Does the DNS challenge need to be executed for renewal?

I recently issued a wildcard certificate for my domain. As part of that process, I had to do the DNS TXT entry dance to prove to Certbot that I owned the domain for which the certificate was being issued (via the manual DNS check). I then set up a renewal script in crontab (see below), which is now failing because it is trying to do the "manual" DNS authentication check again.

My question is: if I already proved that I own the domain during the issuance, how do I skip that step in the renewal? I assume that I don't have to prove time and time again that I actually own the domain? Or, do I?

NOTE: I understand that DigitalOcean has some DNS plug-in; but, I'm trying to understand the process before I fall back to using some other plug-in.

My domain is:

dailyprime.me

I ran this command:

#!/bin/bash
/usr/bin/docker run --rm --name letsencrypt \
	-v "/etc/letsencrypt:/etc/letsencrypt" \
	-v "/var/log/letsencrypt:/var/log/letsencrypt" \
	quay.io/letsencrypt/letsencrypt:latest \
		renew

It produced this output:

Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (dailyprime.me-0001) from /etc/letsencrypt/renewal/dailyprime.me-0001.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/dailyprime.me-0001/fullchain.pem (failure)

My web server is (include version):

nginx (latest docker image)

The operating system my web server runs on is (include version):

??

My hosting provider, if applicable, is:

DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

As background here’s the command that I ran originally to issue the wildcard certificate:

#!/bin/bash
# Wildcard quoted so the shell cannot glob-expand it against files in the
# current directory; everything else is unchanged.
docker run -it --rm --name letsencrypt \
	-v "/etc/letsencrypt:/etc/letsencrypt" \
	-v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
	quay.io/letsencrypt/letsencrypt:latest \
		certonly \
		-d dailyprime.me \
		-d '*.dailyprime.me' \
		--manual \
		--preferred-challenges dns \
		--server https://acme-v02.api.letsencrypt.org/directory

Yes. Authorizations must be performed at every issuance, including renewals. They are valid for a very short time. After all, if you transferred the domain/website to somebody else, or it expired and was registered by someone else, why should you retain the authorization to issue SSL certificates for it?

You should use the available DigitalOcean plugin.

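The error in the renewal output names the way to keep the manual DNS plugin while still renewing non-interactively: an authentication script passed with --manual-auth-hook. The script below is an added example for this thread, not code from the original poster or from Certbot; it assumes the zone is hosted at DigitalOcean, a personal access token with DNS write permission is in the environment variable DO_TOKEN, curl is available, and that DigitalOcean's v2 API creates records with POST /v2/domains/{zone}/records taking {"type","name","data","ttl"}. The CERTBOT_* variables are the ones Certbot exports to the hook; everything else (the function names, DO_API, the 30-second propagation wait) is this example's own choice.

```shell
#!/bin/sh
# Added example: a --manual-auth-hook for certbot's manual DNS-01 plugin.
# Assumptions: zone hosted at DigitalOcean, API token in $DO_TOKEN, curl on
# PATH, and POST /v2/domains/{zone}/records accepting a TXT record body.
set -eu

# Variables certbot exports to the hook; empty defaults let the helper
# functions be exercised outside certbot.
: "${CERTBOT_DOMAIN:=}"
: "${CERTBOT_VALIDATION:=}"
: "${CERTBOT_REMAINING_CHALLENGES:=0}"
: "${DO_TOKEN:=}"
DO_API=${DO_API:-https://api.digitalocean.com/v2}

# Zone name the DigitalOcean API is keyed by. Assumes a two-label zone
# (dailyprime.me); zones under suffixes like co.uk would need a lookup table.
# A leading "*." is stripped so a wildcard name maps to its zone too.
zone_of() {
  printf '%s\n' "${1#\*.}" | awk -F. '{ print $(NF-1) "." $NF }'
}

# Record name relative to the zone. The apex and the wildcard both validate
# at _acme-challenge.<zone>; sub.<zone> validates at _acme-challenge.sub.
record_name_of() {
  domain=${1#\*.}
  zone=$(zone_of "$domain")
  if [ "$domain" = "$zone" ]; then
    printf '_acme-challenge\n'
  else
    printf '_acme-challenge.%s\n' "${domain%.$zone}"
  fi
}

# Request body for the TXT record. CERTBOT_VALIDATION is base64url text
# (A-Za-z0-9_-), so it needs no JSON escaping. Short TTL: the token is
# single-use and should not linger in resolver caches.
record_json() {
  printf '{"type":"TXT","name":"%s","data":"%s","ttl":30}\n' "$1" "$2"
}

publish() {
  zone=$(zone_of "$CERTBOT_DOMAIN")
  name=$(record_name_of "$CERTBOT_DOMAIN")
  # POST adds a record, it never replaces one. That matters here: dailyprime.me
  # and *.dailyprime.me are two authorizations sharing one record name, so two
  # TXT records must coexist until the cleanup hook removes them.
  curl -fsS -X POST "$DO_API/domains/$zone/records" \
    -H "Authorization: Bearer $DO_TOKEN" \
    -H 'Content-Type: application/json' \
    -d "$(record_json "$name" "$CERTBOT_VALIDATION")" >/dev/null
  # certbot queries DNS as soon as the hook exits. Wait for the authoritative
  # servers to pick up the change, but only once, after the last record.
  if [ "$CERTBOT_REMAINING_CHALLENGES" -eq 0 ]; then
    sleep 30
  fi
}

# Only act when certbot is the caller (it populates CERTBOT_DOMAIN).
if [ -n "$CERTBOT_DOMAIN" ]; then
  publish
fi
```

To use it with the docker setup in the question, the script has to live inside a mounted path (for instance under /etc/letsencrypt, which is already mounted) and be executable, the image has to contain curl, and DO_TOKEN has to be passed into the container. Issue the certificate once with --manual --preferred-challenges dns --manual-auth-hook pointing at the script; Certbot records the hook in the renewal conf, so a plain renew then works without a terminal. Two things the example leaves out: a matching --manual-cleanup-hook that deletes the TXT records afterwards (DigitalOcean needs the record id from the POST response, which means parsing JSON), and protection of the token, since anyone holding it can rewrite the whole zone, which is a far larger capability than issuing one certificate.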

Ah, I had not considered the concern of transferring a domain to someone else. That makes sense.

OK, thanks for the clarification on how often authorization needs to be performed. In this case, I might drop the wildcard certificate and go back to the explicit subdomain certificate so that I can use webroot authentication. I used the wildcard because it was “fancy”; but, it is not needed for my circumstance.

Thanks!
