Certbot renew with multiple authenticator methods


#1

Hello,

I started creating multiple certificates with certbot-auto (latest version) using the webroot authenticator. Creation and renewal work fine.

A few weeks ago, we also started to create wildcard certificates using route53 DNS plugin. This also works fine.

All is automated through scripts using a specific certbot.ini file for each challenge (one for webroot certs and one for dns certs)

But now comes the time to renew these wildcard certificates and with our standard renew script, we get the following error :

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

This is normal, as renew is configured to use webroot and wildcards need the Route53 DNS challenge.

If I create a new renew script using the correct ini file (as I do when creating certs), it works.
The problem is that these scripts logically generate errors for certs not using the specified challenge.

Is there any way to tell certbot which challenge to use for each domain in a single script?

Thank you for your help,

Fred


#2

When Certbot issues a certificate, it saves all of the settings in /etc/letsencrypt/renewal/ (or whatever directory you use).

If you later run “certbot renew”, it will do everything correctly.

Can you explain what commands you’re using to create certificates and to renew them?

If you’re trying to renew them with “certbot renew”, try doing it without passing any -c or --config options, or just using a shorter config file that doesn’t force specific plugins or preferred challenges.

Edit: Are you using --csr?


#3

Thank you very much, Matt

I didn’t know that renew was using the authenticator stored in renewal folder.
So my certbot.ini (used to generate and renew certs) was configured with webroot, also for renew.

I just removed this parameter from the config file and added it directly to the command line for certonly.

Now a single renew script works like a charm with both webroot and route53 challenges :slight_smile:

Fred

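As an added example that is not part of the thread and not Certbot's own code, here is a sketch of the arrangement Fred arrived at in #3, together with a check for what #2 points out about /etc/letsencrypt/renewal/: a shared ini that carries no authenticator line, certonly runs that pass --webroot or --dns-route53 on the command line, an audit of the authenticator Certbot recorded per lineage, and a single renew that relies on those recorded settings. The ini path, the e-mail address, the domains and the renewal conf files used to exercise the audit are assumptions; CERTBOT can be pointed at certbot-auto.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Certbot project.
# Assumptions: one shared ini (no authenticator in it), certonly invocations
# that name the plugin, and "certbot renew" run without forcing a plugin.
CERTBOT="${CERTBOT:-certbot}"                          # or /path/to/certbot-auto
INI="${INI:-/etc/letsencrypt/cli.ini}"                 # assumed location of the shared ini
RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}" # where certbot stores per-lineage settings

# Shared settings only. Deliberately no "authenticator" (and no
# "preferred-challenges"): "certbot renew -c $INI" would apply such a line to
# every lineage and the DNS lineages would fail with "does not support any
# combination of challenges that will satisfy the CA".
write_shared_ini() {   # write_shared_ini PATH
    cat > "$1" <<'EOF'
email = ops@example.com
agree-tos = true
non-interactive = true
EOF
}

# Issuance: the plugin is chosen per invocation; certbot records it in
# $RENEWAL_DIR/<lineage>.conf and reuses it at renewal time.
issue_webroot() {      # issue_webroot DOMAIN WEBROOT_PATH   (HTTP-01)
    "$CERTBOT" certonly -c "$INI" --webroot -w "$2" -d "$1"
}
issue_wildcard() {     # issue_wildcard DOMAIN              (DNS-01 via Route 53)
    "$CERTBOT" certonly -c "$INI" --dns-route53 -d "$1" -d "*.$1"
}

# Audit: print "<lineage> <authenticator>" for every renewal conf, so a
# lineage recorded with the wrong plugin (or none) is visible before a
# renewal run fails on it.
audit_renewal_confs() {   # audit_renewal_confs DIR
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        name=$(basename "$f" .conf)
        auth=$(sed -n 's/^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*//p' "$f" | head -n 1)
        printf '%s %s\n' "$name" "${auth:-MISSING}"
    done
}

# Renew every lineage with whatever plugin certbot recorded for it. No -c here,
# so nothing overrides the stored settings. Pass --dry-run to exercise both
# challenge types against the staging environment first.
renew_all() {   # renew_all [--dry-run]
    "$CERTBOT" renew "$@"
}

# Stand-alone: only the read-only audit runs; issuance and renewal are
# functions to call from the operator's own script.
if [ -d "$RENEWAL_DIR" ]; then
    audit_renewal_confs "$RENEWAL_DIR"
fi
```

Run `renew_all --dry-run` once after switching to this layout: it touches every lineage, so a webroot lineage and a Route 53 lineage both get exercised in the same invocation, which is exactly the mixed case the original renew script could not handle.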

#4

By the way, is there any way to mark this post as solved?

It seems that I cannot edit my original message.

Fred


#5

Sounds great! :smile:

There should be a checkbox icon next to the “Reply” button at the bottom of each post. You might have to click “…” to see it.


#6

I didn’t see it was on a reply and not on the post itself :blush:


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.