On 21 Nov 2020 I created separate certificates for several subdomains with a command like:
certbot -i apache -a manual --preferred-challenges dns --no-redirect -d $i
for each subdomain, where $i is the subdomain name, like demo1.ligamen.org
Now launching
certbot -i apache -a manual --preferred-challenges dns --no-redirect renew
throws the same error for each subdomain:
Attempting to renew cert (demo1.ligamen.org) from /etc/letsencrypt/renewal/demo1.ligamen.org.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin
The renewal confs are like:
# cat /etc/letsencrypt/renewal/demo1.ligamen.org.conf
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/demo1.ligamen.org
cert = /etc/letsencrypt/live/demo1.ligamen.org/cert.pem
privkey = /etc/letsencrypt/live/demo1.ligamen.org/privkey.pem
chain = /etc/letsencrypt/live/demo1.ligamen.org/chain.pem
fullchain = /etc/letsencrypt/live/demo1.ligamen.org/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 536d88674a900c72784efd2472a197e1
pref_challs = dns-01,
authenticator = manual
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
Why do you want to use -a manual, which requires human interaction, instead of something like -a apache, which doesn't? Is there a particular reason that you need the DNS-01 challenge in your environment?
It is not possible to automate a manually required DNS change:
Then you may need to change the challenge type to HTTP.
I see you are now using:
which will spin up a temporary web server to answer the HTTP challenge requests. Did that work?
[it requires use of TCP port 80]
Not too sure about the errors returned by certbot 0.31.0, but adding -vv [or -vvv for even more] will increase the amount of output shown in the log file.
If you're using Apache the best method is normally
sudo certbot --apache -d
which will both obtain and install the certificates for you (here --apache is equivalent to -a apache -i apache). As @rg305 pointed out, --standalone is a little peculiar because it needs to be able to use port 80, which typically Apache would already be using.
Yes, except (as I recall) "no renewals attempted" and "all renewals succeeded"
So certbot returns a string, not a boolean?
Yes, but that method did not work because I removed all certificates and Apache could not be restarted anymore, because references to the certificates were still pointing to the removed ones, throwing a syntax error in the config test.
In that case you'll have to fix that by removing those references, or else putting dummy certs (like a "snake oil" cert) temporarily in the paths where they were before.
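For the renewal configs discussed earlier in this thread, the following is an added example (not code from any poster or from certbot) that parses a renewal .conf and flags two conditions that stop unattended `certbot renew`: `authenticator = manual` with no auth hook, and a stored `dns-01` preference paired with an HTTP-only plugin. The sample config is constructed from the one quoted above with a placeholder account value; the function names are hypothetical.

```python
import configparser

# Constructed sample modelled on the renewal config quoted in the thread
# (the account value is a placeholder, not a real account id).
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/demo1.ligamen.org
cert = /etc/letsencrypt/live/demo1.ligamen.org/cert.pem
# Options used in the renewal process
[renewalparams]
account = ACCOUNT_ID_PLACEHOLDER
pref_challs = dns-01,
authenticator = manual
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
"""

# Plugins that answer HTTP challenges only and cannot satisfy dns-01.
HTTP_ONLY = ("apache", "nginx", "standalone", "webroot")

def parse_renewal_conf(text):
    """Return (top_level, renewalparams) dicts from a renewal .conf body."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    # Keys above [renewalparams] have no section header; give them one.
    cp.read_string("[top]\n" + text)
    params = dict(cp["renewalparams"]) if cp.has_section("renewalparams") else {}
    return dict(cp["top"]), params

def renewal_findings(text):
    """List reasons this lineage would fail or stall under unattended renew."""
    _, params = parse_renewal_conf(text)
    auth = params.get("authenticator", "")
    challs = [c.strip() for c in params.get("pref_challs", "").split(",") if c.strip()]
    findings = []
    if auth == "manual" and not params.get("manual_auth_hook"):
        findings.append("authenticator=manual without manual_auth_hook: needs a human")
    if challs == ["dns-01"] and auth in HTTP_ONLY:
        findings.append("pref_challs=dns-01 but %s does not perform dns-01" % auth)
    return findings

if __name__ == "__main__":
    for finding in renewal_findings(SAMPLE_CONF):
        print("demo1.ligamen.org:", finding)
```

To audit a real host, read each file under /etc/letsencrypt/renewal/ and pass its contents to `renewal_findings`.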