Certificate failing renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: onthe1.app (two sites, drums.onthe1.app and buraco.onthe1.app, single wildcard cert).

I ran this command:

root@ubuntu-4gb-hel1-1:/home/cromestant# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: onthe1.app
Serial Number: 6f473d1ed12dd6c22eaea1daf6b508a99a6
Key Type: ECDSA
Domains: *.onthe1.app onthe1.app
Expiry Date: 2026-05-15 21:32:39+00:00 (VALID: 3 hour(s))
Certificate Path: /etc/letsencrypt/live/onthe1.app/fullchain.pem
Private Key Path: /etc/letsencrypt/live/onthe1.app/privkey.pem


root@ubuntu-4gb-hel1-1:/home/cromestant# certbot renew --dry-run --nginx --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/onthe1.app.conf


Simulating renewal of an existing certificate for *.onthe1.app and onthe1.app
Failed to renew certificate onthe1.app with error: None of the preferred challenges are supported by the selected plugin


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/onthe1.app/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
root@ubuntu-4gb-hel1-1:/home/cromestant# certbot renew --dry-run --nginx --preferred-challenges dns -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/onthe1.app.conf


Cannot extract OCSP URI from /etc/letsencrypt/archive/onthe1.app/cert1.pem
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Simulating renewal of an existing certificate for *.onthe1.app and onthe1.app
Performing the following challenges:
Failed to renew certificate onthe1.app with error: None of the preferred challenges are supported by the selected plugin


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/onthe1.app/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx version: nginx/1.24.0 (Ubuntu)

The operating system my web server runs on is (include version):
Linux ubuntu-4gb-hel1-1 6.8.0-117-generic #117-Ubuntu SMP PREEMPT_DYNAMIC Tue May 5 19:26:24 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is:
Hetzner
I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.9.0

What happens if you do:

certbot renew --dry-run

It will use the same options you used when you got the original cert. You are trying to override that with --nginx which only supports an HTTP Challenge. A wildcard cert requires a DNS Challenge.

Thanks for your response. Here it is:

root@ubuntu-4gb-hel1-1:/home/cromestant# certbot renew --dry-run -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/onthe1.app.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cannot extract OCSP URI from /etc/letsencrypt/archive/onthe1.app/cert1.pem
Certificate is due for renewal, auto-renewing...
Failed to renew certificate onthe1.app with error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/onthe1.app/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Maybe let's start over a bit:

  1. Why are you trying to get a wildcard cert? It requires using the DNS challenge, which many people find harder to automate.
  2. That error makes it look like you initially got your certificate manually, and are now trying to renew it automatically. Is that the case?

If you say more about what you're exactly trying to accomplish and why, and how you got to this point, it may be easier for people to help you.
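To make the two failures in this thread concrete (an added example, not certbot's own code): `certbot renew` rebuilds its options from the `[renewalparams]` section of the lineage's renewal conf unless a flag overrides them, and then fails non-interactively when the chosen plugin cannot answer the preferred challenge. The conf text, paths and account id below are constructed; the key names `authenticator`, `pref_challs` and `manual_auth_hook` are the ones certbot stores.

```python
# Constructed sample resembling /etc/letsencrypt/renewal/<name>.conf (not the poster's file).
SAMPLE_CONF = """\
version = 2.9.0
archive_dir = /etc/letsencrypt/archive/example.test
cert = /etc/letsencrypt/live/example.test/cert.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef
authenticator = manual
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
pref_challs = dns-01,
"""

# Challenge types each authenticator plugin can answer (web-server plugins: http-01 only).
PLUGIN_CHALLENGES = {"nginx": {"http-01"}, "apache": {"http-01"},
                     "webroot": {"http-01"}, "standalone": {"http-01"},
                     "manual": {"http-01", "dns-01"}}


def parse_renewal_conf(text):
    """Minimal INI-style parser: {section: {key: value}}, top-level keys under ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def diagnose(conf_text, domains, cli_authenticator=None, cli_pref_challs=None):
    """Reasons a non-interactive `certbot renew` would fail for this lineage (empty list = OK)."""
    params = parse_renewal_conf(conf_text).get("renewalparams", {})
    authenticator = cli_authenticator or params.get("authenticator", "")
    pref = cli_pref_challs or params.get("pref_challs", "")
    preferred = [c.strip() for c in pref.split(",") if c.strip()]
    supported = PLUGIN_CHALLENGES.get(authenticator, set())
    problems = []
    if authenticator == "manual" and "manual_auth_hook" not in params:
        problems.append("manual plugin needs --manual-auth-hook when run non-interactively")
    if preferred and not set(preferred) & supported:
        problems.append("none of the preferred challenges are supported by the selected plugin")
    if any(d.startswith("*.") for d in domains) and "dns-01" not in supported:
        problems.append("wildcard names can only be validated with dns-01")
    return problems
```

Running `diagnose(SAMPLE_CONF, ["*.example.test", "example.test"])` reproduces the manual-plugin error, and passing `cli_authenticator="nginx"` reproduces the "none of the preferred challenges" error plus the wildcard constraint.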

Hi, thanks for the patience.
I'm trying to get a wildcard cert to avoid having multiples to manage; since I only have one domain, a wildcard is a good option.
When I first got the cert, I tried the automatic way and had some issues, so I guess I might have gone through a manual process?
I have no problem restarting from 0 to get the automatic way, but ideally on the wildcard cert?

Well, depending on how many "multiples" is, it may not be any harder than the rest of the nginx configuration for those sites, unless you also have a wildcard DNS entry. You might find it easier to just use nginx's built-in support for requesting and using certificates rather than needing to use certbot at all.

In order to get a wildcard, you'll need to have some way to have your system automatically update your DNS zones. It looks like you might be using "porkbun" for your authoritative DNS; you would need to install a plugin for certbot that knows how to update that. (There's also DNS-PERSIST-01, "Coming Soon", which would let you make a one-time update to your DNS instead of an update for every certificate, though that may not help you in the short term.)

OK, so it seems the DNS entry is no longer valid?
I don't mind maintaining 2 certs; if it becomes a problem later I can revisit. I'm in a meeting now but will take a look at the provided link as soon as I can to fix.
Will report back.

You might want to look at the Challenge Types documentation page. The only DNS-based one currently available, DNS-01, requires a new token each time, yes, and there isn't any benefit to leaving it in your DNS after the certificate is issued.

thanks for the help, I ended up migrating to two new certificates using the certbot nginx option.

root@ubuntu-4gb-hel1-1:/home/cromestant# sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: buraco.onthe1.app
2: drums.onthe1.app


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2
Requesting a certificate for buraco.onthe1.app and drums.onthe1.app

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/buraco.onthe1.app/fullchain.pem
Key is saved at: /etc/letsencrypt/live/buraco.onthe1.app/privkey.pem
This certificate expires on 2026-08-13.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for buraco.onthe1.app to /etc/nginx/sites-enabled/buraco.onthe1.app
Successfully deployed certificate for drums.onthe1.app to /etc/nginx/sites-enabled/drums.onthe1.app
Congratulations! You have successfully enabled HTTPS on https://buraco.onthe1.app and https://drums.onthe1.app


If you like Certbot, please consider supporting our work by:


root@ubuntu-4gb-hel1-1:/home/cromestant# service nginx restart

Although it worked perfectly, I'm not sure how this certbot ascertained I controlled the domain... it would be great to understand that.

thanks in advance

If you haven't yet you should delete this certificate. Otherwise the regular renew will look like it is failing. Do:

certbot delete --cert-name onthe1.app

If you run certbot certificates before-hand you'll see you now have two certs. The new one got a different --cert-name. And, I just confirmed you are using the new one so you are safe to delete the old one.

The --nginx option uses an HTTP Challenge which is described in that link Peter provided earlier about challenge types.

Although, the --nginx option doesn't actually write a file anywhere on your server.

Instead, it makes a temp change to your nginx config to handle the challenge. It does this, mostly, by adding a "return" statement with the required challenge response.

Certbot is not the one that proves you control that domain. That is the job of the ACME Server - Let's Encrypt. Again, see the Challenge Types link Peter provided.

All ACME Clients and ACME Servers do an HTTP Challenge with the same set of API calls. This allows you to use any client and server you choose.
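As an added illustration of the HTTP-01 mechanics described above (not certbot's or Let's Encrypt's code): the value the ACME server fetches from `/.well-known/acme-challenge/<token>` is the key authorization `token.thumbprint`, where the thumbprint is the RFC 7638 SHA-256 thumbprint of the ACME account key (RFC 8555 section 8.1); the nginx `return` snippet is the shape the poster was told about, and the token and JWK coordinates are constructed placeholders, not real values.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over only the required members, lexicographically ordered, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' base64url(thumbprint(account public key))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def nginx_challenge_location(token: str, key_auth: str) -> str:
    """Temporary server-block snippet an nginx authenticator can add instead of writing a file (shape assumed)."""
    return (f"location = /.well-known/acme-challenge/{token} {{\n"
            f"    default_type text/plain;\n"
            f"    return 200 '{key_auth}';\n"
            f"}}\n")


def verify_challenge_body(body: bytes, token: str, account_jwk: dict) -> bool:
    """The server-side check: the fetched body, trailing whitespace ignored, equals the key authorization."""
    return body.strip() == key_authorization(token, account_jwk).encode("ascii")


# Constructed account key (public part) and token; placeholders, not from a real account.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "constructed-x-coordinate-placeholder-AAAAAAAAAA",
               "y": "constructed-y-coordinate-placeholder-BBBBBBBBBB"}
TOKEN = "constructed-token-placeholder-CCCCCCCCCCCCCCCC"
```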

Awesome, thanks!
Deleted the old cert.