Error when renewing certificate using the dns-google authenticator plugin

I get an error when renewing one of three certificates on a server:

$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.uk.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-google, Installer None
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert (mydomain.uk) from /etc/letsencrypt/renewal/mydomain.uk.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.. Skipping.

It goes on to successfully renew two other certificates, including another one on google cloud platform, in the same account and project, so it cannot be a problem with the credentials, can it?

The only real difference with this failing domain and the other google one which passes, is that this one is not a wildcard certificate.

The certificate was made in much the same way, apart from * being replaced with www.

$ sudo certbot certonly \
  --dns-google \
  --dns-google-credentials ~/.secrets/certbot/google.json \
  --dns-google-propagation-seconds 120 \
  -d mydomain.uk \
  -d www.mydomain.uk

I don’t know if this is relevant, but this domain did previously have another certbot certificate which was made without the dns-google plugin, but it was deleted with sudo certbot delete and there are no TXT records in the zone (I can’t remember how it was authenticated before, but I didn’t delete any).

Let's have a look at this file:

We need to compare that file with a working renewal file for domain:
j__systems.co.uk
e__an.info

You might want to try this with the full (explicit) path instead:

File file /etc/letsencrypt/renewal/mydomain.uk.conf is exactly the same as the other dns-google one, apart from the domains. I even replaced the domain with the other using sed and there was no difference with diff. The other one is the same as well, apart from the domain and the cloudflare authenticator line.

The path to the credential files is also correctly expanded in those files, so I did not do anything further regarding that.

I have gone through everything many times and cannot find any problem on my side. Mysterious.

That makes two of us...

One last review. what does certbot certificates show?

It doesn’t seem to be anything unusual:

$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: j*******ez.uk
    Domains: j*******ez.uk www.j*******ez.uk
    Expiry Date: 2020-04-19 18:11:54+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/j*******ez.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/j*******ez.uk/privkey.pem
  Certificate Name: eg****n.info
    Domains: eg****n.info www.eg****n.info
    Expiry Date: 2020-04-19 15:46:44+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/eg****n.info/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/eg****n.info/privkey.pem
  Certificate Name: ji*****stems.co.uk
    Domains: *.ji*****stems.co.uk ji*****stems.co.uk
    Expiry Date: 2020-04-19 05:53:41+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/ji*****stems.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ji*****stems.co.uk/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

If I find out why this is happening I will give you an update, for the records. I’m planning on rebuilding this server soon, and hopefully it won’t happen again when I do. At least I don’t need to be using this problem domain in the immediate future.

Nothing unusual there…

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.