 18.04

  • Certbot 1.13

  • snap 2.49

Problem description

Running certbot renew on a certificate that was about to expire failed to reissue it, with the error: An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.

$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/zhuolin.xyz.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Failed to renew certificate zhuolin.xyz with error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/zhuolin.xyz/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

Cause

The direct cause is that the certificate was originally requested with the --manual option. --manual is an interactive command-line option: it requires the user to type in certain data by hand before it can proceed.

The command used to request the certificate automatically generates a renewal configuration file, for example:

/etc/letsencrypt/renewal/zhuolin.xyz.conf

When certbot renew runs it reads /etc/letsencrypt/renewal/zhuolin.xyz.conf, but renew is a non-interactive command.

Solution

1. Inspect the existing configuration file

The configuration file below was generated automatically from the command used when the certificate was requested.

$ cat /etc/letsencrypt/renewal/zhuolin.xyz.conf

Note the setting authenticator = manual. manual means the certificate is requested with interactive user input; since certbot renew is non-interactive, reissuing the certificate with this configuration fails.

2. Update the configuration

Reference:

https://certbot.eff.org/docs/using.html#config-file

Change authenticator to nginx, and also make sure server is the v02 URL.

# renew_before_expiry = 30 days
version = 1.9.0
archive_dir = /etc/letsencrypt/archive/zhuolin.xyz
cert = /etc/letsencrypt/live/zhuolin.xyz/cert.pem
privkey = /etc/letsencrypt/live/zhuolin.xyz/privkey.pem
chain = /etc/letsencrypt/live/zhuolin.xyz/chain.pem
fullchain = /etc/letsencrypt/live/zhuolin.xyz/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 53c49a63d1261d1dbf3734733d79e181
pref_challs = dns-01,
authenticator = nginx
server = https://acme-v02.api.letsencrypt.org/directory
installer = nginx

Then run certbot renew again and the certificate is reissued.
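The check below is an added example, not part of the original post or of certbot: it reads a renewal config like the one above and reports whether certbot renew can process it without a terminal, flagging the exact combination that caused the failure (authenticator = manual with no manual_auth_hook) and a server that is not the v02 directory. The paths in the comments are assumptions.

```shell
#!/bin/sh
# Pre-flight check for /etc/letsencrypt/renewal/<name>.conf files (added example,
# not from the post or from certbot). Paths referenced here are assumptions.

# get_param FILE KEY: print KEY's value from the [renewalparams] section,
# trimming whitespace and the trailing comma certbot writes on list values
# (e.g. "pref_challs = dns-01,").
get_param() {
    awk -v key="$2" -F '=' '
        /^\[/ { section = $0 }
        section == "[renewalparams]" && $1 ~ ("^[ \t]*" key "[ \t]*$") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t,]*$/, ""); print; exit
        }' "$1"
}

# check_renewal_conf FILE: return 0 if the config looks renewable non-interactively,
# 1 if "certbot renew" would abort on it; prints a one-line verdict either way.
check_renewal_conf() {
    conf=$1
    authenticator=$(get_param "$conf" authenticator)
    auth_hook=$(get_param "$conf" manual_auth_hook)
    server=$(get_param "$conf" server)
    status=0
    case $authenticator in
        manual)
            # The post's failure: manual needs a hook once nobody is at the keyboard.
            if [ -z "$auth_hook" ]; then
                echo "FAIL $conf: authenticator=manual without manual_auth_hook"
                status=1
            fi ;;
        '')
            echo "FAIL $conf: no authenticator in [renewalparams]"
            status=1 ;;
    esac
    # The post's fix also requires the v02 directory URL; flag anything else.
    case $server in
        https://acme-v02.api.letsencrypt.org/*) ;;
        *) echo "WARN $conf: server is not the Let's Encrypt v02 directory (${server:-unset})" ;;
    esac
    [ "$status" -eq 0 ] && echo "OK   $conf (authenticator=$authenticator)"
    return "$status"
}

# Usage (assumed path): check every renewal config on the host.
# for f in /etc/letsencrypt/renewal/*.conf; do check_renewal_conf "$f"; done
```

One caveat worth knowing before switching to nginx: the nginx authenticator performs http-01 only, while Let's Encrypt validates a wildcard name such as *.zhuolin.xyz only via dns-01, so for wildcard certificates the non-interactive path is a manual_auth_hook script or a DNS plugin rather than authenticator = nginx.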

3. Alternatively, reissue the certificate with certbot certonly

Example:

$ sudo certbot certonly -d *.zhuolin.xyz --manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for *.zhuolin.xyz
Performing the following challenges:
dns-01 challenge for zhuolin.xyz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.zhuolin.xyz with the following value:
VQxLvZ8RxkZB5VbwqWA0wKvH6IcaLJXxYigA9
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/zhuolin.xyz/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/zhuolin.xyz/privkey.pem
   Your certificate will expire on 2021-06-02. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Appendix

Reference: https://community.letsencrypt.org/t/an-authentication-script-must-be-provided-with-manual-auth-hook/74301/3


1 Response

  1. Anonymous says:

    I followed the method above and still got an error; as a last resort I reissued the certificate and that succeeded.
    The only thing is that reissuing requires setting up the DNS record again. Why does the first method
