Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command: sudo certbot certonly -d $DOMAIN -d $WILDCARD --manual --preferred-challenges http
It produced this output: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
My web server is (include version): Apache 2.4.46
The operating system my web server runs on is (include version):Linux Debian 4.19.160-2 (2020-11-28)
My hosting provider, if applicable, is: AWS Lightsail
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, terminal
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0
I have this website and another running on Lightsail that are both due for renewal, thinkpeople.co.uk has already expired. Both are currently using DNS for authentication but I do not have direct access to their DNS and have to contact the client's IT people each time which is not ideal. I have read I can instead place a file in the server's root which would be more appropriate in this situation and so I want to change from using TXT records to this instead.
As per above I have tried what commands I have found but have had no success on either site. Any help is much appreciated. Thanks.
Use the http-01 challenge for a set of hostnames not containing a wildcard hostname.
See the Getting certificates (and choosing plugins) of the certbot documentation for choosing a plugin supporting the http-01 challeng, such as the apache plugin or, if you really don't want certbot temporarily modifying your Apache configuration, the webroot plugin.
So I used http before your reply, and it proceeded beyond where I was getting stuck before, asking me to create a file containing an alphanumerical string and place it in the .well-known\acme-challenge\ folder, which I believe I did successfully - I did visit the URL where the file should be visible and indeed it was, and the process accepted this as per below;
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/thinkpeople.co.uk-0001/fullchain.pem
Your key file has been saved at:
I then restarted the ctlscript.sh but still the site shows as insecure. Have I missed something?
I actually noticed that myself after sending. You're correct, the new cert seems to have appended 0001 to the end and created a separate cert, so now I have 2, one expired (non-0001) and one valid (0001).
Having run your suggested command, apparently I do not have that apache plugin installed?
bitnami@ip-172-26-14-44:~$ sudo certbot --apache -d $DOMAIN --keep
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The requested apache plugin does not appear to be installed
Ah, well, no.. Also, I see you're using bitnami, which is a rather strange odd-ball out there. I have absolutely zero, 0, nada experience with that and I'm hesitating to even guide you further with that. Bitnami feels more like a, well.., sort of minefield among software.. Chances of breaking something are rather large. It also has Apache installed in a non-standard place, so the certbot apache plugin wouldn't even know how to handle it.
You might try to use the webroot plugin. Check out the certbot documentation I linked above for how it works. You'd need to figure out the actual webroot path used by your bitnami Apache stack though, as it is probably just as non-standard as the rest of bitnami.