「Certbot」- The manual plugin is not working @20210307

Problem description

Running certbot renew produces the following error:

# certbot renew
/usr/lib/python2.7/site-packages/pkg_resources/py2_warn.py:22: UserWarning: Setuptools will stop working on Python 2
************************************************************
You are running Setuptools on Python 2, which is no longer
supported and
>>> SETUPTOOLS WILL STOP WORKING <<<
in a subsequent release (no sooner than 2020-04-20).
Please ensure you are installing
Setuptools using pip 9.x or later or pin to `setuptools<45`
in your environment.
If you have done those things and are still encountering
this message, please comment in
https://github.com/pypa/setuptools/issues/1458
about the steps that led to this unsupported combination.
************************************************************
  sys.version_info < (3,) and warnings.warn(pre + "*" * 60 + msg + "*" * 60)
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/harbor.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (harbor.example.com) from /etc/letsencrypt/renewal/harbor.example.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/harbor.example.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/harbor.example.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

The certificate was originally requested like this:

certbot certonly --manual --preferred-challenges dns -d harbor.example.com

System environment: CentOS Linux release 7.4.1708 (Core)

Cause

When a certificate is obtained with the --manual option and the DNS challenge, a different DNS TXT record has to be set each time the challenge is run.

That is the problem: certbot renew is an automated, non-interactive process, so there is nobody to enter the new TXT record, and without a --manual-auth-hook script the manual plugin has no way to create it on its own, which is exactly what the PluginError above says.
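A defender-side pre-flight check for the cause just described, added here as an example (not part of the original post): it scans certbot's renewal configs and lists every certificate issued with the manual authenticator but no auth hook, which is the combination certbot renew refuses. The sample configs are constructed inline; the hook path and the plugin authenticator name in them are illustrative.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a pre-flight check for the
# failure above. certbot renew runs non-interactively, so a certificate issued
# with --manual and no --manual-auth-hook can never be renewed unattended.
# Assumption: renewal configs follow certbot's /etc/letsencrypt/renewal/<name>.conf
# INI layout, whose [renewalparams] section records the authenticator used.

# Read one key from a renewal config (first match wins).
renewal_param() {                       # usage: renewal_param FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Exit 0 if the config can be renewed unattended, 1 if it will hit the
# "manual plugin is not working" error seen in the log above.
check_renewal_conf() {                  # usage: check_renewal_conf FILE
    local auth hook
    auth=$(renewal_param "$1" authenticator)
    hook=$(renewal_param "$1" manual_auth_hook)
    [ "$auth" != "manual" ] || [ -n "$hook" ]
}

# Print the path of every renewal config in DIR that will fail unattended.
list_unrenewable() {                    # usage: list_unrenewable DIR
    local conf
    for conf in "$1"/*.conf; do
        [ -e "$conf" ] || continue
        check_renewal_conf "$conf" || echo "$conf"
    done
}

# Constructed sample data so the check can be tried offline. The first config
# mirrors the broken setup from the post; the second has a (hypothetical) hook;
# the third uses a DNS plugin authenticator instead of manual.
demo_dir=$(mktemp -d)
printf '[renewalparams]\nauthenticator = manual\npref_challs = dns-01,\n' \
    > "$demo_dir/harbor.example.com.conf"
printf '[renewalparams]\nauthenticator = manual\nmanual_auth_hook = /usr/local/bin/dns-auth.sh\n' \
    > "$demo_dir/hooked.example.com.conf"
printf '[renewalparams]\nauthenticator = certbot-dns-aliyun:dns-aliyun\n' \
    > "$demo_dir/aliyun.example.com.conf"

list_unrenewable "$demo_dir"            # prints only .../harbor.example.com.conf
```

Point list_unrenewable at /etc/letsencrypt/renewal on a real host to find such certificates before they expire rather than when the renewal cron job fails.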

Solution

This can be solved with a DNS plugin; under the hood the plugin still calls the DNS provider's API to set the DNS TXT record, it just does so automatically.

On CentOS 7.x: for Cloudflare DNS use the python2-certbot-dns-cloudflare plugin; for Google Cloud DNS use python2-certbot-dns-google; for DigitalOcean DNS use the python2-certbot-dns-digitalocean plugin, see the page "Welcome to certbot-dns-digitalocean's documentation!" for details, which are not covered here.

We manage our DNS in Alibaba Cloud, so we need the Alibaba Cloud (Aliyun) plugin:

# Install Certbot and certbot-dns-aliyun
# (adjust accordingly if Certbot runs on Python 2):
pip3.6 install certbot-dns-aliyun

# Go to https://ram.console.aliyun.com, create an Alibaba Cloud sub-account,
# grant it the AliyunDNSFullAccess permission and create an AccessKey (AccessToken)

# Store the credentials (the values below are example placeholders)
cat > /etc/letsencrypt/dns-aliyun-credentials.ini <<EOF
certbot_dns_aliyun:dns_aliyun_access_key = 12345678
certbot_dns_aliyun:dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef
EOF

# The file holds a DNS API secret: make it readable by root only
chmod 600 /etc/letsencrypt/dns-aliyun-credentials.ini

# Re-issue the certificate using the DNS plugin as the authenticator; the
# renewal config then records this plugin and certbot renew can run unattended
certbot certonly \
    -a certbot-dns-aliyun:dns-aliyun \
    --certbot-dns-aliyun:dns-aliyun-credentials /etc/letsencrypt/dns-aliyun-credentials.ini \
    -d harbor.example.com

Related articles

「Certbot」- How to request certificates on an internal network
「Certbot」- Installation
「Certbot」- ocsp.int-x3.letsencrypt.org Read timed out
「Certbot」- SERVFAIL looking up CAA for
「Certbot」- ImportError: 'pyOpenSSL' module missing required functionality



Posted @ 2021-03-07 14:20 by 研究林纳斯写的, 673 views, 0 comments