[Original] Automatic renewal of a Let's Encrypt SSL certificate fails
Environment
- Ubuntu 18.04
- Certbot 1.13
- snap 2.49
Problem description
When running certbot renew on a certificate that is about to expire, re-issuance fails with the error: An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/zhuolin.xyz.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Failed to renew certificate zhuolin.xyz with error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/zhuolin.xyz/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Cause
The direct cause is that the certificate was originally requested with the --manual option. --manual is an interactive command-line option: it requires the user to type in certain data by hand during the process.
The command used to request the certificate automatically generates a renewal configuration file, for example:
/etc/letsencrypt/renewal/zhuolin.xyz.conf
certbot renew reads /etc/letsencrypt/renewal/zhuolin.xyz.conf, but renew is a non-interactive command,
Solution
1. Inspect the existing configuration file
The configuration file below was generated automatically from the command used to request the certificate.
$ cat /etc/letsencrypt/renewal/zhuolin.xyz.conf
Note the setting authenticator = manual. manual means the certificate is requested through interactive user input; since certbot renew is a non-interactive command, re-issuing with this configuration produces the error above.
2. Update the configuration
Reference:
https://certbot.eff.org/docs/using.html#config-file
Change authenticator to nginx, and also make sure server is the v02 URL.
# renew_before_expiry = 30 days
version = 1.9.0
archive_dir = /etc/letsencrypt/archive/zhuolin.xyz
cert = /etc/letsencrypt/live/zhuolin.xyz/cert.pem
privkey = /etc/letsencrypt/live/zhuolin.xyz/privkey.pem
chain = /etc/letsencrypt/live/zhuolin.xyz/chain.pem
fullchain = /etc/letsencrypt/live/zhuolin.xyz/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 53c49a63d1261d1dbf3734733d79e181
pref_challs = dns-01,
authenticator = nginx
server = https://acme-v02.api.letsencrypt.org/directory
installer = nginx
Then run certbot renew again to re-issue the certificate.
3. Alternatively, re-issue with certbot certonly
Example:
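As an added example (not from the original post), a small POSIX shell audit that reads the [renewalparams] section of a renewal conf and reports the conditions discussed above: authenticator = manual with no manual_auth_hook (exactly what makes certbot renew fail non-interactively), a server that is not the ACME v02 directory, and an http-01-only authenticator such as nginx paired with pref_challs = dns-01, since a wildcard name like *.zhuolin.xyz can only be validated through dns-01. The sample conf and the account value inside it are constructed, and the final loop over /etc/letsencrypt/renewal/*.conf is how it would be run for real.

```shell
#!/bin/sh
# Audit Certbot renewal configs before 'certbot renew' runs non-interactively.
# Flags the conditions discussed above: authenticator = manual with no
# manual_auth_hook, a non-v02 server URL, and an http-01-only authenticator
# combined with pref_challs = dns-01 (wildcard names need dns-01).

# Print the value of <key> from the [renewalparams] section of <conf>.
renewal_param() {  # usage: renewal_param <conf> <key>
    awk -v key="$2" '
        /^\[/ { insec = ($0 == "[renewalparams]"); next }
        insec && $0 ~ ("^" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Report problems in one conf: one finding per line, exit status 1 if any.
check_renewal_conf() {  # usage: check_renewal_conf <conf>
    auth=$(renewal_param "$1" authenticator)
    hook=$(renewal_param "$1" manual_auth_hook)
    prefs=$(renewal_param "$1" pref_challs)
    server=$(renewal_param "$1" server)
    rc=0
    if [ "$auth" = "manual" ] && [ -z "$hook" ]; then
        echo "$1: authenticator = manual without manual_auth_hook; non-interactive renew will fail"
        rc=1
    fi
    case "$auth:$prefs" in
        nginx:*dns-01*|apache:*dns-01*|webroot:*dns-01*|standalone:*dns-01*)
            echo "$1: $auth only answers http-01 but pref_challs asks for dns-01"; rc=1 ;;
    esac
    case "$server" in
        https://acme-v02.api.letsencrypt.org/directory) ;;
        https://acme-staging-v02.api.letsencrypt.org/directory) ;;
        *) echo "$1: server is not the ACME v02 directory: ${server:-<unset>}"; rc=1 ;;
    esac
    return $rc
}
# Demo on a constructed conf mirroring the failing state (account value is made up).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
version = 1.9.0
[renewalparams]
account = 0123456789abcdef0123456789abcdef
pref_challs = dns-01,
authenticator = manual
server = https://acme-v02.api.letsencrypt.org/directory
EOF
check_renewal_conf "$demo_conf" || echo "fix the findings above, then run: certbot renew --dry-run"
rm -f "$demo_conf"
# Real use: for f in /etc/letsencrypt/renewal/*.conf; do check_renewal_conf "$f"; done
```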
$ sudo certbot certonly -d *.zhuolin.xyz --manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for *.zhuolin.xyz
Performing the following challenges:
dns-01 challenge for zhuolin.xyz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.zhuolin.xyz with the following value:
VQxLvZ8RxkZB5VbwqWA0wKvH6IcaLJXxYigA9
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/zhuolin.xyz/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/zhuolin.xyz/privkey.pem
Your certificate will expire on 2021-06-02. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Appendix
After following the method above it still errored; with no other choice I re-issued the certificate again, and that succeeded.
Re-issuing on its own requires setting up the DNS record again; why does the first method