Renewal error - perhaps related to migration to squarespace

My domain is: wineverygame.com
(registrar recently auto-moved from Google to Squarespace)
I ran this command:
/usr/local/bin/certbot certonly -n --force-renew --agree-tos --authenticator 'dns-google-domains' --dns-google-domains-credentials '/var/lib/letsencrypt/dns_google_domains_credentials.ini' --server 'https://acme-v02.api.letsencrypt.org/directory' --dns-google-domains-zone 'wineverygame.com' --cert-name memory.wineverygame.com-goog -d 'wineverygame.com,www.wineverygame.com,memory.wineverygame.com'

It produced this output:
Encountered exception during recovery: certbot.errors.PluginError: Unable to rotate DNS challenges: 400 Client Error: Bad Request for url: https://acmedns.googleapis.com/v1/acmeChallengeSets/wineverygame.com:rotateChallenges

Unable to rotate DNS challenges: 400 Client Error: Bad Request for url: https://acmedns.googleapis.com/v1/acmeChallengeSets/wineverygame.com:rotateChallenges
My web server is (include version):

Apache 2

The operating system my web server runs on is (include version):

Ubuntu

I can log in to a root shell on my machine: Yes

The version of my client is:
certbot 2.6.0

Likely related to Squarespace taking over google domains.

See my reply


Probably best to review this section of the Certbot docs:
https://eff-certbot.readthedocs.io/en/latest/using.html#manual

Also, unless you need a wildcard you may be able to use the HTTP Challenge to get a cert. It looks like you are using the Apache server, for which it is fairly easy to automate an HTTP Challenge.

Maybe like this

certbot certonly --apache --dry-run --cert-name memory.wineverygame.com-goog -d 'wineverygame.com,www.wineverygame.com,memory.wineverygame.com'

If --dry-run works, just remove it to get a production cert. Your Certbot renewal profile will then get updated so it will auto-renew.


Just clicking the URL, Safari sees a redirect loop too.

Edit:
And this as well


With the --apache option you must run Certbot on the server pointed to by the DNS for the domain name requested. Otherwise, when the Let's Encrypt server sends the HTTP challenge request to the IP in the DNS, that server won't know how to reply. You could do a carefully crafted set of redirects for the acme challenge back to the Certbot machine, but if you are clever enough to figure that out you probably would not be here :slight_smile:

In this case it had a poor reply with a redirect loop. But, even once that is fixed it won't have the challenge token to properly reply to the LE server.

The faulty redirect loop starts at wineverygame, which sends the request to the backup subdomain, which then loops by repeating the same redirect:

curl -I http://wineverygame.com/.well-known/acme-challenge/Test404
HTTP/1.1 302 Found
Server: Apache
Location: http://backup.wineverygame.com/.well-known/acme-challenge/Test404

curl -I http://backup.wineverygame.com/.well-known/acme-challenge/Test404
HTTP/1.1 302 Found
Server: Apache
Location: http://backup.wineverygame.com/.well-known/acme-challenge/Test404

# the above redirect, if followed continues "forever"
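A constructed Apache example, not the poster's configuration, showing the kind of unconditional redirect that would produce the loop in the curl output above beside a corrected version that exempts the ACME challenge path and only redirects the apex host; the vhost layout, DocumentRoot and rule syntax are assumptions:

```apache
# Constructed example, not taken from the poster's server.
# BEFORE (assumed): an unconditional redirect. It matches on every
# host served by this vhost, including backup.wineverygame.com
# itself, so the Location header points back at the same URL and
# the client loops, as the curl -I output above shows.
#
#   RewriteEngine On
#   RewriteRule ^/(.*)$ http://backup.wineverygame.com/$1 [R=302,L]

# AFTER: let the ACME validator reach the token on this host, and
# only redirect requests that actually arrived for the apex name.
<VirtualHost *:80>
    ServerName wineverygame.com
    ServerAlias www.wineverygame.com backup.wineverygame.com
    DocumentRoot /var/www/html

    RewriteEngine On

    # Pass /.well-known/acme-challenge/ through untouched, before any
    # redirect rule, so HTTP-01 validation is answered locally.
    RewriteRule ^/\.well-known/acme-challenge/ - [L]

    # Redirect only when the request was for the apex host; requests
    # that already arrived at backup.wineverygame.com fall through.
    RewriteCond %{HTTP_HOST} ^wineverygame\.com$ [NC]
    RewriteRule ^/(.*)$ http://backup.wineverygame.com/$1 [R=302,L]
</VirtualHost>
```

After reloading Apache, repeating the two curl -I checks above should return a 404 for the Test404 path on both hosts instead of a 302, which confirms the loop is gone before running Certbot again.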

Please don't use this option if you're thinking it would magically make any error disappear.
