Convert manual to Webroot renewal

Help
1

I have installed a Let's Encrypt certificate for my site previously with Manual method. But now I was expecting it to auto renew using cronjob but I'm getting this error

Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (xxx.com) from /etc/letsencrypt/renewal/xxx.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.

My guess would be because it's set to manual and can't renew it and needed an interaction via DNS. When I checked my let's encrypt file below is what is listed in my /etc/letsencrypt/renewal/xxx.com.conf

# renew_before_expiry = 30 days
version = 0.22.2
archive_dir = /etc/letsencrypt/archive/xxx.com
cert = /etc/letsencrypt/live/xxx.com/cert.pem
privkey = /etc/letsencrypt/live/xxx.com/privkey.pem
chain = /etc/letsencrypt/live/xxx.com/chain.pem
fullchain = /etc/letsencrypt/live/xxx.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
server = https://acme-v02.api.letsencrypt.org/directory
pref_challs = dns-01,
installer = None
account = xxxxxxxxx
manual_public_ip_logging_ok = True
authenticator = manual

So when trying to run certbot renew i'm getting that error. Is there a way to renew this without changing the TXT Value in the DNS? I would like to renew it automatically using cron but since my config is in manual I can't do that.

Is there a way to fix this? Honestly this is my first time and I have no idea on what to do with this issue. Correct me if I'm wrong but I read that using webroot will fix my issue and I don't have to add a TXT value in my DNS. I'm using an NGINX webserver and below is my NGINX configuration

server {
listen 80;
server_name *.xxx.com xxx.com;

return 301 https://$host$request_uri;

}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl on;
ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;
ssl_prefer_server_ciphers on;

server_name *.xxx.com xxx.com;
root /var/www/xxx/public;

index index.html index.htm index.php;

charset utf-8;

location / {
    try_files $uri $uri/ /index.php$is_args$args;
}

client_max_body_size 100m;

location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_intercept_errors off;
    fastcgi_buffer_size 16k;
    fastcgi_buffers 4 16k;
}

location ~ /\.ht {
    deny all;
}

}

How do I modify this to allow webroot? and how do I allow certbot to access .well-known/acme-challenge? I'm not sure how to modify my nginx config to read content in /var/www/xxx/.well-known/acme-challenge

Sorry for the long post. To sum it all up here is what I need help with

  1. Convert manual to webroot method for renewing
  2. Modify my nginx configuration to read in .well-known/acme-challenge folder
  3. Enable auto renewal

Hope you can help me with this as the certificate is near expiry this month

2

Hi,

Please try this command…

sudo certbot renew -a webroot

Thank you

3

Tried this and I'm getting the below error

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
Attempting to renew cert (xxx.com) from /etc/letsencrypt/renewal/xxx.com.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/xxx.com/fullchain.pem (failure)

4

As the error message suggests, --manual does not permit noninteractive renewal with certbot renew because it requires human intervention to complete the renewal. (In the DNS case, the DNS token that you have to place in the TXT record is different every time, so the existence of the old one won’t permit the renewal.)

You could edit your /etc/letsencrypt/renewal/xxx.com.conf so that the [renewalparams] section looks like this:

[renewalparams]
server = https://acme-v02.api.letsencrypt.org/directory
installer = None
account = xxxxxxxxx
authenticator = webroot
webroot_path = /var/www/xxx/public

and then try running certbot renew again.

5

Hi @schoen tried your suggestion but I'm getting this error

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xxx.com
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Attempting to renew cert (xxx.com) from /etc/letsencrypt/renewal/xxx.com.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/xxx.com/fullchain.pem (failure)

I'm guessing this is because I don't have the .well-known/acme-challenge on my webroot? Btw my webroot location is in /var/www this have multiple site one of this is the xxx which is written in laravel so the accesible public folder is under public

6

No, Certbot will create that for you!

Is it possible that you forgot to delete the preferred_challenges line in [renewalparams]?

7

No I modified it as you suggested. Below is the config

renew_before_expiry = 30 days

version = 0.22.2
archive_dir = /etc/letsencrypt/archive/xxx.com
cert = /etc/letsencrypt/live/xxx.com/cert.pem
privkey = /etc/letsencrypt/live/xxx.com/privkey.pem
chain = /etc/letsencrypt/live/xxx.com/chain.pem
fullchain = /etc/letsencrypt/live/xxx.com/fullchain.pem

Options used in the renewal process

[renewalparams]
server = https://acme-v02.api.letsencrypt.org/directory
installer = None
account = xxxxxxxx
authenticator = webroot
webroot_path = /var/www/xxx/public

Is there anything you need me to post to help debug this issue? I would really love to go with webroot over DNS since it's taking to long for the DNS to propagate when changing the TXT Value

Also forgot to mention that the TXT Value in the DNS is already change previously when we tried to renew it but failed to renew. So we were not able to change the TXT Value again since we are looking for a different fix other than changing the TXT Value

8

@bmw, how can this happen? Shouldn't http-01 always be permitted, and always be supported by webroot?

9

Could you post the most recent log file from /var/log/letsencrypt?

10

2018-07-17 16:59:36,448:DEBUG:certbot.main:certbot version: 0.22.2
2018-07-17 16:59:36,448:DEBUG:certbot.main:Arguments: ['-a', 'webroot', '--dry-run']
2018-07-17 16:59:36,449:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-07-17 16:59:36,456:DEBUG:certbot.log:Root logging level set at 20
2018-07-17 16:59:36,457:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-07-17 16:59:36,464:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer <certbot.cli._Default object at 0x7f1ac1fa99e8>
2018-07-17 16:59:36,464:DEBUG:certbot.cli:Var dry_run=True (set by user).
2018-07-17 16:59:36,464:DEBUG:certbot.cli:Var server={'dry_run', 'staging'} (set by user).
2018-07-17 16:59:36,464:DEBUG:certbot.cli:Var dry_run=True (set by user).
2018-07-17 16:59:36,464:DEBUG:certbot.cli:Var server={'dry_run', 'staging'} (set by user).
2018-07-17 16:59:36,464:DEBUG:certbot.cli:Var account={'server'} (set by user).
2018-07-17 16:59:36,464:DEBUG:certbot.cli:Var authenticator=webroot (set by user).
2018-07-17 16:59:36,464:DEBUG:certbot.renewal:Ancient renewal conf file without webroot-map, restoring webroot-path
2018-07-17 16:59:36,473:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2018-07-30 12:07:19 UTC.
2018-07-17 16:59:36,473:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2018-07-17 16:59:36,474:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2018-07-17 16:59:36,474:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f1ac1f86da0>
Prep: True
2018-07-17 16:59:36,474:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f1ac1f86da0> and installer None
2018-07-17 16:59:36,474:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2018-07-17 16:59:36,506:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at xxxxxxxxx>)>), status='valid', terms_of_service_agreed=None, contact=(), agreement=None), new_authzr_uri=None, uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/xxxxxxxxx', terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), xxxxxxxxx, Meta(creation_dt=datetime.datetime(2018, 7, 10, 16, 53, 22, tzinfo=), creation_host='ip-172-31-14-16.us-west-2.compute.internal'))>
2018-07-17 16:59:36,507:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2018-07-17 16:59:36,510:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
2018-07-17 16:59:36,729:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 724
2018-07-17 16:59:36,730:DEBUG:acme.client:Received response:
HTTP 200
Pragma: no-cache
Date: Tue, 17 Jul 2018 16:59:36 GMT
Content-Type: application/json
Content-Length: 724
X-Frame-Options: DENY
Connection: keep-alive
Server: nginx
Expires: Tue, 17 Jul 2018 16:59:36 GMT
Strict-Transport-Security: max-age=604800
Cache-Control: max-age=0, no-cache, no-store

b'{\n "hOLKjP60wok": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/xxxxxxxxx",\n "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",\n "meta": {\n "caaIdentities": [\n "letsencrypt.org"\n ],\n "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",\n "website": "Staging Environment - Let's Encrypt"\n },\n "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",\n "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",\n "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",\n "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"\n}'
2018-07-17 16:59:36,730:INFO:certbot.main:Renewing an existing certificate
2018-07-17 16:59:36,761:DEBUG:acme.client:Requesting fresh nonce
2018-07-17 16:59:36,761:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order.
2018-07-17 16:59:36,841:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-order HTTP/1.1" 405 0
2018-07-17 16:59:36,842:DEBUG:acme.client:Received response:
HTTP 405
Pragma: no-cache
Date: Tue, 17 Jul 2018 16:59:36 GMT
Content-Type: application/problem+json
Replay-Nonce: xxxxxxxxx
Allow: POST
Connection: keep-alive
Cache-Control: max-age=0, no-cache, no-store
Server: nginx
Expires: Tue, 17 Jul 2018 16:59:36 GMT
Content-Length: 103

b''
2018-07-17 16:59:36,842:DEBUG:acme.client:Storing nonce: xxxxxxxxx
2018-07-17 16:59:36,843:DEBUG:acme.client:JWS payload:
b'{\n "resource": "new-order",\n "identifiers": [\n {\n "type": "dns",\n "value": "*.xxx.com"\n },\n {\n "type": "dns",\n "value": "xxx.com"\n }\n ],\n "status": "pending"\n}'
2018-07-17 16:59:36,845:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "xxxxxxxxx",
"payload": "xxxxxxxxx",
"signature": "xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-KjAT5C2c1tW-xxxxxxxxx-xxxxxxxxx"
}

11

2018-07-17 16:59:37,010:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-order HTTP/1.1" 201 541
2018-07-17 16:59:37,010:DEBUG:acme.client:Received response:
HTTP 201
Date: Tue, 17 Jul 2018 16:59:37 GMT
Boulder-Requester: 6431708
Connection: keep-alive
Cache-Control: max-age=0, no-cache, no-store
Server: nginx
Expires: Tue, 17 Jul 2018 16:59:37 GMT
Strict-Transport-Security: max-age=604800
Pragma: no-cache
Content-Type: application/json
Replay-Nonce: xxxxxxxxx
X-Frame-Options: DENY
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/xxxxxxxxx/xxxxxxxxx
Content-Length: 541

b'{\n "status": "pending",\n "expires": "2018-07-24T16:57:04Z",\n "identifiers": [\n {\n "type": "dns",\n "value": "*.xxx.com"\n },\n {\n "type": "dns",\n "value": "xxx.com"\n }\n ],\n "authorizations": [\n "https://acme-staging-v02.api.letsencrypt.org/acme/authz/xxxxxxxxx",\n "https://acme-staging-v02.api.letsencrypt.org/acme/authz/xxxxxxxxx-xxxxxxxxx"\n ],\n "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/xxxxxxxxx/xxxxxxxxx"\n}'
2018-07-17 16:59:37,010:DEBUG:acme.client:Storing nonce: xxxxxxxxx-xxxxxxxxx-xxxxxxxxx
2018-07-17 16:59:37,011:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/xxxxxxxxx.
2018-07-17 16:59:37,144:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/xxxxxxxxx HTTP/1.1" 200 922
2018-07-17 16:59:37,145:DEBUG:acme.client:Received response:
HTTP 200
Pragma: no-cache
Date: Tue, 17 Jul 2018 16:59:37 GMT
Content-Type: application/json
Content-Length: 922
X-Frame-Options: DENY
Connection: keep-alive
Server: nginx
Expires: Tue, 17 Jul 2018 16:59:37 GMT
Strict-Transport-Security: max-age=604800
Cache-Control: max-age=0, no-cache, no-store

b'{\n "identifier": {\n "type": "dns",\n "value": "xxx.com"\n },\n "status": "pending",\n "expires": "2018-07-24T16:57:04Z",\n "challenges": [\n {\n "type": "http-01",\n "status": "pending",\n "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/xxxxxxxxx/xxxxxxxxx",\n "token": "xxxxxxxxx-xxxxxxxxx"\n },\n {\n "type": "dns-01",\n "status": "pending",\n "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/xxxxxxxxx/xxxxxxxxx",\n "token": "xxxxxxxxx"\n },\n {\n "type": "tls-alpn-01",\n "status": "pending",\n "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/xxxxxxxxx/xxxxxxxxx",\n "token": "xxxxxxxxx"\n }\n ]\n}'
2018-07-17 16:59:37,145:DEBUG:acme.challenges:tls-alpn-01 was not recognized, full message: {'token': 'xxxxxxxxx', 'type': 'tls-alpn-01', 'status': 'pending', 'url': 'https://acme-staging-v02.api.letsencrypt.org/acme/challenge/xxxxxxxxx/xxxxxxxxx'}
2018-07-17 16:59:37,145:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/xxxxxxxxx-xxxxxxxxx.
2018-07-17 16:59:37,286:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/xxxxxxxxx-xxxxxxxxx HTTP/1.1" 200 426
2018-07-17 16:59:37,287:DEBUG:acme.client:Received response:
HTTP 200
Pragma: no-cache
Date: Tue, 17 Jul 2018 16:59:37 GMT
Content-Type: application/json
Content-Length: 426
X-Frame-Options: DENY
Connection: keep-alive
Server: nginx
Expires: Tue, 17 Jul 2018 16:59:37 GMT
Strict-Transport-Security: max-age=604800
Cache-Control: max-age=0, no-cache, no-store

b'{\n "identifier": {\n "type": "dns",\n "value": "xxx.com"\n },\n "status": "pending",\n "expires": "2018-07-24T16:57:04Z",\n "challenges": [\n {\n "type": "dns-01",\n "status": "pending",\n "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/xxxxxxxxx-xxxxxxxxx/xxxxxxxxx",\n "token": "xxxxxxxxx-xxxxxxxxx"\n }\n ],\n "wildcard": true\n}'
2018-07-17 16:59:37,287:INFO:certbot.auth_handler:Performing the following challenges:
2018-07-17 16:59:37,288:INFO:certbot.auth_handler:http-01 challenge for xxx.com
2018-07-17 16:59:37,288:CRITICAL:certbot.auth_handler:Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
2018-07-17 16:59:37,288:WARNING:certbot.renewal:Attempting to renew cert (xxx.com) from /etc/letsencrypt/renewal/xxx.com.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.. Skipping.
2018-07-17 16:59:37,289:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 422, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1102, in renew_cert
_get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 113, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 297, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 294, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 330, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 66, in handle_authorizations
self._choose_challenges(aauthzrs)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 107, in _choose_challenges
combinations)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 402, in gen_challenge_path
return _find_smart_path(challbs, preferences, combinations)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 439, in _find_smart_path
_report_no_chall_path(challbs)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 478, in _report_no_chall_path
raise errors.AuthorizationError(msg)
certbot.errors.AuthorizationError: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

2018-07-17 16:59:37,290:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2018-07-17 16:59:37,290:ERROR:certbot.renewal: /etc/letsencrypt/live/xxx.com/fullchain.pem (failure)
2018-07-17 16:59:37,291:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.22.2', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1266, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1179, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 443, in handle_renewal_request
len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

12

Sorry had to reply in parts since I’m not allowed to post more than 20 links (new user)

13

Hi,

Please try this …

sudo certbot renew -a webroot --preferred-challenge http

Apologize since I was having my lunch…

Thank you

14

No worries really appreciate your help here

15

Same error message
Command I ran was

sudo certbot renew -a webroot --preferred-challenge http --dry-run

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xxx.com
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Attempting to renew cert (xxx.com) from /etc/letsencrypt/renewal/xxx.com.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/xxx.com/fullchain.pem (failure)

16

I think the problem is that one of the domains is a wildcard.

@ramzdam, could please confirm whether one of the domains you are trying to renew is a wildcard certificate?. If the answer is yes, then you can't use the http-01 challenge, you should use the dns-01 challenge. If your dns provider doesn't support an API to perform the modifications programatically or there is no plugin for your dns provider then you should keep using the manual method to renew your wildcard cert.

Cheers,
sahsanu

2 Likes
17

Hi @sahsanu yes I'm using a wildcard for this. So there really no other way to renew my certificate automatically? And I had to do it manually and changing the TXT Value?
How do I know if my DNS Provider support API? Also if I will be using DNS API will this need any private key or any access key from my DNS Server?

18

Oh, I totally missed that! Great catch, @sahsanu.

@ramzdam, sorry that I didn't think about this before giving you advice to switch to webroot. The webroot method is never applicable to obtaining or renewing wildcard certificates. :frowning:

2 Likes
19

Ask them.

Probably, of some sort, but the exact type varies. AFAIK, the best support for DNS validation is with acme.sh; you can see their docs with supported DNS apis here:

20

Hi,

You are using GoDaddy & its premium DNS…

I know that GoDaddy has API, but not sure if premium DNS supports it…

Thank you