Dns-01 challenge not working for wildcard cert

Here is my issue now . . . when it comes time to renew, the manual method I used is not going to work with my cron command, as Osiris pointed out here => How to renew wildcard cert with cert-bot auto, and the link therein to https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks

I would like to use the dns-rfc2136 method - which I believe is supposed to be able to directly write the challenges to the zone file . . .

certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /credentials.ini -i apache -d "*.xxxxxxxx.com" -d xxxxxxxx.com --server https://acme-v02.api.letsencrypt.org/directory

Certainly certbot CANNOT renew a cert created with the --manual flag, so I have to fix the dns-rfc2136 plugin or write scripts for the pre-and-post-validation-hooks.

According to Keltounet:

"You might not [be] aware that if a given zone is using dynamic updates, then you can not edit it manually anymore"

. . . and if that is true then there is a problem, because I cannot have that.

If I run . . .

[root@main ~]# certbot certonly --dry-run --dns-rfc2136 --dns-rfc2136-propagation-seconds 120 --dns-rfc2136-credentials /credentials.ini -i apache -d "*.xxxxxxxx.com" -d xxxxxxxx.com --server https://acme-v02.api.letsencrypt.org/directory

the server returns this in the terminal window

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for xxxxxxxx.com
dns-01 challenge for xxxxxxxx.com
Cleaning up challenges
Received response from server: SERVFAIL
[root@main ~]#

so the log STILL has these as the offending entries

460:DEBUG:certbot_dns_rfc2136.dns_rfc2136:No authoritative SOA record found for _acme-challenge.xxxxxxxx.com
466:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Received authoritative SOA response for xxxxxxxx.com

This is something in my setup . . . so does "_acme-challenge.xxxxxxxx.com" actually need its own SOA zone?
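To make the two log lines concrete, here is an added, runnable sketch (not certbot's code and not from the original post) of the order in which the dns-rfc2136 authenticator works. It first walks up the record name, asking the configured server for an authoritative SOA at each step, so `_acme-challenge.xxxxxxxx.com` is tried before `xxxxxxxx.com` and a "No authoritative SOA record found" line for the longer name is expected; only once a zone answers does it send the RFC 2136 dynamic update, and "Received response from server: SERVFAIL" is how the plugin reports a non-NOERROR rcode from that update step. The nameserver below is a constructed stub (`StubNameserver`) holding the zones it is authoritative for and the rcode it returns to an update, so the script runs offline; the names `find_zone`, `attempt_challenge` and the sample rcodes are my own, not the plugin's.

```python
"""Added illustration of the two steps certbot's dns-rfc2136 authenticator
performs for a dns-01 challenge: (1) zone discovery by walking up the record
name until the configured server answers an authoritative SOA, then (2) an
RFC 2136 dynamic update of the TXT record into that zone.
No network is used: StubNameserver is a constructed stand-in for the
nameserver named in credentials.ini."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NOERROR, SERVFAIL, REFUSED = "NOERROR", "SERVFAIL", "REFUSED"


def base_domain_name_guesses(record_name: str) -> List[str]:
    """Candidate zone names, most specific first, e.g.
    _acme-challenge.example.com -> [_acme-challenge.example.com, example.com, com]."""
    labels = record_name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


@dataclass
class StubNameserver:
    """Constructed model of the target server: zones it is authoritative for,
    and the rcode it returns to a dynamic update of each zone (default REFUSED)."""
    authoritative_zones: List[str]
    update_rcodes: Dict[str, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)  # mirrors the plugin's DEBUG lines

    def query_soa(self, name: str) -> bool:
        # The real plugin sends an SOA query with RD cleared and accepts it only
        # if rcode is NOERROR, an SOA for exactly this name is in the answer,
        # and the AA (authoritative answer) flag is set.
        ok = name in self.authoritative_zones
        self.log.append(("Received authoritative SOA response for %s" if ok
                         else "No authoritative SOA record found for %s") % name)
        return ok

    def dynamic_update(self, zone: str, record_name: str, value: str) -> str:
        # The real plugin builds a TSIG-signed dns.update.Update for `zone`,
        # sends it over TCP and inspects the rcode of the reply.
        return self.update_rcodes.get(zone, REFUSED)


def find_zone(record_name: str, server: StubNameserver) -> Optional[str]:
    """Step 1: first candidate for which the server is authoritative, else None."""
    for guess in base_domain_name_guesses(record_name):
        if server.query_soa(guess):
            return guess
    return None


def attempt_challenge(record_name: str, value: str, server: StubNameserver) -> str:
    """Steps 1+2 together; returns the message the plugin would log or raise."""
    zone = find_zone(record_name, server)
    if zone is None:
        return "Unable to determine base domain for %s" % record_name
    rcode = server.dynamic_update(zone, record_name, value)
    if rcode != NOERROR:
        # This is the path behind "Received response from server: SERVFAIL":
        # the zone WAS found; it is the update itself that was not accepted.
        return "Received response from server: %s" % rcode
    return "Successfully added TXT record %s to zone %s" % (record_name, zone)


if __name__ == "__main__":
    name = "_acme-challenge.xxxxxxxx.com"
    # Constructed server matching the post: authoritative for the apex zone,
    # but answering SERVFAIL to the dynamic update.
    failing = StubNameserver(["xxxxxxxx.com"], {"xxxxxxxx.com": SERVFAIL})
    print(attempt_challenge(name, "constructed-token", failing))
    print("\n".join(failing.log))
    # Constructed server that accepts the update.
    working = StubNameserver(["xxxxxxxx.com"], {"xxxxxxxx.com": NOERROR})
    print(attempt_challenge(name, "constructed-token", working))
```

Run it and the first server reproduces the post's sequence: a "No authoritative SOA record found" line for the `_acme-challenge` name, an authoritative SOA response for the apex, and then the SERVFAIL message, which places the failure at the update step rather than at zone discovery.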