Bug: Renewing multiple certificates w/ Certbot: Work-around

I think this is really a bug in Certbot (Linux snap version), but I'm reporting this here because I have a work-around that users may find useful:

In 2021, I created a multi-domain certificate using dns-rfc2136 renewals. That created a "renewal/example.com.conf" file with the following lines:

authenticator = dns-rfc2136
dns_rfc2136_propagation_seconds = 300
dns_rfc2136_credentials = /etc/letsencrypt/credentials/ddns-rfc2136.ini

The above has worked for four years. Early this year, I created another certificate using dns-cloudflare renewals. That created a "renewal/addon.com.conf" file with the following lines:

authenticator = dns-cloudflare
dns_cloudflare_propagation_seconds = 10
dns_cloudflare_credentials = /etc/letsencrypt/credentials/cloudflare.ini

That worked. Until the renewal for both certificates came due last Sunday. Note that "addon.com.conf" appears before "example.com.conf" in the "renewal/" directory, so the certificates were processed in alphabetical order (I don't know if that is pertinent). "addon.com.conf" renewed properly, but Certbot complained:

"Missing command line flag or config entry for this setting:
Input the path to your RFC 2136 credentials INI file"

Even though it had been able to find it in "renewal/example.com.conf" for four years. So, I copied the "dns_rfc2136_credentials" line to the "cli.ini" file & that fixed that.

Then, the renewal for "example.com.conf" failed with a bunch of "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.domain.com" messages, even though "dig" clearly showed that the pertinent lines were in the DNS during the process.

Then I noticed the processing message "Waiting 60 seconds for DNS changes to propagate". I copied the "dns_rfc2136_propagation_seconds = 300" line from "renewal/example.com.conf" to "cli.ini" & that fixed that.

Apparently Certbot is not processing the configuration files for multiple certificates correctly. I suspect that if "addon.com.conf" had sorted after "example.com.conf", I would have had to copy its pertinent configuration options to "cli.ini" as well.

You have been warned!

Correction: The files in the "renewal/" directory end with ".conf". That was inadvertently omitted in my post above.

I corrected those.

Certbot very often has multiple conf files to renew. If this is a bug I doubt that it affects everyone with multiple certificates. There is almost certainly something unusual about your config. Perhaps that you use two different DNS plugins is a part of that. That isn't as common.

Generally, adding options to the cli.ini isn't best unless you really need those settings to be used for all of your certificates. I mention this only to highlight to future readers to be careful about trying that for what they think is a similar problem.

Another work-around, perhaps less elegant, is to set up a new cronjob or timer that renews each cert separately like:

sudo certbot renew --cert-name example.com
sudo certbot renew --cert-name example2.com

It would be helpful for you to post this problem at the EFF's github for Certbot. That will better draw the attention of their developers.
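As an added example (not code from this thread or from Certbot itself), a POSIX shell script that applies the per-certificate renewal work-around above to every conf found in the renewal/ directory, and first checks that each DNS-plugin conf still carries its own credentials line, the setting Certbot reported as missing. It assumes the standard layout /etc/letsencrypt/renewal/<name>.conf (the directory is passed as a parameter) and the dns_<plugin>_credentials key naming shown in the conf lines quoted earlier.

```shell
#!/bin/sh
# Added example: renew each certificate in its own certbot run, reading the
# cert names from the renewal/ directory, after checking that every DNS-plugin
# conf has a matching *_credentials setting. Assumes Certbot's standard
# /etc/letsencrypt/renewal/<name>.conf layout; the directory is a parameter.

# Print the certificate names (conf file names without ".conf"), one per line.
list_cert_names() {
    dir="$1"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        printf '%s\n' "$(basename "$f" .conf)"
    done
}

# Return 0 if the conf's DNS authenticator has its credentials key present,
# e.g. "authenticator = dns-rfc2136" requires "dns_rfc2136_credentials = ...".
# Non-DNS authenticators (webroot, apache, ...) need no credentials file.
check_dns_credentials() {
    conf="$1"
    auth=$(sed -n 's/^authenticator *= *//p' "$conf" | head -n 1)
    case "$auth" in
        dns-*) key="$(printf '%s' "$auth" | tr '-' '_')_credentials" ;;
        *) return 0 ;;
    esac
    grep -q "^$key *= *[^ ]" "$conf"
}

# Renew every certificate with a separate "certbot renew --cert-name" call,
# skipping (and reporting) confs that fail the credentials check.
# Extra arguments after the directory are passed to certbot, e.g. --dry-run.
renew_each() {
    dir="$1"; shift
    rc=0
    for name in $(list_cert_names "$dir"); do
        if ! check_dns_credentials "$dir/$name.conf"; then
            echo "SKIP $name: no DNS credentials setting in $dir/$name.conf" >&2
            rc=1
            continue
        fi
        certbot renew --cert-name "$name" "$@" || rc=1
    done
    return $rc
}
```

Run it from the timer as `renew_each /etc/letsencrypt/renewal --dry-run` first to confirm each conf is picked up with its own plugin settings before switching to a real renewal.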

Using cli.ini can lead to problems if the same variable needs to differ across certificates.

Please open an issue on the Certbot Github repo (GitHub - certbot/certbot: Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.) if you're able.

Oh FFS Mike, ninja-post :rofl:

Thanks! Issue opened on GitHub.