Renewing a mix of DNS-01 and HTTP-01 challenge-based certs

Until now I have been using the default HTTP-01 challenge method to issue certificates, because manually updating DNS records for DNS-01 was tedious. But I also need wildcard certificates, so I migrated my DNS to AWS Route 53 and started using the python2-certbot-dns-route53 package (CentOS 7).

And it works! Fantastic.

However I have a question about renewals. For most of my certificates I can't use DNS-01 because I don't control the DNS. So I need to renew a mix of certificates issued with HTTP-01 and certificates issued with DNS-01.

So what's going to happen when both types of certs are due for renewal and I run this?

certbot -n renew

Is that going to... renew the HTTP-01 certs and complain about the DNS-01 certs? If the latter will it at least complete all the certs it can, regardless of the order in which it comes across the DNS-01 cert?

Do I need to also run this, separately? Will it do the opposite — renew the DNS-01 certs and complain about all the HTTP-01 certs?

certbot -n renew --dns-route53

Or is certbot able to remember which was which for renewal purposes? In which case, can I just run this command by itself and expect success across the board:

# Maybe I can *just* run this? Will HTTP still be used
# where DNS isn't viable?
certbot -n renew --dns-route53

Thank you! This is my last concern before putting DNS-01 support into production.

It remembers how each certificate was validated last time, and uses the same method again. So in your case I think that should just work. You don't need to specify --dns-route53 for the renew command.

The renewal information is stored in the files under /etc/letsencrypt/renewal/.

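As an added illustration (not code from this thread or from certbot itself), here is a small reader for the per-certificate files under /etc/letsencrypt/renewal/ mentioned in the answer, reporting which authenticator, and therefore which challenge type, each lineage will use on the next renew. It assumes the INI-style layout certbot writes, with an `authenticator` key inside `[renewalparams]`; the two sample files are constructed for the demo.

```python
from pathlib import Path

# Constructed sample renewal files in the layout certbot writes under
# /etc/letsencrypt/renewal/ (one <lineage>.conf each); made up for this demo.
SAMPLE_CONFS = {
    "www.example.com.conf": """\
version = 0.31.0
[renewalparams]
authenticator = webroot
""",
    "example.net.conf": """\
version = 0.31.0
[renewalparams]
authenticator = dns-route53
dns_route53_propagation_seconds = 30
""",
}

# certbot plugins that satisfy HTTP-01; dns-* plugins satisfy DNS-01.
HTTP01_PLUGINS = {"webroot", "apache", "nginx", "standalone"}

def parse_renewal_conf(text):
    """INI-style reader -> {section: {key: value}}; keys above the first
    [section] header (certbot keeps the cert paths there) go under ""."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line.strip("[]")
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections

def classify_renewals(confs):
    """confs: {filename: contents} -> {lineage: (authenticator, challenge)}."""
    result = {}
    for name, text in sorted(confs.items()):
        auth = parse_renewal_conf(text).get("renewalparams", {}).get("authenticator", "<missing>")
        chal = "http-01" if auth in HTTP01_PLUGINS else "dns-01" if auth.startswith("dns-") else "unknown"
        result[Path(name).stem] = (auth, chal)
    return result

if __name__ == "__main__":
    for lineage, (auth, chal) in classify_renewals(SAMPLE_CONFS).items():
        print(f"{lineage}: authenticator={auth} -> {chal}")
```

On a real host, pass `{p.name: p.read_text() for p in Path("/etc/letsencrypt/renewal").glob("*.conf")}` instead of SAMPLE_CONFS to see the HTTP-01/DNS-01 split before running `certbot -n renew`; a lineage reported as `<missing>` or `unknown` is the one to check by hand.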

Excellent! Thank you so much. I can see by the contents of the file in the renewal folder that it has all of that information, including which authenticator to use and an option I passed to it. I'm feeling good about putting this into production now.

