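I have an NGINX server, and I used Certbot to generate a Let's Encrypt certificate. I see that my certificate is not being renewed automatically, even though I have set up a cron job. I tried to renew it manually with this command: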
$ certbot renew --cert-name pbx.info.eu --nginx
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration. The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.').
The requested nginx plugin does not appear to be installed certbot.
So I ran this command:
$ sudo apt install python3-certbot-nginx
E: The package "python3-certbot-nginx" has no version that can be installed
I am on Debian 10, and the certbot version is 0.31.0.
When I run certbot renew, I always get the same error message.
$ certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/pbx.info.eu
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (pbx.info.eu) from /etc/letsencrypt/renewal/pbx.info.eu produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/pbx.info.eu/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/pbx.info.eu/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Here is the content of /etc/letsencrypt/renewal/pbx.info.eu.conf:
$ cat /etc/letsencrypt/renewal/pbx.info.eu.conf
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/pbx.info.eu
cert = /etc/letsencrypt/live/pbx.info.eu/cert.pem
privkey = /etc/letsencrypt/live/pbx.info.eu/privkey.pem
chain = /etc/letsencrypt/live/pbx.info.eu/chain.pem
fullchain = /etc/letsencrypt/live/pbx.info.eu/fullchain.pem
# Options used in the renewal process
[renewalparams]
account =
pref_challs = dns-01,
authenticator = manual
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory

Posted on 2022-05-11 10:26:53
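This configuration looks like you first obtained this certificate using the DNS-01 challenge. Did you do it by hand (errm, what's the point, Let's Encrypt is all about automation)?
Anyway, if you don't need features that are only available with the DNS-01 challenge (e.g. wildcard certificates), you can revert to the HTTP-01 challenge. To do that, remove all references to this certificate and request a new certificate with the same name. This time, make sure you use the Nginx plugin both as the "authenticator" and as the "installer". This is what was suggested on the Let's Encrypt forum.
Or you can try setting the preferred challenge: certbot renew --preferred-challenges http --nginx [domain]. Do this once; it should be recorded in the renewal file, and subsequent renewals will then work with just "certbot renew". This looks exactly like your case.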
https://serverfault.com/questions/1100639
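
An added example, not part of the original question or answer: a check that reads certbot renewal files like the one quoted in the question and reports any that record authenticator = manual with no manual_auth_hook, the combination behind the PluginError shown above. SAMPLE is a constructed, trimmed copy of that file, and the function names and the dummy section name are hypothetical.

```python
import configparser
import glob
import sys

# Constructed sample: a trimmed copy of the renewal file quoted in the question.
SAMPLE = """\
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/pbx.info.eu
[renewalparams]
account =
pref_challs = dns-01,
authenticator = manual
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory
"""

def unattended_renewal_problem(conf_text):
    """Return why this lineage cannot renew from cron, or None if it can."""
    parser = configparser.ConfigParser(interpolation=None)
    # Renewal files begin with section-less keys, which configparser rejects,
    # so wrap them in a dummy section (hypothetical name) before parsing.
    parser.read_string("[lineage]\n" + conf_text)
    if not parser.has_section("renewalparams"):
        return "no [renewalparams] section"
    params = parser["renewalparams"]
    authenticator = params.get("authenticator", "").strip()
    if not authenticator:
        return "no authenticator recorded"
    # The manual plugin needs a hook script to answer challenges unattended.
    if authenticator == "manual" and not params.get("manual_auth_hook", "").strip():
        return "authenticator = manual without manual_auth_hook"
    return None

def audit(pattern="/etc/letsencrypt/renewal/*.conf"):
    """Return {path: problem} for every renewal file that has a problem."""
    findings = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8") as handle:
            problem = unattended_renewal_problem(handle.read())
        if problem:
            findings[path] = problem
    return findings

if __name__ == "__main__":
    results = audit(*sys.argv[1:2])
    for path, problem in results.items():
        print(f"{path}: {problem}")
    sys.exit(1 if results else 0)
```

Run as root from cron or a monitoring job; a non-zero exit status means at least one certificate will fail at its next scheduled renewal.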