Migrate from hook-script to Certbot DNS Plugin

un99known99 · April 16, 2022, 9:02am

Hi, I do have the “old” hook-script in place and wanted to remove it, unfortunately the old how-to-setup webpages have been removed, so I am unsure in how to reset the hook-script setup and to setup the new dns-plugin

Also does
certbot certonly
–authenticator dns-desec
–dns-desec-credentials /etc/letsencrypt/secrets/$DOMAIN.ini
-d “$DOMAIN”
-d “*.$DOMAIN”
needs to be part of /lib/systemd/system/certbot.service (and replacing
ExecStart=/usr/bin/certbot -q renew with above statement )?

And what do to here:

How to Migrate

“1. Remove certbot configuration for your domain.” ?

Thx,
Mike

un99known99 · April 16, 2022, 6:42pm

$ sudo /usr/local/bin/certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/mydomain.dedyn.io.conf

Failed to renew certificate mydomain.dedyn.io with error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’)

All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/mydomain.dedyn.io/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

un99known99 · April 16, 2022, 6:42pm

I had removed the manual hook.sh stuff

un99known99 · April 16, 2022, 7:08pm

Despite the docu is not too easy to read and follow at least I could force a renewal of my cert with the new DNS-Plug.

One question left:

What do I need to enter/change in cerbot.service???

Is
"ExecStart=/usr/local/bin/certbot -q renew" sufficient?

Or needs some config file to be submitted as well?

(as /usr/local/bin/certbot renew certonly --authenticator dns-desec --dns-desec-credentials /etc/letsencrypt/secrets/mydomain.dedyn.io.ini -d “mydomain.dedyn.io” -d “*.mydomain.dedyn.io” is NOT working)

SamLowry · April 18, 2022, 8:56pm

It’s actually not that complicated. The first time a certificate is successfully retrieved, certbot creates a configuration file for the domain in the ‘renewal’ subdirectory, i.e. ‘mydomain.dedyn.io.conf’. You should not change these unless you know exactly what you are doing!

To change anything, you just manually force a renew like you did, so

renew certonly --force-renewal --authenticator dns-desec --dns-desec-credentials /etc/letsencrypt/secrets/mydomain.dedyn.io.ini -d "mydomain.dedyn.io" -d "*.mydomain.dedyn.io"

should be enough.

Please check the path information. You also need to add ‘–force-renewal’ I think.

If successful, certbot changes the conf file and uses the new settings for further renewals, i.e. further changes are not necessary. Described as an example in the documentation under ‘Modifying the Renewal Configuration of Existing Certificates’ (look here).

un99known99 · April 21, 2022, 10:04am

Hi, thanks for the info, meanwhile was able to force the renew. For the certbot.service file I set

ExecStart=/usr/local/bin/certbot -q renew --authenticator dns-desec --dns-desec-credentials /etc/letsencrypt/.secrets/mydomain.dedyn.io.ini

does that work out?

Thanks,
Mike

SamLowry · April 21, 2022, 11:01am

I run certbot on Windows, but I assume you’re using ubuntu. There the certbot.service file is regularly executed by a systemd timer. Nothing really needs to be changed in this file. With the call ‘certbot -q renew’, certbot itself looks in the ‘renewal’ directory to see how the certificates were created and then renews them in the same way if necessary. Therefore, the command
certbot certonly (--force-renewal) --authenticator dns-desec --dns-desec-credentials /etc/letsencrypt/secrets/mydomain.dedyn.io.ini -d "mydomain.dedyn.io" -d "*.mydomain.dedyn.io"
is only needed once when creating the certificate for the first time (or to change the way the certificate should be created). A ‘certbot -q renew’ in the certbot.service file is then sufficient to renew all certificates.

You can test whether the renewal works in a terminal window with ‘certbot renew --dry-run’. If you only want to renew a specific certificate in between, use '‘certbot renew --cert-name “mydomain.dedyn.io”’. The documentation is very helpful.

un99known99 · April 21, 2022, 11:29am

Yes, running Linux (Raspian OS (Debian)).
Ok, perfect, thanks a ton, that answers the question(s)