Unable to renew my certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: designtools.hiwin.com

I ran this command in my cron job script for automated renewal:
sudo certbot renew --quiet --post-hook "systemctl reload nginx"

It produced this output:

My web server is (include version): nginx

The operating system my web server runs on is (include version): ubuntu

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.9.0

Certificate info-
sudo cat /etc/letsencrypt/renewal/designtools.hiwin.com.conf

# renew_before_expiry = 30 days
version = 2.9.0
archive_dir = /etc/letsencrypt/archive/designtools.hiwin.com
cert = /etc/letsencrypt/live/designtools.hiwin.com/cert.pem
privkey = /etc/letsencrypt/live/designtools.hiwin.com/privkey.pem
chain = /etc/letsencrypt/live/designtools.hiwin.com/chain.pem
fullchain = /etc/letsencrypt/live/designtools.hiwin.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = e679833999d7b9adb42b218f1b5c1581
pref_challs = dns-01,
authenticator = manual
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa

I was previously unable to authenticate the domain with the HTTP-01 challenge and hence did it manually with the DNS-01 challenge

The Certbot renew command cannot renew certs that were created manually. Those require manual intervention (in your case adding a DNS TXT record) and cannot be automated without providing a --manual-auth-hook and related code.

It looks like you are geo-blocking HTTP requests so that is probably why an HTTP Challenge failed. See: Let's Debug

If you want recommendations about that see: Multi-Perspective Validation & Geoblocking FAQ

But, you are using Cloudflare as your DNS provider. You should be able to use the DNS plugin for that to replace your wildcard cert. See:

https://certbot-dns-cloudflare.readthedocs.io/en/stable/

5 Likes
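The answer above turns on what the renewal profile says: with authenticator = manual and no manual_auth_hook, certbot renew has nothing it can run to add the TXT record. The script below is an added example (not code from this thread or from Certbot) that reads a profile the way a cron job could before attempting a renewal and reports whether renewal can complete unattended. It assumes the INI layout certbot writes under /etc/letsencrypt/renewal/, and the sample profile it constructs uses placeholder values rather than the poster's account id.

```shell
#!/bin/sh
# Added example, not code from the thread or from Certbot: inspect a renewal
# profile and report whether "certbot renew" can finish without a human adding
# a DNS TXT record. Assumes the INI layout certbot writes under
# /etc/letsencrypt/renewal/ (as in the profile posted in the question).

# Print the value of one key from the [renewalparams] section (empty if absent).
renewal_param() {
    awk -v key="$2" '
        /^\[/ { section = $0 }
        section == "[renewalparams]" && $1 == key && $2 == "=" {
            $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit
        }' "$1"
}

# Classify a profile. Prints one of:
#   automatable           renew needs no interactive step
#   manual-needs-hook     authenticator = manual with no manual_auth_hook (the case above)
#   plugin-missing-creds  dns-cloudflare plugin but no credentials file recorded
#   no-authenticator      profile records no authenticator at all
renewal_mode() {
    auth=$(renewal_param "$1" authenticator)
    case "$auth" in
        "") echo no-authenticator ;;
        manual)
            if [ -n "$(renewal_param "$1" manual_auth_hook)" ]; then
                echo automatable
            else
                echo manual-needs-hook
            fi ;;
        dns-cloudflare)
            if [ -n "$(renewal_param "$1" dns_cloudflare_credentials)" ]; then
                echo automatable
            else
                echo plugin-missing-creds
            fi ;;
        *) echo automatable ;;
    esac
}

# Constructed sample profile mirroring the one in the question (manual DNS-01,
# no auth hook); the account id and paths are placeholders.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# renew_before_expiry = 30 days
version = 2.9.0
archive_dir = /etc/letsencrypt/archive/example.test

# Options used in the renewal process
[renewalparams]
account = 00000000000000000000000000000000
pref_challs = dns-01,
authenticator = manual
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
EOF

# Report on the sample, then on every real profile if the directory exists.
printf '%s: %s\n' "$SAMPLE_CONF" "$(renewal_mode "$SAMPLE_CONF")"
for conf in /etc/letsencrypt/renewal/*.conf; do
    [ -e "$conf" ] || continue
    printf '%s: %s\n' "$conf" "$(renewal_mode "$conf")"
done
```

Run as root so the real profiles are readable; a profile reported as manual-needs-hook is one where the --quiet cron renewal in the question will fail silently until the profile is rewritten by a plugin-based issuance.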

I ran the following, saving the token in the cloudflare.ini-
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d designtools.hiwin.com

I got this error-
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for designtools.hiwin.com
Encountered CloudFlareAPIError adding TXT record: 10000 Authentication error
Error communicating with the Cloudflare API: Authentication error

I don't know. If you setup the API token and configured it according to that page I linked earlier it should work. You may need to ask on the Cloudflare community. Or possibly some other volunteer here will know.

Some people accidentally use the config statements for the api key and not the api token.

Check this thread they had the same error message for a different reason: Cloudflare API not getting authenticated by LetsEncrypt on Home Assistant - #4 by _az

Check any restrictions like IP restrictions you may have placed in Cloudflare.

1 Like

Thank you, I was able to make it work by fixing the permissions.
The link you provided doesn't talk about the renewal command- Welcome to certbot-dns-cloudflare’s documentation! — certbot-dns-cloudflare 0 documentation

To renew when there's less than 1 month left, should I run-
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials $CLOUDFLARE_INI -d $DOMAIN --non-interactive --agree-tos --quiet

or

sudo certbot renew --quiet --post-hook "systemctl reload nginx"

1 Like

Glad you found the permissions problem.

You need to do the command below. The renew command uses your renewal profile settings. Your current renewal settings are for your original manual DNS Challenge. If the command below is successful it gets a new cert and updates the renewal profile with these settings. Future renew commands will then use that.

You should probably add a --deploy-hook to this. That is better practice than using it on the renew command.

After this works you can test the next renew by running this. It will not affect your production certs.

sudo certbot renew --dry-run
1 Like
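The procedure in this answer has three parts: get the credentials file right (the permissions problem and the api key versus api token mix-up raised earlier in the thread), issue once through the plugin with a --deploy-hook so the renewal profile is rewritten, then rehearse with --dry-run. The script below is an added example, not code from the thread, from Certbot or from Cloudflare, that strings those parts together. It assumes GNU coreutils (stat -c), the credentials-file keys documented for certbot-dns-cloudflare (dns_cloudflare_api_token, or the legacy dns_cloudflare_email plus dns_cloudflare_api_key), and placeholder values for the domain and the CLOUDFLARE_INI path; only check_cf_credentials runs unless the script is invoked with the argument run.

```shell
#!/bin/sh
# Added example, not code from the thread, from Certbot or from Cloudflare:
# the switch to the dns-cloudflare plugin as a script. Assumes GNU coreutils
# (stat -c), the credentials-file keys documented for certbot-dns-cloudflare,
# and the placeholder domain and path below.

CF_INI="${CLOUDFLARE_INI:-/etc/letsencrypt/cloudflare.ini}"
DOMAIN="${DOMAIN:-example.test}"     # placeholder, not the poster's domain

# True if file $1 contains a non-empty "key = value" line for key $2.
has_key() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*[^[:space:]]+" "$1"
}

# Return 0 if the credentials file is usable by the plugin; print the reason
# and return non-zero otherwise. Covers the two pitfalls from the thread:
# loose file permissions (certbot warns when the file is group/world readable)
# and an ini that confuses the scoped API token with the legacy global API
# key, which additionally needs dns_cloudflare_email.
check_cf_credentials() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "unsafe permissions $mode on $f (want 600)"; return 2 ;;
    esac
    if has_key "$f" dns_cloudflare_api_token; then
        echo "ok: scoped API token"
    elif has_key "$f" dns_cloudflare_api_key && has_key "$f" dns_cloudflare_email; then
        echo "ok: legacy global API key plus email"
    elif has_key "$f" dns_cloudflare_api_key; then
        echo "dns_cloudflare_api_key without dns_cloudflare_email; prefer a scoped dns_cloudflare_api_token"
        return 3
    else
        echo "no Cloudflare credentials found in $f"
        return 4
    fi
}

# Step 1 from the answer above: issue through the plugin so the renewal profile
# is rewritten with these settings. The nginx reload goes in --deploy-hook,
# which certbot runs only after a successful issuance or renewal.
issue_with_cloudflare() {
    certbot certonly --dns-cloudflare \
        --dns-cloudflare-credentials "$CF_INI" \
        -d "$DOMAIN" \
        --deploy-hook "systemctl reload nginx" \
        --non-interactive --agree-tos --quiet
}

# Step 2: confirm the rewritten profile renews unattended without touching
# the live certificate.
rehearse_renewal() {
    certbot renew --dry-run
}

# Only call certbot when invoked as "sh script.sh run" (as root); otherwise the
# functions are merely defined so the credentials check can be reused.
if [ "${1:-}" = run ]; then
    check_cf_credentials "$CF_INI" && issue_with_cloudflare && rehearse_renewal
fi
```

Once the dry run passes, the existing cron entry running certbot renew --quiet needs no change beyond dropping its --post-hook, since the reload now lives in the profile as a deploy hook and only fires when a certificate was actually replaced.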

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.