Error on manual renewal with certbot certonly

My domain is: radioalgerie.dz

**I ran this command:**

root#ychaouche-PC 13:48:36 ~/DOWNLOADS/TOOLS # ./certbot-auto certonly -d *.radioalgerie.dz -m it_web@algerian-radio.dz

It produced this output:
./certbot-auto has insecure permissions!
To learn how to fix them, visit Certbot-auto deployment best practices
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a release (2.7.7+) that supports hmac.compare_digest as soon as possible.
utils.PersistentlyDeprecated2018,
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
root#ychaouche-PC 13:49:49 ~/DOWNLOADS/TOOLS #

My web server is:
nginx 1.10.3

The operating system my web server runs on is:
Linux (unknown)

My hosting provider, if applicable, is:
self-hosted

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no

The version of my client is: 1.3.0

Hi @ychaouche

If you want to create a wildcard certificate, you must use DNS validation.

So use --manual. Certbot-auto doesn't support an API solution.

Or switch to another client, maybe acme.sh.

PS:

*.radioalgerie.dz is bad, because the main domain isn't included.

Create a certificate with *.radioalgerie.dz and radioalgerie.dz.

3 Likes
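Added example, not part of the original posts or of certbot: a short Python check of the two points in the answer above, namely that a wildcard name can only be validated with a DNS challenge (which is why the webroot authenticator failed) and that `*.radioalgerie.dz` does not cover `radioalgerie.dz` itself. The plugin table and the host names `www` and `a.b` are constructed for illustration.

```python
"""Added example: which certbot authenticators can validate a set of
names, and which hosts a certificate's names actually cover."""

# Challenge types each authenticator can perform (illustrative table for
# the three options relevant to this thread).
CHALLENGES_BY_PLUGIN = {
    "webroot": {"http-01"},
    "standalone": {"http-01"},
    "manual": {"http-01", "dns-01"},
}


def allowed_challenges(name):
    """Challenge types Let's Encrypt accepts for one requested name."""
    if name.startswith("*."):
        return {"dns-01"}  # wildcards: DNS validation only
    return {"http-01", "dns-01", "tls-alpn-01"}


def plugin_can_validate(plugin, names):
    """True if the plugin offers an accepted challenge for every name."""
    offered = CHALLENGES_BY_PLUGIN[plugin]
    return all(offered & allowed_challenges(n) for n in names)


def covers(san, host):
    """Wildcard matching: '*' stands for exactly one leftmost label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]  # e.g. ".radioalgerie.dz"
    if not host.endswith(suffix):
        return False  # the bare parent domain fails here
    label = host[: -len(suffix)]
    return bool(label) and "." not in label


def uncovered(sans, hosts):
    """Hosts that none of the certificate names match."""
    return [h for h in hosts if not any(covers(s, h) for s in sans)]


if __name__ == "__main__":
    # Constructed host list for illustration.
    hosts = ["radioalgerie.dz", "www.radioalgerie.dz", "a.b.radioalgerie.dz"]
    for sans in (["*.radioalgerie.dz"], ["*.radioalgerie.dz", "radioalgerie.dz"]):
        usable = [p for p in CHALLENGES_BY_PLUGIN if plugin_can_validate(p, sans)]
        print(sans, "plugins:", usable, "uncovered:", uncovered(sans, hosts))
```
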

Thanks @JuergenAuer,

I’ve redone the same command only with --manual this time and went with DNS validation. This is a renewal, but I can’t really think of any difference b/w renewal and new certificate. It all seems the same to me (at least in manual mode).

I will think about adding another certificate for the parent domain.

Thanks!
