Noob question Renewal failure

My domain is: seahorseconsulting.co.uk

I ran this command: I've tried two...

  1. certbot certonly
    How would you like to authenticate with the ACME CA?
    selected option 2
    Plugins selected: Authenticator webroot, Installer None
    Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
    to cancel):
    seahorseconsulting.co.uk *.caymanblueconsulting.com *.myb777.co.uk *.seahorseconsulting.co.uk *.thepositivemindset.co.uk *.widana-dive.co.uk caymanblueconsulting.com myb777.co.uk thepositivemindset.co.uk widana-dive.co.uk
    Cert is due for renewal, auto-renewing...
    Renewing an existing certificate
    Performing the following challenges:
    Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
    Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

Bit of googling led me to try...

  2. certbot certonly --preferred-challenges=dns
    How would you like to authenticate with the ACME CA?
    selected option 2
    Plugins selected: Authenticator webroot, Installer None
    Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
    to cancel): seahorseconsulting.co.uk *.caymanblueconsulting.com *.myb777.co.uk *.seahorseconsulting.co.uk *.thepositivemindset.co.uk *.widana-dive.co.uk caymanblueconsulting.com myb777.co.uk thepositivemindset.co.uk widana-dive.co.uk
    Cert is due for renewal, auto-renewing...
    Renewing an existing certificate
    Performing the following challenges:
    None of the preferred challenges are supported by the selected plugin

It produced this output: Shown above

My web server is (include version): Apache Version 2.4.43

The operating system my web server runs on is (include version): Operating System linux but that is all the cpanel tells me.

My hosting provider, if applicable, is: 123-reg.co.uk

I can login to a root shell on my machine (yes or no, or I don't know): No, I've generated the certs on my PC and pasted the keys in the hosting cpanel

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel Version 86.0 (build 25)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.6.0

I remember (and have checked) setting up the DNS _acme-challenge TXT/SPF entries but don't remember uploading any files, but it is nearly 90 days ago and this is my first renewal.

I'm happy to do this style of renewing every 90 days, but being the first time I'm finding it challenging as I've very little experience with this type of command line thing.

Many thanks in advance.

1 Like

Almost. To force things to be manual, you need to also add --manual. So it'd be:

certbot certonly --manual --preferred-challenges dns
2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

The webroot authenticator doesn't support dns challenges. I frequently use cPanel and can definitely get you through this.

I'm assuming you added TXT records to your DNS zone before.

Use this command:
certbot certonly --cert-name mycert --manual --preferred-challenges dns -d "seahorseconsulting.co.uk,*.seahorseconsulting.co.uk,caymanblueconsulting.com,*.caymanblueconsulting.com,widana-dive.co.uk,*.widana-dive.co.uk,myb777.co.uk,*.myb777.co.uk,thepositivemindset.co.uk,*.thepositivemindset.co.uk"

If your cPanel is like mine, you'll need to:

  1. Import privkey.pem
  2. Import cert.pem (not fullchain.pem since the CA intermediate (bundle) will be filled for you)
  3. Remember to install your certificate after saving it!
1 Like
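
Added example, not part of the reply above: a small shell script that shows why this certificate needs DNS-01 (Let's Encrypt validates wildcard names only over DNS) and how many TXT values each _acme-challenge record must hold when a domain and its wildcard are on the same certificate. The function names are illustrative; the domain list is the one from the command above.

```shell
#!/bin/sh
# Added example, not from the thread: plan the DNS-01 work before running
# certbot --manual. The names are the ones in the reply's -d argument.
DOMAINS="seahorseconsulting.co.uk,*.seahorseconsulting.co.uk,caymanblueconsulting.com,*.caymanblueconsulting.com,widana-dive.co.uk,*.widana-dive.co.uk,myb777.co.uk,*.myb777.co.uk,thepositivemindset.co.uk,*.thepositivemindset.co.uk"

# One certificate name per line, from a comma- or space-separated list.
split_names() {
    printf '%s\n' "$1" | tr ', ' '\n\n' | grep -v '^$'
}

# TXT record name that DNS-01 checks for one certificate name.
# "*.example.com" is validated at "_acme-challenge.example.com", which is
# the same record name used for the bare "example.com".
txt_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Number of wildcard names in the list. Any value above 0 means the
# webroot (HTTP-01) authenticator cannot satisfy the whole certificate.
wildcard_count() {
    split_names "$1" | grep -c '^\*\.' || true
}

# Print "<count> <record name>": how many TXT values must be published
# at that record name at the same time during validation.
plan_records() {
    split_names "$1" | while read -r name; do txt_name "$name"; done |
        sort | uniq -c | awk '{print $1, $2}'
}

echo "Wildcard names (DNS-01 only): $(wildcard_count "$DOMAINS")"
echo "TXT values needed per record name:"
plan_records "$DOMAINS"
```

Where the count is 2, keep both TXT values published at that name until certbot finishes; replacing the first value with the second makes one of the two validations fail.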

If you have cpanel, then you should look for a way to get the cert through it.
cpanel and certbot don't play well together - stick with any available cpanel options.

READERS: Get involved. Be heard. Do your part with: If you read something you like, then like it :heart:

1 Like

@rg305

At least @DwainPipe is using certbot instead of some website client that will steal the private keys.

@DwainPipe

I'm currently in the process of redeveloping my website ACME client to be even more friendly for cPanel users, so be on the lookout. It will be a single PHP file you download to manage your certificates.

1 Like

Thank you for all the replies. I have now successfully renewed :slight_smile:

It's a bit labour intensive, but it's only once every three months.

I didn't know I could import the *.pem keys themselves, I've been copy/pasting the file contents.

Many thanks all.

2 Likes