Renewing cert on Ubuntu

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
zgo.cash

I ran this command:
certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/zgo.cash.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for zgo.cash and *.zgo.cash
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Failed to renew certificate zgo.cash with error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/zgo.cash/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

My web server is (include version):

Server version: Apache/2.4.41 (Ubuntu)
Server built:   2022-03-16T16:52:53

The operating system my web server runs on is (include version):
Ubuntu 20

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.26.0

1 Like

Welcome to the Let's Encrypt Community 🙂

The error indicates that the authentication plugin listed in /etc/letsencrypt/renewal/zgo.cash.conf (probably the apache authenticator) uses the HTTP-01 challenge type, which is not allowed for wildcard domain names (*.zgo.cash). You need to use an authentication plugin that supports the DNS-01 challenge type if you want a wildcard certificate.

https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins

3 Likes

What command did you run to get your certificate in the first place?

(Do you really need a wildcard certificate? Does a Certbot plugin for your DNS provider exist?)

2 Likes

I created this manually; there is no Certbot plugin for NameCheap that I know of.

1 Like

Thank you for the link.

I had to re-create the certificates using the command below instead of renew:

certbot certonly --manual -d zgo.cash -d *.zgo.cash --preferred-challenges=dns

2 Likes

Yep, there is no way to renew a certificate you obtained manually; you have to do that every two months.

Namecheap has an API and there should be a Certbot plugin, but the API is not open to everyone and they only enable it for some users.

You can move your DNS elsewhere even if you keep Namecheap as a registrar, if you want.

2 Likes
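
Added example (not part of any post in this thread and not Certbot's own code): a pre-renewal check for the two situations discussed above, a wildcard name paired with an HTTP-01-only authenticator, and a `manual` lineage with no `manual_auth_hook`. The function names and sample configs are constructed; the list of names is assumed to be supplied by the operator (for example from `certbot certificates`), and plugins outside the listed set are not judged.

```python
HTTP_ONLY = {"apache", "nginx", "webroot", "standalone"}  # HTTP-01 only plugins


def parse_renewalparams(conf_text):
    """Return the key/value pairs of the [renewalparams] section."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.strip("[]")  # also handles nested [[webroot_map]]
        elif section == "renewalparams" and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def audit_lineage(conf_text, names):
    """List reasons why an unattended `certbot renew` cannot succeed."""
    params = parse_renewalparams(conf_text)
    auth = params.get("authenticator", "")
    hook = params.get("manual_auth_hook")
    wildcards = [n for n in names if n.startswith("*.")]
    findings = []
    if wildcards and auth in HTTP_ONLY:
        findings.append(f"{auth} is HTTP-01 only; {', '.join(wildcards)} needs DNS-01")
    if auth == "manual" and hook in (None, "", "None"):
        findings.append("manual authenticator without manual_auth_hook; "
                        "renewal needs an operator")
    return findings


# Constructed sample configs, modelled on /etc/letsencrypt/renewal/<name>.conf
APACHE_CONF = """\
version = 1.26.0
[renewalparams]
authenticator = apache
installer = apache
"""
MANUAL_CONF = """\
version = 1.26.0
[renewalparams]
authenticator = manual
pref_challs = dns-01,
"""

if __name__ == "__main__":
    for conf in (APACHE_CONF, MANUAL_CONF):
        print(audit_lineage(conf, ["zgo.cash", "*.zgo.cash"]))
```

Running it against each file in /etc/letsencrypt/renewal/ before the renewal window surfaces lineages that will fail or stall, so an expiring certificate is caught ahead of time rather than by the failed cron run.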
