My setup is:
certbot 0.40.0
nginx/1.18.0
Ubuntu 20.04.1 LTS
I can’t renew certificate after I successfully generated/validated it by running this command: certbot -d *.mydomain.com --manual --preferred-challenges dns certonly
When I tried to renew it,…: certbot renew --dry-run
…I got…:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
…, so I tried to re-install the certificate with: certbot --nginx -d *.mydomain.com
(I tried both options)
Now after issuing…: certbot renew --dry-run
…I get still the same error:
Client with the currently selected authenticator…
When I run…: certbot -d *.mydomain.com --manual --preferred-challenges dns certonly
…or…: certbot --nginx -d *.mydomain.com
…I can successfully (re)generate the certificate. How can I auto-regenerate it? The commands above require some user input, so they can’t be used in a cron job.
It strictly depends on your actual DNS provider.
If they provide a mechanism to automatically update records and you have a script that can be used to do so, you can specify it in the two hooks --manual-auth-hook and --manual-cleanup-hook.
Once you specify these hooks, you can use sudo certbot renew to automatically renew this certificate.
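An added example of the hook approach described above (not code from this thread or from certbot): one POSIX sh script that acts as both --manual-auth-hook and --manual-cleanup-hook, publishing the _acme-challenge TXT record, waiting until it is visible, and removing it afterwards. The name dns_provider_api is a hypothetical placeholder for your provider's record API; CERTBOT_DOMAIN, CERTBOT_VALIDATION and CERTBOT_AUTH_OUTPUT are the variables certbot itself exports to manual hooks.

```shell
#!/bin/sh
# Added example, not from the thread: one script serving as both the
# --manual-auth-hook and --manual-cleanup-hook for a DNS-01 challenge.
# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the auth hook
# and additionally CERTBOT_AUTH_OUTPUT (stdout of auth) to cleanup.
# dns_provider_api is a hypothetical placeholder for your provider's API.
# Issue once with the hooks; `certbot renew` then reuses them from the
# saved renewal config (--manual-public-ip-logging-ok skips the prompt):
#   certbot certonly --manual --preferred-challenges dns -d '*.mydomain.com' \
#     --manual-public-ip-logging-ok \
#     --manual-auth-hook "/usr/local/bin/acme-dns-hook.sh auth" \
#     --manual-cleanup-hook "/usr/local/bin/acme-dns-hook.sh cleanup"

# TXT record the CA queries: _acme-challenge.<base domain>. Certbot passes
# the base domain for a wildcard; strip a leading "*." anyway.
acme_record_name() {
    echo "_acme-challenge.$(printf '%s' "$1" | sed 's/^\*\.//')"
}

# Poll a public resolver until the value is visible so validation is not
# requested before propagation; fail the challenge after MAX_TRIES tries.
wait_for_txt() {
    name="$1"; value="$2"; tries=0; max="${MAX_TRIES:-30}"
    while [ "$tries" -lt "$max" ]; do
        dig +short TXT "$name" @1.1.1.1 | grep -Fq "\"$value\"" && return 0
        tries=$((tries + 1)); sleep 10
    done
    echo "TXT $name not visible after $max tries" >&2
    return 1
}

# Hypothetical provider call; replace the body with your DNS API client.
dns_provider_api() { echo "dns_provider_api $*" >&2; }

case "${1:-}" in
    auth)
        name="$(acme_record_name "$CERTBOT_DOMAIN")"
        dns_provider_api add "$name" TXT "$CERTBOT_VALIDATION"
        wait_for_txt "$name" "$CERTBOT_VALIDATION"
        echo "$name"   # becomes CERTBOT_AUTH_OUTPUT for the cleanup run
        ;;
    cleanup)
        dns_provider_api delete "$CERTBOT_AUTH_OUTPUT" TXT "$CERTBOT_VALIDATION"
        ;;
esac
```

Verify the result with certbot renew --dry-run before relying on cron, since the dry run forces a fresh challenge instead of reusing a still-valid authorization.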
Are you sure? When I run it, I don’t see any problem.
$ certbot --nginx -d *.mydomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/mydomain.com.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Which server blocks would you like to modify?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: File: /etc/nginx/sites-enabled/api.mydomain.com
Addresses: 443 ssl
Names: api.mydomain.com
HTTPS: Yes
2: File: /etc/nginx/sites-enabled/www.mydomain.com
Addresses: 443 default_server ssl
Names: www.mydomain.com
HTTPS: Yes
3: File: /etc/nginx/sites-enabled/www.mydomain.com
Addresses: 443 ssl
Names: mydomain.com
HTTPS: Yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/api.mydomain.com
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/www.mydomain.com
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/www.mydomain.com
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Future versions of Certbot will automatically configure the webserver so that all requests redirect to secure HTTPS access. You can control this behavior and disable this warning with the --redirect and --no-redirect flags.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your existing certificate has been successfully renewed, and the new certificate
has been installed.
The new certificate covers the following domains: https://*.mydomain.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=*.mydomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mydomain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mydomain.com/privkey.pem
Your cert will expire on 2020-10-29. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Let’s Encrypt does not allow issuing a wildcard certificate via HTTP/TLS validation.
It might be possible here because you are attempting to renew the certificate while the previous challenges are still valid (each successful validation has a lifespan, so if you need to renew within a really short period, like an hour or so, you don’t need any new validation).
@Jiri-Mihal: This is why you should use --dry-run when testing whether something works. It's more reproducible, as it invalidates previous challenges before running (on the test server, your production challenges are safe).
For everyone who is looking for a simple solution to the issue with the renewal of manually issued wildcard certificates:
There is no simple way to automatically renew wildcard certificates - you have to use hooks. So if you can, create a new certificate for every sub-domain with a pre-defined authenticator = much easier.
Create a new certificate with pre-defined authenticator e.g.: certbot --nginx -d www.mydomain.com
Delete the original wildcard certificate: certbot delete