Renewing Lets Encrypt certificates is as easy as issuing the command sudo certbot renew
. This will renew your expiring certificates with no additional effort. Read on to renew your SSL certificates now.
Lets Encrypt gives free SSL certificates for your website without chargin a dime. It even supports free wildcard SSL certificates as well.
If you have already issued SSL certificates, it is assumed that you already have OpenSSL and Certbot installed.
This article will explain how to renew SSL certificates in manual mode (obtaining certificate on a machine other than the target webserver).
First see which certificates are already in the store by issuing the command sudo certbot certificates
:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: example.com
Serial Number: 00ccccccccccccccccccccccccccc00
Key Type: RSA
Domains: example.com *.example.com
Expiry Date: 2021-06-08 02:39:50+00:00 (VALID: 26 days)
Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
So, let's issue the command to renew the SSL certificates (sudo certbot renew
):
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Failed to renew certificate example.com with error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
When issuing this command, you will get an error. This is because any auth hook is not specified for renewing the certificate and authenticating this with the Lets Encrypt CA.
Since, you issued the certificate using manual method, you will have to renew the certificate using the same mode as well. So, let's try another way:
sudo certbot certonly --force-renew --cert-name example.com
Note that you can also use the domain names directly using the -d
flag followed by domain name. But since, this single name allows you to renew the certificate using same domains, it will be better suited. Let's see the output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not find ssl_module; not disabling session tickets.
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel):
Since, we are not on the webserver system, none of these options will suffice to renew the certificate. And you will have to cancel this by typing c.
Renewal
Now, that we have seen all the ways to fail. Let's see the correct way to renew the certificates:
sudo certbot certonly --manual --preferred-challenges dns -d example.com -d '*.example.com'
And you will have to follow the process as you followed while issuing the certificate in the first place: single domain SSL certificate or wildcard SSL certificate.