Unable to renew Certbot NGINX certificate

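I have an NGINX server and use Certbot to generate Let's Encrypt certificates. I noticed that my certificate is not being renewed automatically even though I set up a cron job. I tried to renew it manually with the following command: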

$ certbot renew --cert-name pbx.info.eu --nginx
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration. The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). 
The requested nginx plugin does not appear to be installed certbot.

So I ran this command:

$ sudo apt install python3-certbot-nginx  
E: The package "python3-certbot-nginx" has no version that can be installed 

Debian 10; the certbot version is 0.31.0.

When I run certbot renew, I always get the same error message:

$ certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/pbx.info.eu
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (pbx.info.eu) from /etc/letsencrypt/renewal/pbx.info.eu produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/pbx.info.eu/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/pbx.info.eu/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

Here is /etc/letsencrypt/renewal/pbx.info.eu.conf:

$ cat /etc/letsencrypt/renewal/pbx.info.eu.conf
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/pbx.info.eu
cert = /etc/letsencrypt/live/pbx.info.eu/cert.pem
privkey = /etc/letsencrypt/live/pbx.info.eu/privkey.pem
chain = /etc/letsencrypt/live/pbx.info.eu/chain.pem
fullchain = /etc/letsencrypt/live/pbx.info.eu/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 
pref_challs = dns-01,
authenticator = manual
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory

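Answer 1

From this configuration, it looks like you originally obtained this certificate using the DNS-01 challenge. Did you do that manually (er, what's the point of that, Let's Encrypt is all about automation)?

Anyway, if you don't need features that are only available with the DNS-01 challenge (such as wildcard certificates), you can switch back to the HTTP-01 challenge. To do so, remove all references to this certificate and request a new certificate with the same name. This time, make sure you use the Nginx plugin as both the "authenticator" and the "installer". This is what was suggested on the Let's Encrypt forum.

Or you can try setting the preferred challenge: certbot renew --preferred-challenges http --nginx [domain]. Do this once and it should record it in the renewal file, and then subsequent renewals only need "certbot renew". This looks exactly like your situation.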
