I requested a certificate covering both skalei.com and *.skalei.com using:

sudo certbot certonly --dns-digitalocean --dns-digitalocean-credentials /home/skalei/.digitalocean.ini -d skalei.com -d "*.skalei.com"

I have a CNAME record pointing from _acme_challenge.skalei.com to skalei.com.skalei-validation.com.

When I run sudo certbot renew --dry-run, it outputs:

Processing /etc/letsencrypt/renewal/skalei.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for skalei.com and *.skalei.com
Encountered exception during recovery: certbot.errors.PluginError: Unable to determine base domain for skalei.com using names: ['skalei.com', 'com'].
Failed to renew certificate skalei.com with error: Unable to determine base domain for skalei.com using names: ['skalei.com', 'com'].

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/skalei.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

However, when I run sudo certbot renew --force-renewal, it renews the certificate successfully.

Does this mean that automated renewal won't work? Or is this some sort of false negative on the part of the dry run?

The server's OS is Ubuntu 20.04. My host is DigitalOcean. My Certbot version is 1.17.0.

I appreciate any help!

The opposite! It is a false positive on the part of --force-renewal due to something called "authorization caching".

--dry-run is what you should trust.

Are the DigitalOcean credentials you are providing, only for skalei-validation.com?

The --dns-digitalocean plugin doesn't follow CNAMEs; it expects to find skalei.com in your DigitalOcean account.

If this is a dealbreaker for you, you might consider a client which supports DNS alias mode like acme.sh: DNS alias mode · acmesh-official/acme.sh Wiki · GitHub.

Are you sure?

--dry-run is what you should trust.

That's good to know!

The DigitalOcean credentials are only for skalei-validation.com. skalei.com is in a separate DigitalOcean account.

The --dns-digitalocean plugin doesn't follow CNAMEs; it expects to find skalei.com in your DigitalOcean account.

I was afraid of that. But then how was the certificate successfully issued at all in the first place? I believe I had the CNAME record in place when I first requested the certificate, and the credentials in the credentials file were for the skalei-validation.com DigitalOcean account.

As far as I can tell.

Thanks, I'll give that a shot.

This is what I see:

dig CNAME _acme-challenge.skalei.com. @ns1.digitalocean.com

; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> CNAME _acme-challenge.skalei.com. @ns1.digitalocean.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7365
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.skalei.com.    IN      CNAME

;; AUTHORITY SECTION:
skalei.com.             1800    IN      SOA     ns1.digitalocean.com. hostmaster.skalei.com. 1626594636 10800 3600 604800 1800

;; Query time: 674 msec
;; SERVER: 2400:cb00:2049:1::adf5:3a33#53(2400:cb00:2049:1::adf5:3a33)
;; WHEN: Sun Jul 18 08:36:20 UTC 2021
;; MSG SIZE  rcvd: 119

It probably won't make any difference, but I would use one -d (instead of two):
-d "skalei.com,*.skalei.com"

I am not sure, it doesn't seem possible to me. I would guess that you used the other credentials.

Good luck with alias mode!

Where all of these certs issued via manually issued commands?
[or did they run via some job?]

If certbot was run manually, I would check the history of those commands.
[and also check the validity and the history of the credentials file]
history | grep certbot

I saw that, too, and I was confused since I can clearly see the CNAME record in my DNS settings in DigitalOcean. Also, if I use a tool like https://dnschecker.org/#CNAME/_acme_challenge.skalei.com, the CNAME record shows up.

That makes no sense:

nslookup -q=cname _acme-challenge.skalei.com. ns1.digitalocean.com
Server:         ns1.digitalocean.com
Address:        2400:cb00:2049:1::adf5:3a33#53

*** Can't find _acme-challenge.skalei.com.: No answer

nslookup -q=cname _acme-challenge.skalei.com. 173.245.58.51
Server:         173.245.58.51
Address:        173.245.58.51#53

*** Can't find _acme-challenge.skalei.com.: No answer

[both IPv6 and IPv4 fail for me]
[via both dig and nslookup]

I am not sure, it doesn't seem possible to me. I would guess that you used the other credentials.

That's what I thought. But I just checked to make sure I was using the credentials from the skalei-validation.com DigitalOcean account. I even deleted the only API token in the skalei.com DigitalOcean account, so there are no valid credentials for that account.

I ran sudo cerbot delete to remove the certificate. When I tried to recreate the certificate, it succeeded! So if the DigitalOcean plugin doesn't follow CNAMEs, I'm not sure what's happening.

Cached authentication at LE?
Several similar certs have been recently issued: crt.sh | skalei.com

Try issuing a cert for a previously unused (test) FQDN.
Like: july18test.skalei.com

Okay, that failed. I wasn't very familiar with the cached authentication.

Thanks @rg305 and @_az !

False positives can be very misleading.

Now you are on the right track!

Indeed, they can be!

I suspect there is something imperfect in the DNS zone.
If DO permits you to setup secondary DNS servers, you can add your Internet IP to such a list.
From there you could request the entire zone.
Via something like:

nslookup
server ns1.digitalocean.com
set type=any
ls -d skalei.com. > local.filename.txt
exit

And then review the file for any abnormalities.
[and try not to get to high from the command - LOL]
[and don't forget to disable the secondary afterwards]