
I have an NGINX server and I use Certbot to generate a Let's Encrypt certificate. I saw that my certificate was not renewing automatically despite the cron job I had set up. I tried to renew it manually with the command:

```
$ certbot renew --cert-name pbx.info.eu --nginx
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration. The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.').
The requested nginx plugin does not appear to be installed certbot.
```

So I ran this command:

```
$ sudo apt install python3-certbot-nginx
E: The package "python3-certbot-nginx" has no version that can be installed
```

I am on Debian 10 and the version of certbot is 0.31.0.

When I run `certbot renew` I always get the same error message:

```
$ certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/pbx.info.eu
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (pbx.info.eu) from /etc/letsencrypt/renewal/pbx.info.eu produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/pbx.info.eu/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/pbx.info.eu/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
```

Here are the contents of /etc/letsencrypt/renewal/pbx.info.eu.conf:

```
$ cat /etc/letsencrypt/renewal/pbx.info.eu.conf
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/pbx.info.eu
cert = /etc/letsencrypt/live/pbx.info.eu/cert.pem
privkey = /etc/letsencrypt/live/pbx.info.eu/privkey.pem
chain = /etc/letsencrypt/live/pbx.info.eu/chain.pem
fullchain = /etc/letsencrypt/live/pbx.info.eu/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 
pref_challs = dns-01,
authenticator = manual
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory
```
Ekip_DetP
  • You generally don't need any additional parameters for renew. Try just `certbot renew`; will it help? Also, please post what's in the `/etc/letsencrypt/renewal/[certname].conf`, but *mask sensitive details like account ID*. – Nikita Kipriyanov May 11 '22 at 07:24
  • When I do `certbot renew` I already get the error message @NikitaKipriyanov – Ekip_DetP May 11 '22 at 08:00

1 Answer

This configuration looks like you first obtained this certificate using the DNS-01 challenge. Were you doing it by hand? (Errm, what's the point? Let's Encrypt is all about automation.)

Anyway, if you don't need features that are only available using the DNS-01 challenge (e.g. wildcard certificates), you can revert to the HTTP-01 challenge. To do that, remove all references to this certificate and request a new certificate with the same name. This time, make sure you are using the Nginx plugins, both "authenticator" and "installer". This is what is suggested on the Let's Encrypt forum.

Or you can try to set the preferred challenge: `certbot renew --preferred-challenges http --nginx [domain]`. Do this once; it should record that in the renewal file, and follow-up renewals will then work with just `certbot renew`. This looks exactly like your case.

Nikita Kipriyanov
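A check for the condition behind this error, as an added example that is not part of the original question or answer: it reads a Certbot renewal file and reports a lineage whose `[renewalparams]` records `authenticator = manual` with no auth hook, which is the case that expires silently under cron. It assumes the hook is stored under the key `manual_auth_hook` (the underscore form of the `--manual-auth-hook` flag in the error message), uses `configparser` as a stand-in parser, and runs on constructed sample files with a placeholder domain.

```python
import configparser

# Constructed sample, modelled on the renewal file shown in the question.
SAMPLE_MANUAL = """\
# renew_before_expiry = 30 days
version = 0.31.0
cert = /etc/letsencrypt/live/example.test/cert.pem

[renewalparams]
account =
pref_challs = dns-01,
authenticator = manual
server = https://acme-v02.api.letsencrypt.org/directory
"""

# Constructed sample of a lineage that uses the nginx plugin for both roles.
SAMPLE_NGINX = """\
version = 0.31.0

[renewalparams]
authenticator = nginx
installer = nginx
"""


def renewal_problem(conf_text):
    """Return a reason string if this lineage cannot renew unattended, else None."""
    parser = configparser.ConfigParser(interpolation=None)
    # Renewal files start with section-less keys; give them a dummy section.
    parser.read_string("[lineage]\n" + conf_text)
    if not parser.has_section("renewalparams"):
        return "no [renewalparams] section"
    params = parser["renewalparams"]
    auth = params.get("authenticator", "").strip()
    if not auth:
        return "no authenticator recorded"
    # Assumed key name: manual_auth_hook (see the lead-in).
    if auth == "manual" and not params.get("manual_auth_hook", "").strip():
        return "authenticator = manual without manual_auth_hook"
    return None


if __name__ == "__main__":
    import glob
    for path in sorted(glob.glob("/etc/letsencrypt/renewal/*.conf")):
        with open(path) as fh:
            print(path, "->", renewal_problem(fh.read()) or "ok")
```

Run as root on the server, it prints one line per certificate lineage, so a hand-issued certificate can be spotted before its renewal fails.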