Renewal error - perhaps related to migration to Squarespace

My domain is:
(registrar recently auto-moved from Google to Squarespace)
I ran this command:
/usr/local/bin/certbot certonly -n --force-renew --agree-tos --authenticator 'dns-google-domains' --dns-google-domains-credentials '/var/lib/letsencrypt/dns_google_domains_credentials.ini' --server '' --dns-google-domains-zone '' --cert-name -d ',,'

It produced this output:
Encountered exception during recovery: certbot.errors.PluginError: Unable to rotate DNS challenges: 400 Client Error: Bad Request for url:

Unable to rotate DNS challenges: 400 Client Error: Bad Request for url:
My web server is (include version):

Apache 2

The operating system my web server runs on is (include version):


I can login to a root shell on my machine : Yes

The version of my client is :
certbot 2.6.0

Likely related to Squarespace taking over google domains.

See my reply


Probably best to review this section of the Certbot docs:

Also, unless you need a wildcard you may be able to use the HTTP Challenge to get a cert. Looks like you are using Apache server which is fairly easy to automate an HTTP Challenge.

Maybe like this

certbot certonly --apache --dry-run --cert-name -d ',,'

If --dry-run works, just remove it to get a production cert. And your Certbot renewal profile will then get updated, so it will auto-renew.


Just clicking the URL, Safari sees a redirect loop too.

And this as well


With the --apache option you must run Certbot on the server pointed to by the DNS for the domain name requested. Otherwise, when the Let's Encrypt server sends the HTTP challenge request to the IP in the DNS, that server won't know how to reply. You could do a carefully crafted set of redirects for the ACME challenge back to the Certbot machine, but if you are clever enough to figure that out you probably would not be here :slight_smile:

In this case it had a poor reply with a redirect loop. But, even once that is fixed it won't have the challenge token to properly reply to the LE server.

The faulty redirect loop starts at wineverygame, but that sends it to the backup subdomain, which then loops by repeating the same redirect.

curl -I
HTTP/1.1 302 Found
Server: Apache

curl -I
HTTP/1.1 302 Found
Server: Apache

# the above redirect, if followed continues "forever"
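
The hop-by-hop check done with `curl -I` above can be scripted before retrying an HTTP challenge. This is an added example, not part of the original thread: `head`, `trace_redirects`, `sample_fetch` and the `max_hops` limit are names and values chosen here, and the hostnames and token in the sample data are constructed placeholders.

```python
"""Trace redirects one hop at a time for an ACME HTTP-01 URL and flag loops."""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def head(url):
    """Send one HEAD request without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(
        parts.netloc, timeout=10)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_redirects(url, fetch=head, max_hops=10):
    """Return (verdict, chain); verdict is 'ok', 'loop', 'too-many-hops' or 'error:<status>'."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return ("ok" if status == 200 else f"error:{status}"), chain
        url = urljoin(url, location)  # Location may be relative
        chain.append(url)
        if url in seen:  # same URL visited twice: the redirect never terminates
            return "loop", chain
        seen.add(url)
    return "too-many-hops", chain

# Constructed sample mirroring the pattern in this thread: the main name redirects
# to a backup subdomain, which then redirects to itself. Placeholder hostnames.
PATH = "/.well-known/acme-challenge/test-token"
SAMPLE = {
    "http://example.com" + PATH: (302, "http://backup.example.com" + PATH),
    "http://backup.example.com" + PATH: (302, "http://backup.example.com" + PATH),
}

def sample_fetch(url):
    """Offline stand-in for head(), answering from the constructed SAMPLE table."""
    return SAMPLE.get(url, (404, None))

if __name__ == "__main__":
    verdict, chain = trace_redirects("http://example.com" + PATH, fetch=sample_fetch)
    print(verdict, *chain, sep="\n  -> ")
```

Calling `trace_redirects(url)` without the `fetch` argument sends real HEAD requests to the given URL; a verdict of `error:404` on a test path means the redirects terminate but no file is served there.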

Please don't use this option if you're thinking it would magically make any error disappear.