I got the first wildcard cert manually by editing the zone file with the challenge TXTs sent as certbot waited, using certonly and not the dns rfc2136 authenticator, so my guess is it won't work and will fail because it is a manual mode without shell or hook scripts, as shown in the conf file excerpt below.
Now that I have the rfc2136 authenticator working, the command I got it working with was / is:
certbot certonly --dry-run --dns-rfc2136 --dns-rfc2136-credentials /path to/credentials.ini -d "*.xxxxxxx.com" -d xxxxxxx.com --server https://acme-v02.api.letsencrypt.org/directory
So I can remove the --dry-run option switch and it will work.
The xxxxxxx.com /etc/letsencrypt/renewal/xxxxxxx.com.conf file looks like this:
# Options used in the renewal process
[renewalparams]
account = xxxxxxxxxxxxxxxxxxxxxxxxx
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = manual
installer = apache
pref_challs = dns-01,
So how do I put those command line switches in to edit those parameters?
I have read "How to regenerate renewal config file?" and "Check renew configuration".
So I no longer need the installer, and manual is now dns-rfc2136.
The links above do not show an answer, and in fact there is an issue to provide a command line feature to modify the conf file, but no solution I have found.
I tried running a --force-renewal instead of the --dry-run command switch, but it started the manual process again, so I cancelled it.
So . . . will this work below?
[renewalparams]
account = xxxxxxxxxxxxxxxxxxxxxxxxx
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = dns-rfc2136 --dns-rfc2136-credentials /path to/credentials.ini
pref_challs = dns-01,
Or how is it edited to now use the rfc2136 authenticator with the path to credential switch and wildcard option if needed?