Problem
Running certbot renew produces the following error:
# certbot renew
/usr/lib/python2.7/site-packages/pkg_resources/py2_warn.py:22: UserWarning: Setuptools will stop working on Python 2
************************************************************
You are running Setuptools on Python 2, which is no longer supported
and
>>> SETUPTOOLS WILL STOP WORKING <<<
in a subsequent release (no sooner than 2020-04-20).
Please ensure you are installing
Setuptools using pip 9.x or later or pin to `setuptools<45`
in your environment.
If you have done those things and are still encountering
this message, please comment in
https://github.com/pypa/setuptools/issues/1458
about the steps that led to this unsupported combination.
************************************************************
  sys.version_info < (3,) and warnings.warn(pre + "*" * 60 + msg + "*" * 60)
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/harbor.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (harbor.example.com) from /etc/letsencrypt/renewal/harbor.example.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration. The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/harbor.example.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/harbor.example.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
The certificate was originally requested like this:
certbot certonly --manual --preferred-challenges dns -d harbor.example.com
System environment: CentOS Linux release 7.4.1708 (Core)
Cause
When the certificate is requested with --manual and the DNS challenge, a different DNS TXT record has to be published for every validation.
That is the problem: certbot renew runs unattended, and the manual plugin cannot handle that scenario on its own. As the error message says, in non-interactive mode it would need an authentication script supplied via --manual-auth-hook, and the renewal configuration written by the original certonly run has none.
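Because certbot renew only fails once the certificate is actually due, the broken combination (manual authenticator, no auth hook) is worth catching in the renewal configs beforehand. The following check is an added example, not from the original post; it assumes the usual key names in /etc/letsencrypt/renewal/*.conf (`authenticator = manual`, `manual_auth_hook = ...`), and the sample config files it inspects are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: flag certbot renewal configs that use the manual authenticator
# without an auth hook, the combination that made "certbot renew" fail above.
# Assumes the renewal-config key names "authenticator" and "manual_auth_hook".

# Diagnose one renewal config; return 1 if it cannot renew unattended.
check_renewal_conf() {
    conf="$1"
    auth=$(sed -n 's/^authenticator *= *//p' "$conf" | head -n1)
    hook=$(sed -n 's/^manual_auth_hook *= *//p' "$conf" | head -n1)
    if [ "$auth" = "manual" ] && [ -z "$hook" ]; then
        echo "$conf: manual authenticator without manual_auth_hook; unattended renew will fail"
        return 1
    fi
    echo "$conf: ok (authenticator=${auth:-default})"
    return 0
}

# Walk a renewal directory; the return value is the number of broken configs.
check_renewal_dir() {
    failures=0
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        check_renewal_conf "$f" || failures=$((failures + 1))
    done
    return "$failures"
}

# Constructed samples (not read from /etc/letsencrypt): one mirrors the failing
# setup from the post, one uses a DNS plugin as authenticator.
demo_dir=$(mktemp -d)
cat > "$demo_dir/harbor.example.com.conf" <<'EOF'
version = 1.0.0
cert = /etc/letsencrypt/live/harbor.example.com/cert.pem
[renewalparams]
authenticator = manual
pref_challs = dns-01,
EOF
cat > "$demo_dir/good.example.com.conf" <<'EOF'
[renewalparams]
authenticator = certbot-dns-aliyun:dns-aliyun
EOF

check_renewal_dir "$demo_dir" && echo "all configs ok" || echo "broken configs: $?"
```

Point check_renewal_dir at /etc/letsencrypt/renewal to run it against the real configs.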
Solution
We can solve this with a DNS plugin. Under the hood the plugin calls the DNS provider's API to create the DNS TXT record, so the challenge can be completed without a human in the loop.
On CentOS 7.x: Cloudflare DNS can use the python2-certbot-dns-cloudflare plugin; Google Cloud DNS can use python2-certbot-dns-google; DigitalOcean DNS can use the python2-certbot-dns-digitalocean plugin, see the "Welcome to certbot-dns-digitalocean's documentation!" page. The details are not covered here.
We use Alibaba Cloud (Aliyun) DNS, so we need the Aliyun plugin:
# Install Certbot and certbot-dns-aliyun
# (if Certbot runs on Python 2, adjust the pip command accordingly):
pip3.6 install certbot-dns-aliyun

# Go to https://ram.console.aliyun.com, create a RAM sub-account, grant it the
# AliyunDNSFullAccess permission, and create an AccessKey (AccessKey ID + secret)
cat > /etc/letsencrypt/dns-aliyun-credentials.ini <<EOF
certbot_dns_aliyun:dns_aliyun_access_key = 12345678
certbot_dns_aliyun:dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef
EOF
# The file holds a DNS-management credential; restrict it to root
chmod 600 /etc/letsencrypt/dns-aliyun-credentials.ini

certbot certonly \
  -a certbot-dns-aliyun:dns-aliyun \
  --certbot-dns-aliyun:dns-aliyun-credentials /etc/letsencrypt/dns-aliyun-credentials.ini \
  -d harbor.example.com
Related articles
「Certbot」- Requesting certificates on an internal network
「Certbot」- Installation
「Certbot」- ocsp.int-x3.letsencrypt.org Read timed out
「Certbot」- SERVFAIL looking up CAA for
「Certbot」- ImportError: 'pyOpenSSL' module missing required functionality
References
I can’t renew cert
Using Certbot to automatically request and renew a free wildcard certificate with Alibaba Cloud DNS