Certbot ALWAYS fails on update

My domain is:
*.zone.co.za *.zonemail.co.za

I ran this command:
certbot certonly -d *.zone.co.za -d *.zonemail.co.za --force-renewal --standalone --pre-hook "systemctl stop apache-tomcat" --post-hook "systemctl start apache-tomcat" --renew-hook "/root/update-tomcat-cert.sh"

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): *.zone.co.za *.zonemail.co.za
Running pre-hook command: systemctl stop apache-tomcat
Renewing an existing certificate for *.zone.co.za and *.zonemail.co.za
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Running post-hook command: systemctl start apache-tomcat
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

My web server is (include version):
apache2_2.4.29-1ubuntu4.10_amd64.deb
Apache Tomcat/9.0.24

The operating system my web server runs on is (include version):
11.0.10+9-Ubuntu-0ubuntu1.20.04

My hosting provider, if applicable, is:
Linode/selfmanaged

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.13.0

DNS entries:
_acme-challenge.zone.co.za. TXT "thwpxlV-HXtOkRrdn1rWnq5Q8UNnSEOvgPqXNnJ9xkU"
_acme-challenge.zonemail.co.za. TXT "xMMJE8hTgAvhY9ElBZFULtq49g1Bxy5yAUg3Xx44jeU"
_acme-challenge.zonemail.co.za. TXT "Cy4xsvOs5R-cTAGqxupgQmA6qmGEYcHELo2MaY3tnrk"

1 Like

Hello. 🙂

Wildcard certificates always require using an authenticator that supports the dns-01 challenge, which the standalone authenticator does not. The _acme-challenge DNS TXT records are only used once for authenticating domain control and can therefore be removed after a certificate is issued because they will never be used again.

Please try the following command instead (which requires manual creation and removal of the _acme-challenge DNS TXT records):

sudo certbot certonly --manual --preferred-challenges dns -d "zone.co.za,*.zone.co.za,zonemail.co.za,*.zonemail.co.za" --deploy-hook "/root/update-tomcat-cert.sh"

PS - Please be sure to give the DNS TXT records enough time to propagate after creating them so that the Let's Encrypt servers can successfully retrieve them to verify domain control. You can use dig to check for the existence of the DNS TXT records.

2 Likes
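The reply above suggests checking with dig that the _acme-challenge TXT records have propagated before letting certbot proceed. The script below is an added example, not code from this thread or from Certbot: it polls a public resolver until every expected token is visible, so the --manual prompt is only answered once the records can actually be seen. It assumes dig is installed and that 1.1.1.1 is reachable (override with RESOLVER); the token values in the usage line are whatever certbot displays at its prompt.

```shell
#!/bin/sh
# Added example: poll a public resolver until every expected
# _acme-challenge TXT token is visible, so the certbot --manual dns-01
# prompt is only answered once Let's Encrypt can actually see the records.
# Assumptions: dig is installed; 1.1.1.1 is reachable (override RESOLVER).
set -eu

RESOLVER="${RESOLVER:-1.1.1.1}"
TIMEOUT_SEC="${TIMEOUT_SEC:-300}"
POLL_SEC="${POLL_SEC:-15}"

# Print the TXT values for a name, one per line with the quotes removed.
# DIG_CMD can point at a stand-in so the logic runs without network access.
lookup_txt() {
    "${DIG_CMD:-dig}" +short TXT "$1" "@$RESOLVER" | tr -d '"'
}

# Succeed only if $2 is present as a complete TXT value of $1 (exact match,
# so a stale token from an earlier run or a prefix is not mistaken for it).
token_visible() {
    lookup_txt "$1" | grep -qxF -- "$2"
}

# Poll until the token is visible or TIMEOUT_SEC elapses (return 1 on timeout).
wait_for_token() {
    name=$1
    token=$2
    deadline=$(( $(date +%s) + TIMEOUT_SEC ))
    until token_visible "$name" "$token"; do
        if [ "$(date +%s)" -ge "$deadline" ]; then
            echo "timeout: $name does not yet serve $token" >&2
            return 1
        fi
        sleep "$POLL_SEC"
    done
    echo "ok: $name serves $token"
}

# Usage: wait_for_all NAME TOKEN [NAME TOKEN ...]; stops at the first timeout.
wait_for_all() {
    while [ $# -ge 2 ]; do
        wait_for_token "$1" "$2" || return 1
        shift 2
    done
}

# e.g. ./wait-acme-txt.sh _acme-challenge.zone.co.za <token-shown-by-certbot>
if [ $# -ge 2 ]; then
    wait_for_all "$@"
fi
```

For a base domain plus its wildcard (as in the command above), two tokens are served under the same _acme-challenge name, so pass that name twice with each token.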

Thanks a lot! It solved the issue!
I was getting frustrated because every 89 days I have trouble updating them!

2 Likes
1. If manually updating things, you might want to leave yourself a margin of error in case you run into trouble. Rather than updating every 89 days, you might want to update every 60 or so. (Some people do something like put a reminder on their calendar for the first Wednesday of every other month and things like that.)
2. The actual point of certbot is to completely automate everything, and usually that's a better approach than needing to run commands manually every couple of months. Depending on your DNS provider there may be a plugin for certbot that lets it update the DNS records for you, or there are tools like acme-dns where you can delegate the challenge record to this software, which certbot can then hook into to respond that you do own the domain.

3 Likes

Thank you, I will check this out

2 Likes