「Certbot」- The manual plugin is not working

0

问题描述

执行 certbot renew 产生如下错误: 

# certbot renew
/usr/lib/python2.7/site-packages/pkg_resources/py2_warn.py:22: UserWarning: Setuptools will stop working on Python 2
************************************************************
You are running Setuptools on Python 2, which is no longer
supported and
>>> SETUPTOOLS WILL STOP WORKING <<<
in a subsequent release (no sooner than 2020-04-20).
Please ensure you are installing
Setuptools using pip 9.x or later or pin to `setuptools<45`
in your environment.
If you have done those things and are still encountering
this message, please comment in
https://github.com/pypa/setuptools/issues/1458
about the steps that led to this unsupported combination.
************************************************************
  sys.version_info < (3,) and warnings.warn(pre + "*" * 60 + msg + "*" * 60)
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/harbor.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (harbor.example.com) from /etc/letsencrypt/renewal/harbor.example.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/harbor.example.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/harbor.example.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

当时证书是这样申请的: 

certbot certonly --manual --preferred-challenges dns -d harbor.example.com

系统环境:CentOS Linux release 7.4.1708 (Core)

原因分析

当我们使用 –manual 选项申请证书时,需要使用 DNS 质询,来完成域名所有权的验证。当我们 certbot renew 时,这也是个自动化过程,而 certbot 无法进行 DNS 所有权的验证,而产生该错误。

解决方案

方案一、通过命令解决

当证书过期后,我们再次执行证书申请命令即可。然后按照提示再次完成 DNS 质询: 

certbot certonly --manual --preferred-challenges dns -d example.com

方案二、通过插件解决

我们需要使用插件解决这个问题,插件在本质上还是调用 DNS 服务的 API 设置 DNS TXT 记录。

在 CentOS 7.x 中:Cloudflare DNS 可以使用 python2-certbot-dns-cloudflare 插件;Google Cloud DNS 可以使用 python2-certbot-dns-google 创建;DigitalOcean DNS 可以使用 python2-certbot-dns-digitalocean 插件,参考 Welcome to certbot-dns-digitalocean’s documentation! 文档,具体细节不再展开。

我们用的是阿里云的 DNS 管理,那就要使用阿里云的 certbot-dns-aliyun 插件: 

# 安装 Certbot 和 certbot-dns-aliyun
# 如果使用 Python 2 Certbot 需要自行调整:
pip3.6 install certbot-dns-aliyun

# 前往 https://ram.console.aliyun.com 申请阿里云子账号并授予 AliyunDNSFullAccess 权限
# 创建 AccessKey AccessToken

cat > /etc/letsencrypt/dns-aliyun-credentials.ini <<EOF
certbot_dns_aliyun:dns_aliyun_access_key = 12345678
certbot_dns_aliyun:dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef
EOF

chmod 600 /etc/letsencrypt/dns-aliyun-credentials.ini

certbot certonly \
    -a certbot-dns-aliyun:dns-aliyun \
    --certbot-dns-aliyun:dns-aliyun-credentials /etc/letsencrypt/dns-aliyun-credentials.ini \
    -d harbor.example.com \

参考文献

I can’t renew cert
使用 Certbot 自动申请并续订阿里云 DNS 免费泛域名证书
Certbot manual renew – Server – Let’s Encrypt Community Support