When moving my existing (and ssl-protected) domains from a shared hoster to my own server (Debian 9 with Apache 2.4.25), I still had my domain (e.g. apps.tempel.org) pointed to the old server, while testing the new server by using a local “hosts” file point to the new server.
In order to get SSL certs for my domains on the new server, I could therefore not use the http-01 auth mode. So I used the “–manual” option instead with the “dns-01” mode. That all worked fine.
Now, however, after moving the public DNS records to the new server, I noticed that the automatic renewal via
certbot renew does not work because it complains:
Attempting to renew cert (apps.tempel.org) from /etc/letsencrypt/renewal/apps.tempel.org.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS… Skipping.
So I figured, instead of attempting to mess with extra plugin setups, I’d just convert my certs to use http-01 because that should work now.
However, I can’t manage to switch from dns to http. Here’s what I’d try:
certbot renew -a apache --dry-run
That worked. But without “–dry-run” (and with “–force-renewal”) I get the above error message.
Same when I try:
certbot --apache certonly -d apps.tempel.org
I suspect that the letsencrypt server still remembers that I’ve previously set up my cert using dns-01 and now refuses to switch over.
Googling the issue I found one post suggesting that the server would forget this after 3 months.
However, what’s the precise time on this? I cannot wait 3 months because then the cert would already have expired. So, hopefully, the time is shorter. But how much?
And does that mean that I’ll have to simply wait for that mode to expire and then I can issue
certbot renew -a apache and it’ll automatically re-issue my certs with http-01 without the above error message?
I’m just a bit worried that if I miss this in 2-3 months, I may end up with a non-functioning website suddenly because the current auto-renew won’t work with the dns challenge. I’d rather fix this sooner than later.
The version of my client is: certbot 0.28.0