Until now I have been using the default HTTP-01 challenge method to issue certificates, because manually updating DNS records for DNS-01 was tedious. But I also need wildcard certificates, so I migrated my DNS to AWS Route 53 and started using the python2-certbot-dns-route53 package (CentOS 7).
And it works! Fantastic.
However, I have a question about renewals. For most of my certificates I can't use DNS-01 because I don't control the DNS. So I need to renew a mix of certificates issued with HTTP-01 and certificates issued with DNS-01.
So what's going to happen when both types of certs are due for renewal and I run this?
certbot -n renew
Is that going to... renew the HTTP-01 certs and complain about the DNS-01 certs? If the latter, will it at least complete all the certs it can, regardless of the order in which it comes across the DNS-01 cert?
Do I need to also run this, separately? Will it do the opposite — renew the DNS-01 certs and complain about all the HTTP-01 certs?
certbot -n renew --dns-route53
Or is certbot able to remember which was which for renewal purposes? In which case, can I just run this command by itself and expect success across the board:
# Maybe I can *just* run this? Will HTTP still be used
# where DNS isn't viable?
certbot -n renew --dns-route53
Thank you! This is my last concern before putting DNS-01 support into production.