Problem description
Running certbot renew produces the following error:
# certbot renew
/usr/lib/python2.7/site-packages/pkg_resources/py2_warn.py:22: UserWarning: Setuptools will stop working on Python 2
************************************************************
You are running Setuptools on Python 2, which is no longer
supported and
>>> SETUPTOOLS WILL STOP WORKING <<<
in a subsequent release (no sooner than 2020-04-20).
Please ensure you are installing
Setuptools using pip 9.x or later or pin to `setuptools<45`
in your environment.
If you have done those things and are still encountering
this message, please comment in
https://github.com/pypa/setuptools/issues/1458
about the steps that led to this unsupported combination.
************************************************************
sys.version_info < (3,) and warnings.warn(pre + "*" * 60 + msg + "*" * 60)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/harbor.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (harbor.example.com) from /etc/letsencrypt/renewal/harbor.example.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/harbor.example.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/harbor.example.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
The certificate was originally requested like this:
certbot certonly --manual --preferred-challenges dns -d harbor.example.com
System environment: CentOS Linux release 7.4.1708 (Core)
Cause analysis
When a certificate is requested with the --manual option, the DNS challenge is completed by hand: certbot prints the TXT record and waits for us to create it to prove ownership of the domain. certbot renew, on the other hand, is an automated, non-interactive process, so the manual plugin has no way to complete the DNS ownership verification (no authentication script was supplied) and fails with the error above.
Solution
Option 1: fix it by re-running the command
When the certificate expires, simply run the certificate request command again and complete the DNS challenge once more as prompted:
certbot certonly --manual --preferred-challenges dns -d example.com
Option 2: fix it with a plugin
We need a plugin to solve this; under the hood the plugin still calls the DNS provider's API to set the DNS TXT record.
On CentOS 7.x: Cloudflare DNS can use the python2-certbot-dns-cloudflare plugin; Google Cloud DNS can use python2-certbot-dns-google; DigitalOcean DNS can use the python2-certbot-dns-digitalocean plugin, see the "Welcome to certbot-dns-digitalocean's documentation!" page for details, which are not covered here.
We use Alibaba Cloud DNS, so we need Alibaba Cloud's certbot-dns-aliyun plugin:
# Install Certbot and certbot-dns-aliyun
# If you use the Python 2 Certbot, adjust accordingly:
pip3.6 install certbot-dns-aliyun
# Go to https://ram.console.aliyun.com, create an Alibaba Cloud RAM sub-account and grant it the AliyunDNSFullAccess permission
# Create an AccessKey / AccessToken for it
cat > /etc/letsencrypt/dns-aliyun-credentials.ini <<EOF
certbot_dns_aliyun:dns_aliyun_access_key = 12345678
certbot_dns_aliyun:dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef
EOF
chmod 600 /etc/letsencrypt/dns-aliyun-credentials.ini
certbot certonly \
-a certbot-dns-aliyun:dns-aliyun \
--certbot-dns-aliyun:dns-aliyun-credentials /etc/letsencrypt/dns-aliyun-credentials.ini \
-d harbor.example.com
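Because the failure only shows up when the cron job runs, it helps to check the renewal configs ahead of time. The script below is an added example (not from the original post or the certbot project): it flags renewal files that still use the manual plugin without an auth hook, which is exactly the configuration that produced the error above, and accepts the plugin-based config from Option 2. It assumes certbot's renewal file layout (a [renewalparams] section with "authenticator = ..." and, when a hook was given, "manual_auth_hook = ..."); the sample files are constructed.

```shell
#!/bin/sh
# Usage: check_renewal_conf /etc/letsencrypt/renewal/NAME.conf
# Returns 0 if "certbot renew" can proceed non-interactively,
# 1 if it will fail the way the log above shows.
check_renewal_conf() {
    conf="$1"
    # Pull the authenticator and (optional) hook out of [renewalparams].
    auth=$(sed -n 's/^authenticator *= *//p' "$conf" | head -n1)
    hook=$(sed -n 's/^manual_auth_hook *= *//p' "$conf" | head -n1)
    case "$auth" in
        manual)
            if [ -z "$hook" ]; then
                echo "$conf: manual plugin without --manual-auth-hook; renew will fail" >&2
                return 1
            fi
            ;;
        "")
            echo "$conf: no authenticator set" >&2
            return 1
            ;;
    esac
    return 0
}

# Constructed sample files mimicking what certbot writes after the two
# "certbot certonly" commands on this page (assumed layout).
tmp=$(mktemp -d)
cat > "$tmp/manual.conf" <<'EOF'
version = 1.0.0
archive_dir = /etc/letsencrypt/archive/harbor.example.com
[renewalparams]
authenticator = manual
pref_challs = dns-01,
EOF
cat > "$tmp/aliyun.conf" <<'EOF'
version = 1.0.0
archive_dir = /etc/letsencrypt/archive/harbor.example.com
[renewalparams]
authenticator = certbot-dns-aliyun:dns-aliyun
certbot_dns_aliyun:dns_aliyun_credentials = /etc/letsencrypt/dns-aliyun-credentials.ini
EOF

check_renewal_conf "$tmp/manual.conf" || echo "manual.conf needs fixing before the next renew"
check_renewal_conf "$tmp/aliyun.conf" && echo "aliyun.conf is fine"
```

Run it over every file in /etc/letsencrypt/renewal/ and follow up with certbot renew --dry-run to confirm the plugin can actually create the TXT record.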