Renewing Let's Encrypt/Certbot Wildcard Certificate

A little note to self. The certs for my sites were due for renewal, so as usual I logged into my box and ran sudo certbot renew, and encountered the following error:

Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was:
PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (mysite.org-0001) from /etc/letsencrypt/renewal/mysite-0001.conf
produced an unexpected error: The manual plugin is not working;
there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with
--manual-auth-hook when using the manual plugin non-interactively.',).
Skipping.

So renewing a wildcard certificate is more involved than a standard certificate: the manual DNS-01 challenge cannot be completed non-interactively without an auth hook (which is what the error above is complaining about), so from my reading the process is almost the same as creating a new wildcard cert. There is apparently a way to automate this; more info later.

So the command that I use to re-generate the wildcard certificate is:

sudo certbot certonly --manual -d '*.mysite.org' --agree-tos --no-bootstrap \
    --manual-public-ip-logging-ok --preferred-challenges dns-01 \
    --server https://acme-v02.api.letsencrypt.org/directory

Running that command brings up a prompt:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for mysite.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.mysite.org with the following value:

the-value-from-the-script

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Don't press Enter yet; first we need to go to the hosting admin panel and add a DNS TXT record with the name _acme-challenge.mysite.org and the value Certbot printed. My site is hosted on DigitalOcean and here is what it looks like: [image: create dns record in DigitalOcean]

When that's done, hit Enter. Certbot verifies that we control the domain by looking up the DNS TXT record, and it checks immediately, so it is worth waiting until the record is visible from a public resolver before continuing. If all is well you will see the following:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mysite.org-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mysite.org-0001/privkey.pem
   Your cert will expire on 2021-04-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

And we are done; you can refresh the site now and the SSL warning should go away. If it doesn't, you might need to restart your webserver so it picks up the new certificate files.

Auto renew wildcard certificate

Apparently I can auto-renew the certificate using a Certbot DNS plugin, which creates and removes the _acme-challenge TXT record itself. For my case, I could use this one: certbot-dns-digitalocean.

I shall look into that in the future; the current manual process is not that annoying as I only need to do this every 3 months.
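A couple of helpers for the two loose ends above: checking that the TXT record is really deployed before pressing Enter in the manual flow, and switching to the certbot-dns-digitalocean plugin so that plain certbot renew works unattended. This is an added example, not code from the original post or from Certbot; it assumes the plugin is installed, and the domain name, the credentials path and the API token are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the manual
# "verify the record is deployed" step and for unattended renewal via
# certbot-dns-digitalocean. Assumes the plugin is installed; DOMAIN, CREDS
# and the token are placeholders.
DOMAIN="${DOMAIN:-mysite.org}"
CREDS="${CREDS:-/root/.secrets/certbot/digitalocean.ini}"

# Manual flow: before pressing Enter at the certbot prompt, confirm the TXT
# record is visible from a public resolver (needs dig and network access;
# $1 = domain, $2 = the value certbot printed).
txt_deployed() {
  dig +short TXT "_acme-challenge.$1" @1.1.1.1 | tr -d '"' | grep -qxF "$2"
}

# Plugin flow: write the file the plugin reads ($2 is a placeholder token).
# The token can edit every zone on the account, so create it with mode 600.
write_creds() {
  mkdir -p "$(dirname "$1")"
  ( umask 077; printf 'dns_digitalocean_token = %s\n' "${2:-YOUR_DO_API_TOKEN}" > "$1" )
  chmod 600 "$1"
}

# Returns 0 only when the file exists and is exactly mode 600 (owner rw only).
creds_private() {
  [ -f "$1" ] && [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Print the one-off issuance command. Once it succeeds, the renewal conf under
# /etc/letsencrypt/renewal/ records the plugin, so "certbot renew" needs no
# prompt. The apex name is added because the wildcard does not cover it.
issue_cmd() {
  printf 'certbot certonly --dns-digitalocean --dns-digitalocean-credentials %s' "$1"
  printf ' --dns-digitalocean-propagation-seconds 60 -d %s -d "*.%s" --agree-tos\n' "$2" "$2"
}

main() {
  [ -f "$CREDS" ] || write_creds "$CREDS"
  creds_private "$CREDS" || { echo "refusing: $CREDS must be mode 600" >&2; return 1; }
  issue_cmd "$CREDS" "$DOMAIN"
}
[ "${1:-}" = "--run" ] && main
```

Run it with --run as root to print the issuance command; txt_deployed mysite.org the-value-from-the-script is the pre-Enter check for the manual flow.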