I tried to renew certificates but the challenge verification failed. The reason is that a self-signed certificate is required to connect to the website (SSLVerifyClient set to require in the apache2 conf).
As a workaround I temporarily disabled the client authentication, but I would like to know if it’s possible to provide the client certificate to Let’s Encrypt so that it can connect and pass the verification challenge.
Otherwise, how can I automatically renew certs in my case? Or is there any way to expand the 99-day lifetimes for certificates?
In that environment it won’t be possible to use the http challenge, you’ll have to use either the tls-sni or dns challenge. If you’re using Certbot you should use the apache plugin instead of webroot.
If your website requires client certificate authentication to connect, one option is (as @cool110 suggested) to use a different validator, though each of those carries its own requirements. Another option is to disable the authentication requirement for the /.well-known/acme-challenge path, leaving it intact for the remainder of your site. But no, there’s no way to extend the 90-day (not 99-day) certificate lifetime. And no, there’s no way to provide a client certificate to Let’s Encrypt so their servers will use it to connect.
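
One way to exempt only the challenge path, as an added example that is not part of the original posts: HTTP-01 validation starts on port 80, so answering the challenge there without redirecting leaves the client-certificate requirement on port 443 untouched. The server name and webroot path are placeholders, and mod_alias and mod_rewrite are assumed to be enabled.

```apache
# Added example. www.example.com and /var/www/letsencrypt are placeholders.
# Matching ACME client invocation (Certbot webroot mode):
#   certbot certonly --webroot -w /var/www/letsencrypt -d www.example.com

# Port 80: serve ACME HTTP-01 tokens directly, redirect everything else.
<VirtualHost *:80>
    ServerName www.example.com

    # Map the challenge URL onto a directory that holds nothing but tokens.
    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory /var/www/letsencrypt/.well-known/acme-challenge/>
        Require all granted
        Options None
        AllowOverride None
    </Directory>

    # Redirect to HTTPS unless the request is for a challenge token.
    # Without this exception the validator follows the redirect to
    # port 443 and fails the handshake, because it presents no client
    # certificate.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Port 443: client-certificate requirement stays as it was.
# A per-path "SSLVerifyClient none" here would not help: the server-level
# "require" is enforced during the TLS handshake, before Apache knows
# which path is being requested.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLVerifyClient require
    # ... existing SSLCertificateFile, SSLCertificateKeyFile,
    #     SSLCACertificateFile and site directives unchanged ...
</VirtualHost>
```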