2022-12-04T03:04:13-0700 sma-server3 systemd[1]: Starting Service for snap application certbot.renew...
It produced this output:
2022-12-04T03:04:16-0700 sma-server3 certbot.renew[3052]: Renewal configuration file /etc/letsencrypt/renewal/sma-inc.us-0001.conf (cert: sma-inc.us-0001) produced an unexpected error: 'Namespace' object has no attribute 'dns_rfc2136_propagation_seconds'. Skipping.
2022-12-04T03:04:16-0700 sma-server3 certbot.renew[3052]: Renewal configuration file /etc/letsencrypt/renewal/sma-inc.us.conf (cert: sma-inc.us) produced an unexpected error: 'Namespace' object has no attribute 'dns_rfc2136_credentials'. Skipping.
2022-12-04T03:04:16-0700 sma-server3 certbot.renew[3052]: 0 renew failure(s), 2 parse failure(s)
2022-12-04T03:04:16-0700 sma-server3 systemd[1]: snap.certbot.renew.service: Main process exited, code=exited, status=1/FAILURE
2022-12-04T03:04:16-0700 sma-server3 systemd[1]: snap.certbot.renew.service: Failed with result 'exit-code'.
2022-12-04T03:04:16-0700 sma-server3 systemd[1]: Failed to start Service for snap application certbot.renew.
2022-12-04T03:10:49-0700 sma-server3 snapd[30713]: storehelpers.go:748: cannot refresh: snap has no updates available: "certbot", "core", "core20"
My web server is (include version):
n/a
The operating system my web server runs on is (include version):
opensuse 15.4
linux 5.14.21-150400.24.33-default x86_64
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site:
no
The version of my client is:
certbot 1.22.0
/etc/letsencrypt/renewal/sma-inc.us-0001.conf:
# Options used in the renewal process
[renewalparams]
account = xxx
rsa_key_size = 4096
authenticator = dns-rfc2136
dns_rfc2136_propagation_seconds = 15
dns_rfc2136_credentials = /root/.secrets/certbot/rfc2136.ini
server = https://acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/sma-inc.us.conf:
# Options used in the renewal process
[renewalparams]
authenticator = dns-rfc2136
account = xxx
server = https://acme-v02.api.letsencrypt.org/directory
# dns_rfc2136_propagation_seconds = 10
dns_rfc2136_credentials = /root/.secrets/certbot/rfc2136.ini
With regard to the first output: weird to see the plugin there. Could you please post the output of whereis certbot and also ls -l /usr/bin/certbot?
With regard to the second output: it seems the certificate with the name sma-inc.us-0001 is superfluous with regard to the certificate with the name sma-inc.us: it contains the same wildcard hostname, but lacks the apex domain. You should make sure all services using a certificate use the files in /etc/letsencrypt/live/sma-inc.us/ and after that you could delete the certificate with the name sma-inc.us-0001. See User Guide — Certbot 2.0.0 documentation for more info, especially the part about safely deleting certificates.
That's weird. I've never heard about the directory /etc/alternatives/, let alone /etc/alternatives/certbot. The symbolic link /usr/bin/certbot should actually point to /snap/bin/certbot. I have no idea what that /etc/alternatives/ is, but it seems that if you're running certbot from the command line, it's running a different Certbot than the one installed by snap. I'm pretty sure that if you'd run sudo /snap/bin/certbot plugins, you won't see the dns-rfc2136 plugin listed.
See the Certbot instructions for OpenSuse: Certbot Instructions | Certbot and click the "Wildcard" tab on the top of the instructions. Besides the generic "how to install Certbot using snap" it also includes instructions on how to install the DNS plugin.
Remember that it's probably not a good idea to have multiple Certbots installed. You probably want to uninstall whatever is installed in /etc/alternatives/ and symlink /usr/bin/certbot to /snap/bin/certbot.
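A pre-flight check for the mismatch discussed above, added here as an example and not written by anyone in the thread: it reads a renewal file, works out which plugin it depends on, and compares that with the plugins a given Certbot binary reports. The function names are hypothetical, the `certbot plugins` text is constructed and abbreviated, and the parser assumes each plugin entry in that output starts with `* `.

```python
import configparser

# Renewal file for sma-inc.us-0001 as quoted in the thread; the "version" line
# is constructed to stand in for the keys real files carry above the section.
CONF_0001 = """\
version = 1.22.0
# Options used in the renewal process
[renewalparams]
account = xxx
rsa_key_size = 4096
authenticator = dns-rfc2136
dns_rfc2136_propagation_seconds = 15
dns_rfc2136_credentials = /root/.secrets/certbot/rfc2136.ini
server = https://acme-v02.api.letsencrypt.org/directory
"""

# Constructed, abbreviated `certbot plugins` output for a binary without the DNS plugin.
PLUGINS_OUTPUT = """\
* standalone
Description: Spin up a temporary webserver
* webroot
Description: Place files in webroot directory
"""


def renewal_params(conf_text):
    """Parse [renewalparams]; a dummy header absorbs the sectionless top keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[_top]\n" + conf_text)
    return dict(cp["renewalparams"]) if cp.has_section("renewalparams") else {}


def plugins_listed(plugins_output):
    """Plugin names from `certbot plugins` output (each entry starts with '* ')."""
    return {ln[2:].strip() for ln in plugins_output.splitlines() if ln.startswith("* ")}


def parse_failures(conf_text, installed):
    """Return (missing plugins, their option keys in file order) for one renewal file."""
    params = renewal_params(conf_text)
    wanted = {params.get(k) for k in ("authenticator", "installer")} - {None, "None"}
    missing = sorted(wanted - installed)
    # Plugin options are stored under the plugin name with '-' replaced by '_'.
    prefixes = tuple(p.replace("-", "_") + "_" for p in missing)
    return missing, [k for k in params if k.startswith(prefixes)]


if __name__ == "__main__":
    print(parse_failures(CONF_0001, plugins_listed(PLUGINS_OUTPUT)))
```

Run it against the plugin list of the binary the renewal timer actually starts (here the snap one), since that may differ from the binary found first on the interactive PATH.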
Okay, I deleted the older version, and installed the rfc2136 plugin.
I won't know about the timer renewal until it runs.
I have a shell script that I tested and worked 2 weeks ago; it renews the certificate. Now it does not. (Sigh.) The name server is local to the network. Updates should happen in less than a second.
# /snap/bin/certbot certonly -d *.sma-inc.us --agree-tos --dns-rfc2136 --dns-rfc2136-credentials /root/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 15 --rsa-key-size 4096 --dry-run
... normal stuff ...
Certbot failed to authenticate some domains (authenticator: dns-rfc2136). The Certificate Authority reported these problems:
Domain: sma-inc.us
Type: dns
Detail: DNS problem: query timed out looking up TXT for _acme-challenge.sma-inc.us
Log entries from BIND:
04-Dec-2022 14:20:59.515 update: info: client @0x7ff334280310 192.168.69.246#40264/key letsencrypt: updating zone 'sma-inc.us/IN': adding an RR at '_acme-challenge.sma-inc.us' TXT "KtQ1YsbBZB6eQTpE3MNWhG3MnynC3sq3oAe7BRlNCwM"
04-Dec-2022 14:20:59.539 notify: info: zone sma-inc.us/IN: sending notifies (serial 2022111838)
04-Dec-2022 14:21:46.374 update: info: client @0x7ff33833a470 192.168.69.246#32954/key letsencrypt: updating zone 'sma-inc.us/IN': deleting an RR at _acme-challenge.sma-inc.us TXT
04-Dec-2022 14:21:46.398 notify: info: zone sma-inc.us/IN: sending notifies (serial 2022111839)