How to change DNS-01 to http-01 for renew certificate


My domain is: www.ctc-g.com.my

I ran this command: # certbot-auto --manual --preferred-challenges dns certonly -d www.ctc-g.com.my

It produced this output:

My web server is (include version): 2.4.37 (centos)

The operating system my web server runs on is (include version): centos 8.x

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): # certbot-auto --version
certbot 1.5.0

Hi All

Environment:
OS: CentOS 8.x (this server is hosted on our VMware farm) and we have full access
We use certbot-auto (v1.5)

I'm new to Let's Encrypt and this is my first time configuring an SSL certificate using Let's Encrypt.

I successfully installed certbot-auto (client) on CentOS 8.x.
I also successfully installed an SSL certificate (Let's Encrypt) on the Apache server.

Because the SSL certificate is going to expire, we tried to renew it by http-01 (certbot-auto renew --dry-run); unfortunately I have been unable to renew the SSL certificate via http-01 for about 2 weeks.
Error: fetching http://www.ctc-g.com.my/.well-known/acme-challenge/xxxx: timeout during connect (looks like a firewall problem).

Next I tried the manual dns-01 method and successfully renewed the SSL certificate.

Now I would like to switch back from dns-01 to http-01 to troubleshoot why renewing the SSL certificate does not succeed.

I also read "Can't do HTTP-01 challenge after DNS-01 challenge".

certbot-auto renew --dry-run --preferred-challenges http

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/www.ctc-g.com.my.conf

Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (www.ctc-g.com.my) from /etc/letsencrypt/renewal/www.ctc-g.com.my.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.ctc-g.com.my/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.ctc-g.com.my/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

My question:

  1. How do I switch from dns-01 to http-01 on the certbot-auto command? Are there any files I should back up in case I need to go back to dns-01 for renewing the SSL certificate, if certbot-auto fails to renew it?

Thanks


You won't be able to use the HTTP challenge until you figure out why Let's Encrypt can't connect to your server on port 80.

I can connect from my computer, so the most likely cause is that you have a firewall which is blocking the Let's Encrypt validation hosts.

Once you figure that part out, switching to HTTP is not too complicated, you just need to choose whether to use the Apache or webroot authenticator and do e.g.

certbot renew -a apache --dry-run

or

certbot renew -a webroot -w /var/www/html  --dry-run

(adjusting the path as necessary).

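To go with the advice above (check port 80 first, then switch authenticator, and keep the dns-01 settings recoverable), here is an added example script; it is not code from the thread or from Certbot. The domain and renewal conf path are the ones from the thread; the Apache document root /var/www/html is an assumption, as in the reply.

```shell
#!/bin/sh
# Added example, not from the thread or from Certbot: show the renewal settings
# certbot will reuse, back them up, and self-test the HTTP-01 path before a
# webroot dry run. DOMAIN and CONF are from the thread; WEBROOT is assumed.
DOMAIN="www.ctc-g.com.my"
CONF="/etc/letsencrypt/renewal/${DOMAIN}.conf"
WEBROOT="/var/www/html"

# Print the authenticator and challenge stored in a renewal conf. "certbot renew"
# reuses them, which is why a manual/dns-01 conf fails when run non-interactively.
show_renewal_settings() {
    auth=$(sed -n 's/^authenticator *= *//p' "$1")
    chall=$(sed -n 's/^pref_challs *= *//p' "$1")
    echo "authenticator=${auth:-unset} pref_challs=${chall:-unset}"
}

# Keep a copy of the renewal conf so the dns-01 settings can be restored with cp.
backup_renewal_conf() {
    cp -p "$1" "$2" && echo "$2"
}

# Drop a random token under the ACME path and fetch it over plain HTTP on port 80,
# as the CA's validators would. From the server itself this only proves the vhost
# serves the path; fetch the printed URL from outside the network to test the firewall.
selftest_http01() {
    dir="$1/.well-known/acme-challenge"
    token="selftest-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    mkdir -p "$dir" && echo "$token" > "$dir/$token" || return 1
    echo "probe URL: http://$2/.well-known/acme-challenge/$token"
    if got=$(curl -fsS --max-time 10 "http://$2/.well-known/acme-challenge/$token") \
        && [ "$got" = "$token" ]; then ok=0; else ok=1; fi
    rm -f "$dir/$token"
    return $ok
}

main() {
    show_renewal_settings "$CONF"
    backup_renewal_conf "$CONF" "$CONF.dns01.bak"
    selftest_http01 "$WEBROOT" "$DOMAIN" || { echo "port 80 path not reachable"; exit 1; }
    # Dry run with the webroot authenticator. A dry run saves nothing; a later
    # successful real renewal is what stores the webroot settings in the conf.
    certbot-auto renew --cert-name "$DOMAIN" -a webroot -w "$WEBROOT" --dry-run
}

case "${1-}" in --run) main ;; esac
```

Run it as `sh script.sh --run` on the server; if the dry run fails, `cp` the .dns01.bak file back over the renewal conf to return to the working dns-01 setup.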

Hi _az

Thanks for your information. Before proceeding with the steps you provided, I read "Certbot renewal fails with 'The client lacks sufficient authorization' error"; it looks like the http-01 validation request was coming from an IPv6 address.

Our DNS server is only configured for IPv4; if this is one of the requirements for renewing the SSL certificate by the http-01 method, then I will stick to dns-01.

Could someone assist in verifying the above query (that the http-01 validation request was coming from an IPv6 address, not IPv4)?

Thanks


IPv6 is only used if the domain has an AAAA record. Yours doesn’t, so IPv6 is not involved.
