# renew_before_expiry = 30 days
version = 2.7.4
archive_dir = /etc/letsencrypt/archive/miharu.dedyn.io
cert = /etc/letsencrypt/live/miharu.dedyn.io/cert.pem
privkey = /etc/letsencrypt/live/miharu.dedyn.io/privkey.pem
chain = /etc/letsencrypt/live/miharu.dedyn.io/chain.pem
fullchain = /etc/letsencrypt/live/miharu.dedyn.io/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = MYID
authenticator = dns-desec
server = https://acme-v02.api.letsencrypt.org/directory
rsa_key_size = 4096
dns_desec_credentials = /etc/letsencrypt/.secrets/miharu.dedyn.io.ini
key_type = rsa
reuse_key = True
hmm...
Try:
certbot certonly --cert-name miharu.dedyn.io --force-renewal
need a wildcard one, so using *.miharu.dedyn.io?
So, this is a new cert?
What shows?
certbot certificates
--force-renewal implies a renewal.
Which implies that there must already exist a cert.
Found the following certs:
Certificate Name: miharu.dedyn.io
Serial Number: 37e826f071bba4a918b9b636f4acba7e990
Key Type: RSA
Domains: *.miharu.dedyn.io miharu.dedyn.io
Expiry Date: 2024-01-23 08:10:55+00:00 (VALID: 80 days)
Certificate Path: /etc/letsencrypt/live/miharu.dedyn.io/fullchain.pem
Private Key Path: /etc/letsencrypt/live/miharu.dedyn.io/privkey.pem
certbot --dry-run certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
1: Obtain certificates using a DNS TXT record (if you are using deSEC.io for
DNS). (dns-desec)
2: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
3: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A seperate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): c
authenticator could not be determined or is not installed
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
weird
That cert includes a wildcard entry.
certbot certonly --cert-name miharu.dedyn.io --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
1: Obtain certificates using a DNS TXT record (if you are using deSEC.io for
DNS). (dns-desec)
2: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
3: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A seperate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)
Select the appropriate number [1-3] then [enter] (press 'c' to cancel):
which number?
Use number: 1
never faced these kinds of questions in the past
Renewing an existing certificate for *.miharu.dedyn.io and miharu.dedyn.io
Unable to change the --key-type of this certificate because --reuse-key is set. To stop reusing the private key, specify --no-reuse-key. To change the private key this one time and then reuse it in future, add --new-key.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
You probably didn't force a renewal
Try it with all this:
certbot certonly --cert-name miharu.dedyn.io \
--key-type rsa --rsa-key-size 4096 --force-renewal
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/miharu.dedyn.io/fullchain.pem
Key is saved at: /etc/letsencrypt/live/miharu.dedyn.io/privkey.pem
This certificate expires on 2024-02-01.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
so now what about the automation and the reuse stuff?
It should renew with just:
certbot renew
The
is something you must have set [previously].
If you don't need to reuse the same cert key [over and over], you can change that to "False".
Other than choosing "1", did you have to enter/choose anything else?
root@pihole[~] # certbot --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
broken
Please stop using force!
If you want to TEST, then TEST.
Doing a force renew is issuing a new cert - not testing if one can be issued.
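
Added example, not part of the thread and not Certbot's own code: a read-only check of a renewal file like the one quoted at the top, flagging the settings discussed above (saved authenticator, reuse_key, and a requested key type that conflicts with a reused key) without issuing a certificate. The function names and finding codes are hypothetical, and the key type comparison assumes the stored key_type describes the existing private key.

```python
import configparser

# Constructed sample, modelled on the renewal file quoted at the top of the thread.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 2.7.4
privkey = /etc/letsencrypt/live/miharu.dedyn.io/privkey.pem
[renewalparams]
authenticator = dns-desec
server = https://acme-v02.api.letsencrypt.org/directory
rsa_key_size = 4096
dns_desec_credentials = /etc/letsencrypt/.secrets/miharu.dedyn.io.ini
key_type = rsa
reuse_key = True
"""

def load_renewal_conf(text):
    """Parse renewal-file text; keys above [renewalparams] go into a synthetic [top]."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string("[top]\n" + text)
    return parser

def audit_renewal_conf(text, requested_key_type=None):
    """Return findings (hypothetical codes) for the settings discussed in the thread."""
    conf = load_renewal_conf(text)
    if not conf.has_section("renewalparams"):
        return ["NO_PARAMS: no [renewalparams] section, nothing saved for renewal"]
    params = conf["renewalparams"]
    findings = []
    if not params.get("authenticator"):
        findings.append("NO_AUTHENTICATOR: no challenge plugin saved for renewal")
    reuse = params.getboolean("reuse_key", fallback=False)
    if reuse:
        findings.append("REUSE_KEY: the same private key is kept across renewals")
    stored = params.get("key_type")
    # Assumption: the stored key_type describes the existing private key.
    if reuse and requested_key_type and stored and requested_key_type != stored:
        findings.append(
            f"KEY_TYPE_CONFLICT: {requested_key_type} requested, {stored} key is "
            "reused; needs --new-key or --no-reuse-key"
        )
    return findings

if __name__ == "__main__":
    for line in audit_renewal_conf(SAMPLE_CONF, requested_key_type="ecdsa"):
        print(line)
```

For an actual issuance test against the CA, `certbot renew --dry-run` uses the staging environment and leaves the live certificate untouched.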