Renewing multiple domain certificate with certbot

Hello, I have an issue renewing a multiple-domain certificate for my server and would like to know if there is any certbot command line option that could help me.

I am running the 'certbot renew' command, which uses a manual authentication hook for the DDNS provider DNSExit. certbot requests challenge tokens from the letsencrypt server, one token per domain. Then certbot uses the manual authentication hook to add the tokens to DNS TXT records on DNSExit servers for the dns-01 authentication method. certbot adds all tokens at once and then tries to verify all domains at once. Then in the end certbot uses the manual cleanup hook to remove the DNS TXT records from DNSExit servers.

This scenario worked perfectly until DNSExit changed their API. Now trying to add a second token for the same domain (the wildcard token is added to the base domain DNS record) replaces the old TXT record, rendering the previous scenario unusable. Unfortunately DNSExit provides support only for paid customers and I am using just the free DDNS service.

My question is whether there is a command line option for certbot to make it perform the renew scenario on a per-domain basis? If certbot could add the TXT record for the first domain, verify it, clean up, then add the TXT record for the second domain, verify it and clean up, it would be perfect. I could not find such an option in the certbot documentation, but sometimes not all options are listed for a given piece of software. Perhaps I need to switch to another client that can do that, but I have no idea what that could be. Otherwise I would be forced to perform manual certificate renewals, which make this scenario possible, but cumbersome.

Thank you in advance,
Den

My domain is: dmmedia.org, *.dmmedia.org

I ran this command: certbot renew

It produced this output:
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: dmmedia.org
    Type: unauthorized
    Detail: Incorrect TXT record
    "mi_HxmRDBGKliolmA6G6pPoG6ZGBbwvgv7ob-XsMZ10" found at
    _acme-challenge.dmmedia.org

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): apache 2.4

The operating system my web server runs on is (include version): CentOS 6

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.11.0

Certbot supports pre/post validation hooks on a per-domain basis:

https://eff-certbot.readthedocs.io/en/stable/using.html#pre-and-post-validation-hooks

1 Like

How many domains/FQDNs are you trying to renew (at the same time)?

1 Like

Thanks for the link. This is exactly how I am trying to use certbot and it seems that it executes all auth hooks, then verifies all domains and then executes all cleanup hooks. I am looking into whether I can run the auth-verify-cleanup sequence per domain, one after another.

That depends on what you wrote in the hooks.

It might also depend on certbot's version, although I'm not sure this behaviour ever changed.

I am trying to renew a 4-domain certificate, with 2 of them being wildcard domains. The complete list is: dmmedia.org, *.dmmedia.org, dmmedia.net and *.dmmedia.net.

This worked perfectly for years until DNSExit changed their API recently.

I am not sure how the sequence can be controlled with the hooks.
The auth hook just adds a TXT record for a single domain passed by certbot as the environment variable CERTBOT_DOMAIN. If the hook was able to add the record it just returns 0, otherwise it returns a non-0 code and that's it. certbot has its own idea of the sequence in which it calls the hooks and communicates with the letsencrypt server. If certbot has only a single sequence programmed in and no way to change it, then I probably need to look for another client.

Certbot also has an option to wait between each verification. (Or you could add some sleep command to the hooks)

Could it be this?

A workaround for this type of thing is sometimes to just run your request multiple times. Some validations will work each time and so they won't be re-attempted next time (valid authorizations are cached for approx. 30 days); eventually all the validations will pass and the certificate order will complete.

The real fix is probably to investigate the problem with your DNS provider API so you can set multiple values.

Alternatively you could:

4 Likes
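The hook behaviour described above (certbot passing one domain and one token per invocation) and the suggestion to set multiple values are illustrated by the following added example, which is not the poster's hook, certbot's code or DNSExit's API. It assumes only the CERTBOT_DOMAIN and CERTBOT_VALIDATION variables certbot sets for --manual-auth-hook; the state file and the publish_txt function are placeholders standing in for the provider call.

```shell
#!/bin/sh
# Added example: a manual auth hook that remembers every token certbot hands it
# for a TXT name, so a DNS API that can only REPLACE a record is still given all
# values at once (base domain and wildcard share _acme-challenge.<base>).
# Assumed: CERTBOT_DOMAIN / CERTBOT_VALIDATION (set by certbot); STATE_FILE and
# publish_txt are placeholders, not a real provider API.
STATE_FILE="${STATE_FILE:-/tmp/acme-tokens.txt}"

# TXT record name for a domain; a leading "*." (wildcard) maps to the base name.
challenge_name() {
    printf '_acme-challenge.%s\n' "${1#"*."}"
}

# Append this invocation's token to the state file as one "name token" line.
record_token() {
    printf '%s %s\n' "$(challenge_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION" >> "$STATE_FILE"
}

# All tokens collected so far for a TXT name, space-separated, de-duplicated.
tokens_for() {
    [ -f "$STATE_FILE" ] || return 0
    awk -v n="$1" '$1 == n && !seen[$2]++ { printf "%s%s", (c++ ? " " : ""), $2 } END { print "" }' "$STATE_FILE"
}

# Placeholder for the provider call: prints the request that would be sent,
# i.e. the name and every value the record must carry after this update.
publish_txt() {
    printf 'SET TXT %s -> %s\n' "$1" "$2"
}

# Auth hook: record the new token, then re-publish the complete value set.
auth_hook() {
    record_token
    name=$(challenge_name "$CERTBOT_DOMAIN")
    publish_txt "$name" "$(tokens_for "$name")"
}

# Cleanup hook: forget the tokens for this name once validation has run.
cleanup_hook() {
    name=$(challenge_name "$CERTBOT_DOMAIN")
    [ -f "$STATE_FILE" ] || return 0
    awk -v n="$name" '$1 != n' "$STATE_FILE" > "$STATE_FILE.tmp"
    mv -f "$STATE_FILE.tmp" "$STATE_FILE"
}

# Dispatch: --manual-auth-hook "sh hook.sh auth" --manual-cleanup-hook "sh hook.sh cleanup"
case "${1:-}" in
    auth) auth_hook ;;
    cleanup) cleanup_hook ;;
esac
```

The second invocation (for the wildcard) republishes both tokens together, which is what a replace-only API needs; the cleanup hook empties the state for that name so a later run starts clean.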

Thank you very much for the hint about cached authorizations. I just needed to run certbot a second time and it verified the second pair of my 4-domain certificate this time.

I know that the real problem is the DNS provider's API, but since I am not a paid user, there is no support for me.

Changing to an alternative provider is challenging. As I am using the server for non-commercial purposes, I do not really want to pay extra. And there are very few dynamic DNS providers that allow using your own domain names, and even fewer of them allow wildcard domains. So I am very limited here, but I may migrate if I find another similar provider or a cheap enough paid one.

2 Likes

Cool, for info Cloudflare is actually free for basic DNS hosting (you don't need to use them as a registrar, they just run the nameservers, plus you then get free caching), and their API is generally well supported also.

4 Likes

Thank you again for the information. I've done a small search and found out that Cloudflare offers free dynamic DNS and supports wildcards. If I am forced to move now, there is a backup plan.

2 Likes
