Hey all, I ran the certbot update when I got my first email, and got a success, yet I just got my second email tonight, saying it's going to expire. When I check crt.sh, my domain appears with a valid timeline, but the *.domain.com has not renewed.
Is there an issue without having the *? If there is, how do I need to mod the command? I ran:
sudo certbot certonly --force-renew -d domain.com to renew my succesful cert.
Thanks for the advice!
Hi @mathewrtaylor, and welcome to the LE community forum 
Do not use that unless you know what it is meant to do.
Step #1: Reread the entire email.
Step #2: Look at all the names on the certs issued in the past 90 days.
Step #3: If you still don't know why you received any of these emails, then go back to step #1.
If you had provided the actual domain, we could have helped further.
To address your concern about the wildcard certificate, you must have obtained a cert with one in it [somehow].
The command shown doesn't request one and won't install the cert issued.
Thanks for the explanation. Let's address your points so we're on the same page:
Step #1: Reread the entire email. Done.
Step #2: Look at all the names on the certs issued in the past 90 days. Missing (asterisk).domain.com as I asked about in my initial request.
Step #3: If you still don't know why you received any of these emails, then go back to step #1. I emailed this support, since running the certbot renewal fails out if I run the same command abbreviated with (asterisk). . Since technically, domain and (asterisk).domain should be the same thing, that's why I reached out here.
The force renew was a command I was following after just running certbot renew didn't work on: How can I renew Let's Encrypt certificates? :: DigitalOcean Documentation .
Here's my site output: crt.sh | newhereicanlearn.us
Thanks again for the assistance @rg305
No, a cert with a wildcard domain name must use the DNS Challenge method of authentication. Non-wildcard names can use DNS or HTTP Challenge (details here).
Are you using Google Domains or Google Cloud ? Because the DNS support between the two is different for DNS Challenges (one supports an api and the other not).
Let's start unpacking this with you showing us the result of this
sudo certbot certificates
This certificate crt.sh | 7770563111 could only have been issued using the DNS-01 challenge. Let's Encrypt only issues certificates containing wildcard domain names by using the DNS-01 challenge.
The Let's Debug results with DNS-01 All OK, results here https://letsdebug.net/newhereicanlearn.us/1327421
You did:
crt.sh | 7770563111
That command will only get the name shown.
You must have done so, probably manually.
To satisfy the DNS Challenge, one must add a TXT record in the DNS zone:
_acme.challenge.example.com
Do you recall having done that?
You will have to repeat those steps if you want to renew the wildcard cert.
sudo certbot certonly -d example.com -d *.example.com
Please read this link https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.