Can't renew manually issued certificate (DNS challenge)

My setup is:
certbot 0.40.0
nginx/1.18.0
Ubuntu 20.04.1 LTS

I can’t renew certificate after I successfully generated/validated it by running this command:
certbot -d *.mydomain.com --manual --preferred-challenges dns certonly

When I tried to renew it,…:
certbot renew --dry-run

…I got…:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

…, so I tried to re-install the certificate with:
certbot --nginx -d *.mydomain.com
(I tried both options)

Now after issuing…:
certbot renew --dry-run

…I get still the same error:
Client with the currently selected authenticator…

What should I do to fix it?

Thank you!

1 Like

Hi @Jiri-Mihal

use your original command. You can’t run --manual without a script that creates the required dns entries.

1 Like

Hi @JuergenAuer,

thank you for your help.

When I run…:
certbot -d *.mydomain.com --manual --preferred-challenges dns certonly
…or…:
certbot --nginx -d *.mydomain.com

…I can successfully (re)generate certificate. How can I auto-regenerate it? The commands above require some user inputs so they can’t be used in cron job.

1 Like

It’s strictly depends on your actual DNS providers.
If they provide a mechanism to automatically update records and you have a script that can be used to do so, you can specify it in the two hooks --manual-auth-hook --manual-cleanup-hook.
Once you specifly these hooks, you can use sudo certbot renew to automatcailly renew this certificate.

1 Like

By using something that is not --manual (or using it with the proper hooks)

It seems that once a certificate is issued with…

…It doesn’t help to re-create it with…

…to auto-renew it in the future. So the only solution could be to use hooks, which is a pain.

You can’t create a wildcard certificate with the --nginx authenticator. You need a dns authenticator.

1 Like

Are you sure? When I run it, I don’t see any problem.

$ certbot --nginx -d *.mydomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/mydomain.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate

Which server blocks would you like to modify?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: File: /etc/nginx/sites-enabled/api.mydomain.com
Addresses: 443 ssl
Names: api.mydomain.com
HTTPS: Yes

2: File: /etc/nginx/sites-enabled/www.mydomain.com
Addresses: 443 default_server ssl
Names: www.mydomain.com
HTTPS: Yes

3: File: /etc/nginx/sites-enabled/www.mydomain.com
Addresses: 443 ssl
Names: mydomain.com
HTTPS: Yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/api.mydomain.com
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/www.mydomain.com
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/www.mydomain.com

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Future versions of Certbot will automatically configure the webserver so that all requests redirect to secure HTTPS access. You can control this behavior and disable this warning with the --redirect and --no-redirect flags.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://*.mydomain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=*.mydomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mydomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mydomain.com/privkey.pem
   Your cert will expire on 2020-10-29. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Please read the basics and the FAQ.

Do you have some link to something specific or should I read complete basics and FAQs? Thank you.

Let’s Encrypt does not allow issuing wildcard certificate via HTTP/TLS validation.
It might be possible to do so because you are attempting to renew the certificate while previous challenges are still valid (the challenge has a lifespan for each succeed validation, so if you need to renew in a really short period like an hour or so, you don’t need any new validation)

@Jiri-Mihal: This is why you should use --dry-run when trying if something works. It’s more reproducible, as it invalidates previous challenges before running (on the test server, your production challenges are safe).

1 Like