问题描述
执行 certbot renew 产生如下错误:
# certbot renew
/usr/lib/python2.7/site-packages/pkg_resources/py2_warn.py:22: UserWarning: Setuptools will stop working on Python 2
************************************************************
You are running Setuptools on Python 2, which is no longer
supported and
>>> SETUPTOOLS WILL STOP WORKING <<<
in a subsequent release (no sooner than 2020-04-20).
Please ensure you are installing
Setuptools using pip 9.x or later or pin to `setuptools<45`
in your environment.
If you have done those things and are still encountering
this message, please comment in
https://github.com/pypa/setuptools/issues/1458
about the steps that led to this unsupported combination.
************************************************************
sys.version_info < (3,) and warnings.warn(pre + "*" * 60 + msg + "*" * 60)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/harbor.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (harbor.example.com) from /etc/letsencrypt/renewal/harbor.example.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/harbor.example.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/harbor.example.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
当时证书是这样申请的:
certbot certonly --manual --preferred-challenges dns -d harbor.example.com
系统环境:CentOS Linux release 7.4.1708 (Core)
问题原因
当我们使用 --manual 选项,并使用 DNS 质询时,每次都要设置不同的 DNS TXT 记录。
问题就在这里,当我们 certbot renew 时,这是个自动化过程,而 certbot 无法处理这种场景。
解决办法
我们可以使用插件解决这个问题,插件在本质上还是调用 DNS 服务的 API 设置 DNS TXT 记录。
在 CentOS 7.x 中:Cloudflare DNS 可以使用 python2-certbot-dns-cloudflare 插件;Google Cloud DNS 可以使用 python2-certbot-dns-google 创建;DigitalOcean DNS 可以使用 python2-certbot-dns-digitalocean 插件,参考 Welcome to certbot-dns-digitalocean’s documentation! 文档,具体细节不再展开。
我们用的是阿里云的 DNS 管理,那就要使用阿里云的插件:
# 安装 Certbot 和 certbot-dns-aliyun
# 如果使用 Python 2 Certbot 需要自行调整:
pip3.6 install certbot-dns-aliyun
# 前往 https://ram.console.aliyun.com 申请阿里云子账号并授予 AliyunDNSFullAccess 权限
# 创建 AccessKey AccessToken
cat > /etc/letsencrypt/dns-aliyun-credentials.ini <<EOF
certbot_dns_aliyun:dns_aliyun_access_key = 12345678
certbot_dns_aliyun:dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef
EOF
chmod 600 /etc/letsencrypt/dns-aliyun-credentials.ini
certbot certonly \
-a certbot-dns-aliyun:dns-aliyun \
--certbot-dns-aliyun:dns-aliyun-credentials /etc/letsencrypt/dns-aliyun-credentials.ini \
-d harbor.example.com \
相关文章
「Certbot」- 在内网中申请证书的方法
「Certbot」- 安装
「Certbot」- ocsp.int-x3.letsencrypt.org Read timed out
「Certbot」- SERVFAIL looking up CAA for
「Certbot」- ImportError: 'pyOpenSSL' module missing required functionality
参考文献
I can’t renew cert
使用 Certbot 自动申请并续订阿里云 DNS 免费泛域名证书