Discard fresh certificate and re-generate a new one

Hello.
I ran the command below for the first time and it worked fine.
Then I realized I wanted to generate a certificate that I could use for all subdomains as well, so I revoked the first one with:

docker-compose run --rm certbot revoke --cert-path /etc/letsencrypt/archive/crc365.de/cert1.pem

But now I cannot generate a certificate anymore.
Details below.

Thanks.


My domain is:
crc365.de

I ran this command:
docker-compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ -d crc365.de -d '*.crc.365.de'

It produced this output:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS

My web server is (include version):
nginx 1.25.1

The operating system my web server runs on is (include version):
Ubuntu 22.04

My hosting provider, if applicable, is:
Strato

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
2.10.0

As this message says, challenges for wildcard names require using the DNS challenge, not the HTTP challenge which webroot gives you.

5 Likes

Great, thanks, @petercooperjr
I could generate the certificate using the wildcard with
docker-compose run --rm certbot certonly --manual --preferred-challenges=dns --email fdbatista@gmail.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d crc365.de -d '*.crc365.de'

A quick question, do I need to repeat the same process to renew it in 3 months? Updating the TXT record and so on?

Can the renewal still be automatic?

1 Like

The renewal can (and should!) still be automated. But automating the DNS challenge is harder: you need to give certbot the API keys to update your authoritative DNS records, or you need to use something like acme-dns to run a secondary DNS server just for ACME challenges and delegate the _acme-challenge. subdomain to that other server.

5 Likes
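As an added illustration (not code from this thread or from certbot) of why the acme-dns delegation works: the CA resolves `_acme-challenge.<name>`, follows any CNAME it finds, and compares the TXT value at the final name against a digest of the challenge token and the account key's thumbprint. The account key, token and zone below are constructed, and the acme-dns hostname is a placeholder.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the canonical JSON of the required public members only."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record holds base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def lookup_txt(zone: dict, name: str, max_cname: int = 8) -> list:
    """Follow CNAMEs like a resolver, so a delegated _acme-challenge name is read at its target."""
    for _ in range(max_cname):
        rrset = zone.get(name, {})
        if "CNAME" in rrset:
            name = rrset["CNAME"]
            continue
        return rrset.get("TXT", [])
    raise ValueError("CNAME chain too long")

def dns01_satisfied(zone: dict, identifier: str, token: str, jwk: dict) -> bool:
    """True if the CA would accept the challenge; a wildcard validates at its base name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return dns01_txt_value(token, jwk) in lookup_txt(zone, f"_acme-challenge.{base}")

# Constructed sample data (not a real key or token). The "alg"/"kid" members are
# deliberately present: they must not influence the thumbprint. The zone delegates
# _acme-challenge.crc365.de by CNAME to a hypothetical acme-dns host.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "alg": "ES256", "kid": "acct-1",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
TOKEN = "tokenA_constructed_for_this_example"
ZONE = {
    "_acme-challenge.crc365.de": {"CNAME": "d4b1e2f3.auth.acme-dns.example"},
    "d4b1e2f3.auth.acme-dns.example": {"TXT": [dns01_txt_value(TOKEN, ACCOUNT_JWK)]},
}
```

Because the CNAME is permanent and only the TXT record at the acme-dns host changes, renewal needs no edits at the hosting provider's DNS panel.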

Processes requiring manual assistance can't be automated "as is", they have to continue to be handled manually at each renewal OR changed to a process that can be automated.

Also, what purpose/point did it make to revoke the previous cert?

4 Likes

I have always preferred to have a single certificate per domain.
Looks simpler to me.

I just generated the first one by mistake, without noticing I did not use the wildcard.

However, I think I will change my mind. One certificate per subdomain seems easier to auto renew.

2 Likes

Yes, wildcards add a lot of complexity, and aren't really needed or helpful in most cases unless you're also using a wildcard DNS record.

4 Likes

This part of the story rarely, if ever, results in anything useful.

5 Likes

Well, I moved to Strato hosting provider recently.

In OVH and Hostinger I was able to add a CNAME record with the wildcard because I usually have several subdomains. That way everything points automatically to my VPS, and I only need to handle per-subdomain config in Nginx.

But now it looks like Strato simply does not allow registering wildcards.