Looking for autorenew command for certbot

My domain is: burgess.tech

I ran this command: certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/burgess.tech.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate burgess.tech with error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/burgess.tech/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx/1.22.1

The operating system my web server runs on is (include version): Linux mail 6.1.0-32-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.129-1 (2025-03-06) x86_64 GNU/Linux

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

Unfortunately I don't know the command I used to create this certificate. I can renew manually with the command

certbot certonly --manual -d '*.burgess.tech'

but then I'm prompted to create a new DNS TXT record. My goal is to renew automatically using my existing TXT record and I haven't been able to figure out how to do that.

Welcome @novaclark

Your DNS provider is Cloudflare which is well integrated with Certbot (and many other ACME clients). Please see these docs to automate renewal for your situation: Welcome to certbot-dns-cloudflare’s documentation! — certbot-dns-cloudflare 0 documentation

I'll also note that with a wildcard cert you usually want to specify the apex name in the cert too. Just use two -d options, one for the wildcard and one for burgess.tech.

The wildcard name only supports names like www.burgess.tech or api.burgess.tech

2 Likes
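The setup the reply above points to, written out as an added example (this is not code from the thread or from the certbot project): create a root-only credentials file for certbot-dns-cloudflare, verify its permissions, and issue the apex plus wildcard in one certificate. The API token, the credentials path and the 30-second propagation wait are assumptions; the file key `dns_cloudflare_api_token` and the `--dns-cloudflare*` flags are the plugin's real ones.

```sh
#!/bin/sh
# Added example, not from the thread: prepare certbot-dns-cloudflare so that a plain
# `certbot renew` can create and remove the _acme-challenge TXT record itself.
# Assumes the plugin is installed and that a Cloudflare API token scoped to
# Zone:DNS:Edit on burgess.tech exists (placeholder value below).

CREDS_FILE="${CREDS_FILE:-/root/.secrets/certbot/cloudflare.ini}"
API_TOKEN="${API_TOKEN:-PLACEHOLDER_CLOUDFLARE_TOKEN}"   # replace with the real token

# Write the credentials file so that only root can read it (umask in a subshell
# so the caller's umask is untouched).
write_creds() {
    file="$1"; token="$2"
    mkdir -p "$(dirname "$file")"
    ( umask 077; printf 'dns_cloudflare_api_token = %s\n' "$token" > "$file" )
    chmod 600 "$file"
}

# Return 0 only when the file is not group- or world-readable; certbot warns about
# "unsafe permissions" otherwise, and the token would be exposed to local users.
creds_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# One-time issuance command: apex and wildcard together, as the reply suggests.
# Once this has run, /etc/letsencrypt/renewal/<name>.conf records the dns-cloudflare
# authenticator and `certbot renew` needs no further arguments.
issue_cmd() {   # $1 = credentials file, $2 = apex domain
    printf "certbot certonly --dns-cloudflare --dns-cloudflare-credentials %s --dns-cloudflare-propagation-seconds 30 -d %s -d '*.%s'\n" "$1" "$2" "$2"
}

# Only perform real actions when explicitly asked, so the file can be sourced safely.
if [ "${1:-}" = "run" ]; then
    write_creds "$CREDS_FILE" "$API_TOKEN"
    creds_mode_ok "$CREDS_FILE" || { echo "refusing: $CREDS_FILE is readable by others" >&2; exit 1; }
    sh -c "$(issue_cmd "$CREDS_FILE" burgess.tech)"
fi
```

After the first issuance succeeds, `certbot renew --dry-run` confirms the renewal conf now carries the DNS plugin and no longer needs `--manual-auth-hook`.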

That's because it isn't possible, in the general sense, to do that. Every time the challenge is triggered, you need a new DNS token. If you renew way too early, your existing authorization may still be valid and you won't need to update the record--but that won't be because it's using the existing record; it'd be because it isn't requesting a record at all.

4 Likes

If you don't control the domain (and that's why you can't use automatic DNS validation) you could CNAME _acme-challenge to a surrogate zone you do control and have your ACME client update that record instead.

If you do control the domain then the best option (assuming you can't use HTTP domain validation) is to use automated DNS updates as already suggested. With Cloudflare you can scope the API token to a specific domain etc.

1 Like
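The CNAME-delegation approach from the reply above, as an added example hook pair for certbot's `--manual-auth-hook` / `--manual-cleanup-hook` (not code from the thread or the certbot project). The surrogate zone `acme.example`, its server `ns1.acme.example`, the TSIG key path and the CNAME `_acme-challenge.burgess.tech -> burgess-tech.acme.example` are all assumed placeholders; `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` are the environment variables certbot really sets for the hook. The update is done with `nsupdate` (RFC 2136), which is what a zone you control yourself would typically accept.

```sh
#!/bin/sh
# Added example, not from the thread. Invoke as:
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook "/path/to/hook.sh auth" \
#     --manual-cleanup-hook "/path/to/hook.sh cleanup" \
#     -d burgess.tech -d '*.burgess.tech'
# Assumptions (placeholders): the surrogate zone, its name server and the TSIG key.
set -eu

NS_SERVER="${NS_SERVER:-ns1.acme.example}"
SURROGATE_ZONE="${SURROGATE_ZONE:-acme.example}"
TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/acme-surrogate.key}"

# Name the CA will query. For a wildcard authorization certbot already passes the
# bare domain in CERTBOT_DOMAIN, but a leading "*." is stripped defensively.
challenge_name() {
    d="${1#\*.}"
    printf '_acme-challenge.%s\n' "$d"
}

# Follow the CNAME so the TXT record is written in the surrogate zone; if there is
# no CNAME, fall back to the original name (trailing dot removed for nsupdate).
cname_target() {
    t=$(dig +short CNAME "$1" | sed 's/\.$//')
    printf '%s\n' "${t:-$1}"
}

# Build the nsupdate transaction as text so it can be inspected without a server.
# $1 = add|delete, $2 = record name, $3 = TXT value (the ACME validation string).
nsupdate_script() {
    printf 'server %s\nzone %s\nupdate %s %s. 60 IN TXT "%s"\nsend\n' \
        "$NS_SERVER" "$SURROGATE_ZONE" "$1" "$2" "$3"
}

# Send the signed update to the surrogate zone's server.
apply_update() {
    nsupdate_script "$1" "$2" "$3" | nsupdate -k "$TSIG_KEY"
}

case "${1:-}" in
    auth)
        name=$(cname_target "$(challenge_name "$CERTBOT_DOMAIN")")
        apply_update add "$name" "$CERTBOT_VALIDATION"
        sleep 30   # manual hooks get no propagation wait from certbot; give the zone time
        ;;
    cleanup)
        # Deleting with the data present removes only this validation's TXT record, so
        # the apex and wildcard authorizations (same name, different values) don't collide.
        name=$(cname_target "$(challenge_name "$CERTBOT_DOMAIN")")
        apply_update delete "$name" "$CERTBOT_VALIDATION"
        ;;
    *) ;;   # no argument: functions only (sourcing or testing)
esac
```

Keep the TSIG key, like any DNS API token, readable by root only; limiting the key's update policy to TXT records in the surrogate zone means a compromise of this host cannot alter the real burgess.tech zone.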
