Can't switch from dns-01 to http-01 challenge

When moving my existing (and ssl-protected) domains from a shared hoster to my own server (Debian 9 with Apache 2.4.25), I still had my domain (e.g. apps.tempel.org) pointed to the old server, while testing the new server by using a local "hosts" file point to the new server.

In order to get SSL certs for my domains on the new server, I could therefore not use the http-01 auth mode. So I used the "--manual" option instead with the "dns-01" mode. That all worked fine.

Now, however, after moving the public DNS records to the new server, I noticed that the automatic renewal via certbot renew does not work because it complains:

Attempting to renew cert (apps.tempel.org) from /etc/letsencrypt/renewal/apps.tempel.org.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.. Skipping.

So I figured, instead of attempting to mess with extra plugin setups, I'd just convert my certs to use http-01 because that should work now.

However, I can't manage to switch from dns to http. Here's what I'd try:

certbot renew -a apache --dry-run

That worked. But without "--dry-run" (and with "--force-renewal") I get the above error message.

Same when I try:

certbot --apache certonly -d apps.tempel.org

I suspect that the letsencrypt server still remembers that I've previously set up my cert using dns-01 and now refuses to switch over.

Googling the issue I found one post suggesting that the server would forget this after 3 months.

However, what's the precise time on this? I cannot wait 3 months because then the cert would already have expired. So, hopefully, the time is shorter. But how much?

And does that mean that I'll have to simply wait for that mode to expire and then I can issue certbot renew -a apache and it'll automatically re-issue my certs with http-01 without the above error message?

I'm just a bit worried that if I miss this in 2-3 months, I may end up with a non-functioning website suddenly because the current auto-renew won't work with the dns challenge. I'd rather fix this sooner than later.

The version of my client is: certbot 0.28.0

Hi @tempelorg

First step: what does this show?

certbot certificates

Then use --cert-name to overwrite your existing certificate, with the complete command:

certbot -d apps.tempel.org --cert-name "yourcertname" --preferred-challenges http -a apache -i apache

Hello Jürgen,

certbot certificates shows (there are more certs below that):

Found the following certs:
  Certificate Name: apps.tempel.org
    Domains: apps.tempel.org
    Expiry Date: 2020-12-11 15:42:45+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/apps.tempel.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/apps.tempel.org/privkey.pem

On the 2nd command, I guess I should choose “Renew & replace”, not “Attempt to reinstall…”, right?

Yes. Normally you shouldn't create certificates daily, but one time it's ok, to see if the certificate is created with -a apache.

Same issue:

certbot -d apps.tempel.org --cert-name "apps.tempel.org" --preferred-challenges http -a apache -i apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/apps.tempel.org.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

Curious. Is that Certbot version buggy?

0.28 is old; check if there is an update.

Or share / edit your config file.
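One way to find which renewal configs are still stuck in the manual dns-01 state that produces the error above, as an added example that is not part of the thread (the sample configs it writes are constructed placeholders, not files from the poster's server):

```shell
#!/bin/sh
# Added example (not from the thread): audit certbot renewal configs and flag those
# whose [renewalparams] still say "authenticator = manual" with a dns-01 preference,
# the state that makes unattended 'certbot renew' fail. Assumed: configs live in
# /etc/letsencrypt/renewal/<name>.conf and use certbot's own key names.
set -eu

# Print "<authenticator> <pref_challs>" from one conf's [renewalparams]; "-" if absent.
renewal_params() {
    awk -F' *= *' '
        /^\[/ { sect = $0 }
        sect == "[renewalparams]" && $1 == "authenticator" { auth = $2 }
        sect == "[renewalparams]" && $1 == "pref_challs"   { pc = $2 }
        END { printf "%s %s\n", (auth == "" ? "-" : auth), (pc == "" ? "-" : pc) }
    ' "$1"
}

# Exit 0 when the conf still relies on a manual dns-01 challenge.
uses_manual_dns() {
    set -- $(renewal_params "$1")
    case "$1:$2" in
        manual:*dns-01*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Report every conf in a renewal directory (default: the live certbot one).
audit_renewal_dir() {
    rdir="${1:-/etc/letsencrypt/renewal}"
    for conf in "$rdir"/*.conf; do
        [ -f "$conf" ] || continue
        if uses_manual_dns "$conf"; then
            echo "MIGRATE $(basename "$conf" .conf): $(renewal_params "$conf")"
        else
            echo "ok      $(basename "$conf" .conf): $(renewal_params "$conf")"
        fi
    done
}

# Constructed sample configs (placeholders, not files from the poster's server).
make_demo_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'version = 0.28.0' '[renewalparams]' 'authenticator = manual' \
        'account = ACCOUNT_ID_PLACEHOLDER' 'pref_challs = dns-01,' > "$d/apps.tempel.org.conf"
    printf '%s\n' 'version = 0.28.0' '[renewalparams]' 'authenticator = apache' \
        'installer = apache' 'account = ACCOUNT_ID_PLACEHOLDER' > "$d/migrated.example.conf"
    echo "$d"
}

audit_renewal_dir "$(make_demo_dir)"
```

Run it with `audit_renewal_dir` and no argument against the real `/etc/letsencrypt/renewal` to see which certs need the `--preferred-challenges http -a apache` re-issue before their expiry.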

According to this I have the latest version:

# apt-get upgrade certbot
Reading package lists... Done
Building dependency tree       
Reading state information... Done
certbot is already the newest version (0.28.0-1~deb9u2).

Which config file do you mean?

If I remember correctly, this is indeed a bug in that older version.

So, why does apt tell me I have the latest version, then? Do I need to build from source? The letsencrypt docs suggest that for Debian, apt-get is the way to go.

update apt repository info first:
apt-get update
then
apt-get install certbot
or
apt-get upgrade certbot

I did that already. Are you saying that when you try this on a debian system, you’ll get something newer?

Which version?

[you might have to switch to certbot-auto]

All here:

root@digitalocean1:~# apt-get update
Hit:1 http://security.debian.org stretch/updates InRelease
Ign:2 http://mirrors.digitalocean.com/debian stretch InRelease
Hit:3 https://packages.sury.org/php stretch InRelease
Get:4 http://mirrors.digitalocean.com/debian stretch-updates InRelease [93.6 kB]
Ign:5 http://download.webmin.com/download/repository sarge InRelease
Hit:6 http://mirrors.digitalocean.com/debian stretch Release
Hit:7 http://apt.postgresql.org/pub/repos/apt stretch-pgdg InRelease
Hit:8 http://download.webmin.com/download/repository sarge Release
Fetched 93.6 kB in 0s (181 kB/s)
Reading package lists... Done
root@digitalocean1:~# apt-get upgrade certbot
Reading package lists... Done
Building dependency tree
Reading state information... Done
certbot is already the newest version (0.28.0-1~deb9u2).
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@digitalocean1:~# uname -a
Linux digitalocean1.tempel.org 4.9.0-13-amd64 #1 SMP Debian 4.9.228-1 (2020-07-05) x86_64 GNU/Linux

OK that settles it.
There is no newer version for you.

I would try using certbot-auto
[you don’t have to remove certbot, nor should you have to take any special steps/precautions]
[other than, once you do switch to certbot-auto (if that works), you should NOT go back and forth - pick one]


And also (but I’m not too familiar with it) there is a snaps install for certbot as well.
[which may provide a newer version for you]

See: https://snapcraft.io/certbot
[deb 9 is supported]

Alright. Got certbot-auto installed.

Now one more question, if I may:

When I made the certs via dns-01, I had not realized that I could get one for all domains. Now I have four separate ones. I’d like to merge them all into one. Can I use the command JuergenAuer suggested in order to update one of the four with all four domains, and then remove the other three?

I don’t see the command he suggested.
But, yes, you can get a cert with multiple names on it simply by including multiple names on the same request.
Example (abbreviated):
certbot -d domain.one = 1 cert
certbot -d domain.two = another cert
certbot -d domain.one -d domain.two = 1 cert [with both names on it]

then you can review the certs you have and the names that each one covers with:
certbot certificates
From that list you can update the cert files used (and restart your web server)
Then you can delete any certs that are no longer used/needed.


As for my second suggestion: install certbot via snaps
That is a little bit more tricky as they would both have the same name:

  • old certbot 0.28.0 = “certbot” (/usr/bin/certbot ?)
  • new snaps certbot 1.8.0 = “certbot” (/snap/bin/certbot)

So if you do decide to try that out, I would recommend removing the old certbot first.

#I wrote that for everyone else who may read this - don’t feel so special - LOL#

Alright. Thanks for both your efforts and quick help. I have it all working nicely now again.

And if you want a free license of one of my apps (in case you’re using a Mac), feel free to contact me :wink:


I’m glad to hear that all is working. :slight_smile:

But don’t forget to:

  • update the renewal job to use certbot-auto (instead of certbot)
    [this may require looking at cron jobs and systemd timers - choose only one (if both exist)]
  • remove certbot (if no longer needed - can’t see why you would need it)