Certbot-auto not renewing on cron job

Question

I have the following set up via cron:

/usr/sbin/certbot-auto renew --force-renew --quiet --post-hook "/sbin/service httpd reload" >> /var/log/letsencrypt/letsencrypt.log 2>&1

I found out this is not renewing the certificate and when I tried running the command manually, I get:

Attempting to renew cert (foo.com) from /etc/letsencrypt/renewal/foo.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/foo.com/fullchain.pem (failure)

I couldn't find the original article that I used to set this up but I can't see why I would need to use --manual-auth-hook if I am trying to do this in an automated fashion. Can someone please let me know why this error message is popping up and what I would need to fix this so that the cron runs automatically w/o error? My guess is that I need to add some kind of script that would authenticate via dns or http but Im not 100% sure on that.

Do all domains that are covered by the certificate still have a dns record pointing to the server's IP? — digijay, Nov 14 '18 at 21:29

score 2 · Answer 1 · answered Nov 27 '18 at 22:38

I'm not sure why this error occurs but I ran into the same problem recently and had to renew the cert manually using:

certbot-auto certonly --apache -d foo.com

The success message emitted by this command included a snippet specifically stating that I would be able to renew this certificate automatically in the future using "certbot-auto renew".

- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/foo.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/foo.com/privkey.pem
Your cert will expire on 2019-02-25. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"

I have a cron job that runs certbot-auto renew once a week and if I notice any issues I will come back and update this answer. If you don't hear back from me by 2019-02-25 it means the certificate was able to be renewed automatically after the manual renewal above.

I can confirm that the certificate in question was successfully renewed today (2019-01-29), so the solution above worked. — JamesG, Jan 29 '19 at 10:08
Thank you! After a long search your answer was finally the right one! — Akito, Apr 19 '19 at 14:13

Certbot-auto not renewing on cron job

1 Answers1