Renew dry-run fails with "Unable to determine base domain" error

My domain is: masonlane.dev

I ran this command: sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/masonlane.dev.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for *.masonlane.dev and masonlane.dev
Encountered exception during recovery: certbot.errors.PluginError: Unable to determine base domain for masonlane.dev using names: ['masonlane.dev', 'dev'].
Failed to renew certificate masonlane.dev with error: Unable to determine base domain for masonlane.dev using names: ['masonlane.dev', 'dev'].

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/masonlane.dev/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx/1.22.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.10

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.29.0

I am specifically trying to get wildcard DNS to work. Currently, everything seems to be working fine - all subdomains return what I expect them to. It's just the renewal dry run that's erroring. I have my Google Domains DNS set up with "masonlane.dev", "www.masonlane.dev", and "*.masonlane.dev" all pointing to my DigitalOcean IP.

Are you using Google Cloud DNS for your domain's DNS hosting, or Google Domains?

Are you trying to use the certbot-dns-google plugin for this?


I am using Google Domains.

No, I am not - I hadn't heard of that plugin.

Well, Certbot is trying to use a DNS plugin to issue the certificate. A good first step is to understand what plugin it is using. You can check this by looking at /etc/letsencrypt/renewal/masonlane.dev.conf and seeing what the authenticator = line says.


It is using dns-digitalocean, as per this tutorial: How To Create Let's Encrypt Wildcard Certificates with Certbot | DigitalOcean

Right. You can't do that anymore, because you moved your domain's nameservers to Google. You need to use the equivalent plugin for Google.

Depending on whether you use Google Cloud DNS or Google Domains, that will be either the plugin I linked above, or GitHub - aaomidi/certbot-dns-google-domains: Google Domains plugin for Certbot, respectively.

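The check described above (read the authenticator from the renewal config, then confirm it still matches whoever serves the zone's NS records), as an added example script that is not from the thread or the Certbot project; the plugin-to-provider mapping and the sample config are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: flag a renewal config whose DNS
# authenticator no longer matches the nameservers serving the zone.

# Print the "authenticator = ..." value from a Certbot renewal conf.
renewal_authenticator() {
    sed -n 's/^authenticator[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Nameserver domain a DNS plugin is expected to be paired with.
# Assumed mapping for illustration; extend it for the providers you use.
plugin_ns_domain() {
    case "$1" in
        dns-digitalocean) printf '%s\n' 'digitalocean.com' ;;
        dns-google|dns-google-domains) printf '%s\n' 'googledomains.com' ;;
        *) return 1 ;;
    esac
}

# $1 = renewal conf path, $2 = NS records, one per line (e.g. `dig +short NS`).
# Exit 0 when the plugin matches the NS provider, 1 on mismatch,
# 2 when the authenticator is not a DNS plugin this script knows.
check_plugin_vs_ns() {
    auth=$(renewal_authenticator "$1")
    want=$(plugin_ns_domain "$auth") || return 2
    pat=$(printf '%s' "$want" | sed 's/\./\\./g')
    printf '%s\n' "$2" | grep -qiE "[.]${pat}[.]?$"
}

# Constructed sample: conf still set for DigitalOcean, zone now on Google.
demo() {
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
version = 1.29.0
archive_dir = /etc/letsencrypt/archive/masonlane.dev
[renewalparams]
authenticator = dns-digitalocean
EOF
    ns='ns-cloud-a1.googledomains.com.
ns-cloud-a2.googledomains.com.'
    if check_plugin_vs_ns "$conf" "$ns"; then
        echo "ok: $(renewal_authenticator "$conf") matches the nameservers"
    else
        echo "mismatch: $(renewal_authenticator "$conf") but NS records are: $ns"
    fi
    rm -f "$conf"
}
demo
```

Run it against the real config with `check_plugin_vs_ns /etc/letsencrypt/renewal/<domain>.conf "$(dig +short NS <domain>)"` before the next renewal window.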

Ah, gotcha. A quick Google search makes it seem like wildcards aren't supported for Google Domains. Do you happen to know if that's true? If I want wildcard subdomains, am I going to have to switch over to using DigitalOcean for my DNS?

And I'm curious - why does this work fine for everything but renewal? I would expect using the wrong plugin to not work at all, but it's working like normal right now.

That second plug-in I linked is suitable for Google Domains. Though Google just sold that part of their business to Squarespace so I'm not sure how long it will survive into the future.


Gotcha. Thanks for your help!

