A few months ago I published the post 《申请免费的 Let's Encrypt 通配符 SSL/TLS 证书》 (Applying for a free Let's Encrypt wildcard SSL/TLS certificate). Now, a little over two months later, I received an email from Let's Encrypt reminding me that the certificate is due for renewal.

I assumed I could simply run certbot-auto renew and be done with it, but the command failed. The output was:

[root@VM_0_10_centos ~]# certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/yangdx.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (yangdx.com) from /etc/letsencrypt/renewal/yangdx.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/yangdx.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/yangdx.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

The key line is: An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.

The cause: the certificate was originally issued with the manual plugin in interactive mode (I added the DNS TXT record by hand at the prompt), and the renewal config /etc/letsencrypt/renewal/yangdx.com.conf recorded "authenticator = manual" with no hooks. certbot-auto renew runs non-interactively, so there is nobody to enter the record, and certbot refuses rather than guess. A wildcard certificate can only be validated with the DNS-01 challenge, so the renewal cannot be switched to the HTTP challenge either; the fix is to give certbot a --manual-auth-hook script (and normally a --manual-cleanup-hook) that creates, and afterwards removes, the _acme-challenge TXT record through the DNS provider's API. certbot passes the name being validated and the value to put in the record to the hook in the CERTBOT_DOMAIN and CERTBOT_VALIDATION environment variables. Once a certificate has been obtained with the hooks, certbot stores the hook commands in the renewal config, and from then on certbot-auto renew works unattended.

On GitHub I found a plugin someone else has already written: https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au

At the time of writing the plugin supports Alibaba Cloud DNS, Tencent Cloud DNS, Huawei Cloud DNS and GoDaddy, none of which have an official certbot DNS plugin.

See the link above for usage instructions; I will not repeat them here.
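For readers who prefer a hook they can audit over a third-party plugin, the following script is an added example of the --manual-auth-hook / --manual-cleanup-hook mechanism described above. It is not code from the original post or from the linked plugin. Instead of the plugin's own API client it shells out to the Alibaba Cloud aliyun CLI, and it assumes (none of this is on the page) that the CLI is installed and configured with a RAM access key limited to the two record actions it calls, that jq and dig are on PATH, and a hypothetical list of zones the key is allowed to edit (yangdx.com plus a constructed example.net). certbot runs hook commands through the shell, so the same file serves as both hooks with "auth" or "cleanup" as its argument. Because certbot executes the hook as root, keep the file root-owned with mode 700 and never world-writable; the zone allow-list means a wrong or tampered renewal config cannot make the key write records into some other zone, and the script only returns to certbot once every authoritative name server of the zone serves the TXT value, which is the usual reason unattended DNS-01 renewals fail.

```shell
#!/bin/sh
# acme-dns-hook.sh: DNS-01 auth/cleanup hook for certbot's manual plugin.
#
# Added example, not code from the original post or from the plugin it links to.
# Assumptions (not from the page): the Alibaba Cloud `aliyun` CLI is installed and
# configured with a RAM key that may only add/delete DNS records, and `jq` and
# `dig` are on PATH. Replace the two aliyun_* functions for another provider.
#
# Issue (or re-issue) the certificate once with the hooks so certbot stores them
# in /etc/letsencrypt/renewal/<name>.conf; after that `certbot-auto renew` works:
#   certbot-auto certonly --manual --preferred-challenges dns \
#     --manual-auth-hook    '/root/acme-dns-hook.sh auth' \
#     --manual-cleanup-hook '/root/acme-dns-hook.sh cleanup' \
#     -d yangdx.com -d '*.yangdx.com'
set -eu

ZONES="yangdx.com example.net"     # zones this key is allowed to edit (constructed list)
STATE_DIR=/var/lib/acme-dns-hook   # root-only dir holding RecordIds to delete later

# find_zone FQDN: print the longest configured zone that FQDN belongs to ("" if none).
# Anything outside ZONES is refused, so a bad renewal config cannot touch other zones.
find_zone() {
  fqdn=$1 best=""
  for z in $ZONES; do
    case "$fqdn" in
      "$z"|*".$z") [ ${#z} -gt ${#best} ] && best=$z ;;
    esac
  done
  printf '%s\n' "$best"
}

# challenge_rr FQDN ZONE: the TXT owner name relative to ZONE. certbot is expected
# to pass wildcard names without the leading "*."; the strip here is defensive.
challenge_rr() {
  fqdn=${1#\*.} zone=$2
  if [ "$fqdn" = "$zone" ]; then
    printf '_acme-challenge\n'
  else
    printf '_acme-challenge.%s\n' "${fqdn%.$zone}"
  fi
}

# Provider calls. AddDomainRecord answers with JSON containing the new RecordId.
aliyun_add_txt() {      # zone rr value -> RecordId on stdout
  aliyun alidns AddDomainRecord --DomainName "$1" --RR "$2" --Type TXT --Value "$3" \
    | jq -r .RecordId
}
aliyun_del_record() {   # RecordId
  aliyun alidns DeleteDomainRecord --RecordId "$1" >/dev/null
}

# Let's Encrypt asks the authoritative servers, so do not return to certbot
# until every NS of the zone serves the value (at most ~2.5 min per server).
wait_for_txt() {        # zone name value
  for ns in $(dig +short NS "$1"); do
    i=0
    until dig +short TXT "$2" "@$ns" | grep -Fq "\"$3\""; do
      i=$((i + 1))
      [ "$i" -lt 30 ] || { echo "timeout: $2 not visible on $ns" >&2; return 1; }
      sleep 5
    done
  done
}

main() {
  domain=${CERTBOT_DOMAIN:?set by certbot}
  value=${CERTBOT_VALIDATION:?set by certbot}
  zone=$(find_zone "$domain")
  [ -n "$zone" ] || { echo "refusing: $domain is not in a managed zone" >&2; exit 1; }
  rr=$(challenge_rr "$domain" "$zone")
  state="$STATE_DIR/$rr.$zone.ids"   # one file per name: apex and wildcard share it
  case $1 in
    auth)
      mkdir -p "$STATE_DIR" && chmod 700 "$STATE_DIR"
      aliyun_add_txt "$zone" "$rr" "$value" >>"$state"
      wait_for_txt "$zone" "$rr.$zone" "$value"
      ;;
    cleanup)
      [ -f "$state" ] || exit 0   # second cleanup call: first one already removed both
      while read -r id; do aliyun_del_record "$id"; done <"$state"
      rm -f "$state"
      ;;
  esac
}

case "${1:-}" in auth|cleanup) main "$1" ;; esac
```

When a certificate covers both yangdx.com and *.yangdx.com, certbot calls the auth hook once per name and both challenges land on the same _acme-challenge.yangdx.com owner, so the script appends every RecordId to one state file and the cleanup hook deletes all of them; the second cleanup call finds nothing left and exits quietly. Test the whole chain with --dry-run against the staging environment before relying on the cron or systemd timer that certbot-auto installs.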