How to retrieve TXT values

Hi

I created an SSL cert for my main domain domain.org successfully. It was working fine.

I then tried to create another certificate for a sub-domain, this time manually, and I was asked to create TXT values. I did not manage to create the TXT values, but that's for a separate session.

I went back to check the TXT value entries for my domain and found that there were no TXT values created, but somehow it worked.

Wonder why?

How do I retrospectively retrieve the TXT value for the original domain.org if I wanted to update the TXT values in the DNS?

Thanks for your help.

2 Likes

Hello again. :slightly_smiling_face:

The TXT records for dns-01 challenges change each time you try to acquire a certificate. Therefore, you can always just delete the TXT records then try again. Let's Encrypt caches authorizations for four weeks for (sub)domain names for which you have successfully verified control. If you request a certificate containing any of those (sub)domain names, you will not be asked to reverify control again until the authorizations expire. Regardless, you should probably be using http-01 challenges.

2 Likes
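To make the "the TXT records change each time" point concrete, here is an added example (not code from the thread or from Let's Encrypt) of how the dns-01 TXT record name and value are derived under RFC 8555 section 8.4. The value is a hash over a one-time challenge token and the ACME account key's thumbprint, so it exists only for the challenge that issued the token; there is nothing stable to "retrieve" later. The token and thumbprint strings below are constructed placeholders, and the script assumes `openssl` is installed.

```shell
#!/bin/sh
# Added example (not from the thread): how a dns-01 TXT record is built,
# per RFC 8555 section 8.4. Requires openssl. TOKEN and THUMBPRINT below
# are constructed placeholders, not values from any real challenge.

# Base64url encoding without padding, as ACME requires.
b64url() {
    openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# Name of the TXT record for a dns-01 challenge: _acme-challenge.<domain>
dns01_record_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Value of the TXT record: base64url(SHA-256(token "." account-key-thumbprint)).
# The CA issues a fresh token for every challenge, so a retry or a new order
# yields a new value; only the account-key thumbprint stays the same.
dns01_record_value() {
    printf '%s.%s' "$1" "$2" | openssl dgst -sha256 -binary | b64url
}

# Constructed placeholders (a real token is random data from the CA and a
# real thumbprint is the base64url SHA-256 of the account's JWK).
TOKEN='constructed-token-for-first-attempt'
THUMBPRINT='constructed-account-key-thumbprint'

# This is the shape of what certbot's manual mode asks you to publish.
printf 'Name : %s\n' "$(dns01_record_name abc.domain.org)"
printf 'Value: %s\n' "$(dns01_record_value "$TOKEN" "$THUMBPRINT")"
```

Run it twice with different tokens and the value changes while the name stays `_acme-challenge.abc.domain.org`; that is why a stale TXT record from an earlier attempt can simply be deleted.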

Hey @griffin - hello again :grinning:

Is there anything I need to do to swap to http-01 challenges?
I don't seem to find any particular commands for this action.

Another question
I installed a certificate for my sub-domain manually. When I ran
sudo certbot renew --dry-run
I got the results below, which showed errors.
How do I switch to some auto mode?

> Failed to renew certificate abc.domain.org with error: The manual plugin is not working; there may be problems with your existing configuration.
> The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')

2 Likes

The renew command does not work with the manual authenticator unless you provide scripts to set up/clean up the challenges. This is the reason why I suggested using http-01 challenges instead of dns-01 challenges. They're easier to automate. While you could manually complete http-01 challenges, which would leave you in the same predicament, you should use the apache authenticator (--apache) or, if that doesn't work, the webroot authenticator (-a webroot -w /path/to/your/webroot/directory -i apache). These will put you on the path to autorenewal.

2 Likes
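The renew failure above is decided by what certbot recorded at issuance time, not by anything on the command line. As an added example (not code from the thread or from certbot), the script below scans certbot's per-certificate renewal configs, which live in /etc/letsencrypt/renewal/<name>.conf with the authenticator in a [renewalparams] section, and flags the ones that `certbot renew` cannot complete unattended: a manual authenticator with no recorded manual_auth_hook. The three sample configs it creates are constructed to mirror the thread's situation, and the hook paths in the third one are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): find certificates that `certbot renew`
# cannot renew unattended by reading certbot's renewal configs. The sample
# configs below are constructed to mirror certbot's layout, not copied from
# a real system.

# Print the value of one key (e.g. authenticator, manual_auth_hook) from a conf.
renewal_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Exit 0 if the config can be renewed without a human present, 1 otherwise.
# The web-server and webroot authenticators solve http-01 by themselves; the
# manual authenticator only works non-interactively when a --manual-auth-hook
# script was recorded at issuance.
renewal_is_unattended() {
    case "$(renewal_param "$1" authenticator)" in
        apache|nginx|webroot|standalone) return 0 ;;
        manual) [ -n "$(renewal_param "$1" manual_auth_hook)" ] ;;
        *) return 1 ;;
    esac
}

# One line per certificate; the default directory is certbot's.
report_renewals() {
    dir=${1:-/etc/letsencrypt/renewal}
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        name=$(basename "$conf" .conf)
        if renewal_is_unattended "$conf"; then
            status='ok'
        else
            status='NEEDS ATTENTION: cannot renew unattended'
        fi
        printf '%-24s %-10s %s\n' "$name" "$(renewal_param "$conf" authenticator)" "$status"
    done
}

# Constructed sample configs (trimmed to the keys that matter here).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/domain.org.conf" <<'EOF'
cert = /etc/letsencrypt/live/domain.org/cert.pem
[renewalparams]
authenticator = apache
installer = apache
EOF
cat > "$SAMPLE_DIR/abc.domain.org.conf" <<'EOF'
cert = /etc/letsencrypt/live/abc.domain.org/cert.pem
[renewalparams]
authenticator = manual
pref_challs = dns-01,
EOF
# Hook paths are hypothetical; they stand for whatever updates your DNS.
cat > "$SAMPLE_DIR/hooked.domain.org.conf" <<'EOF'
cert = /etc/letsencrypt/live/hooked.domain.org/cert.pem
[renewalparams]
authenticator = manual
manual_auth_hook = /usr/local/bin/acme-dns-auth.sh
manual_cleanup_hook = /usr/local/bin/acme-dns-cleanup.sh
EOF

report_renewals "$SAMPLE_DIR"
```

On a real host run `report_renewals` with no argument (as root, since the directory is not world-readable); any line marked NEEDS ATTENTION is a certificate that must either be reissued with --apache or -a webroot, or have hook scripts added with --manual-auth-hook and --manual-cleanup-hook.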

Hi Griffin

Noted on the automated use of http-01 challenges. The reason why I had it set to manual was because I was following instructions from some websites blindly and did not know what I was doing. Haha.

So to switch and reinstall my cert with the automation on, I just need to do the following command?

sudo certbot --apache --preferred-challenges http -d mydomain.org

Philip

2 Likes

sudo certbot --apache -d "mydomain.org,mydomain.org" --force-renewal

Please note that --force-renewal will acquire a new certificate every time the command is run, which can run you into the duplicate certificate rate limit very quickly if repeated. That dangerous parameter is only included because certbot will only update your renewal configuration if a certificate is actually acquired by the command.

2 Likes

Noted ... thanks Griffin :raised_hands:

3 Likes
