Unable to renew wildcard

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=casecast.ru), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: casecast.ru

I ran this command: /opt/certbot/certbot-auto renew

It produced this output:
[root@vmi281003 .well-known]# /opt/certbot/certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/casecast.ru.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Attempting to renew cert (casecast.ru) from /etc/letsencrypt/renewal/casecast.ru.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/casecast.ru/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/casecast.ru/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache 2.4.6

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: vps

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.38.0

Please post:

  • The output of /opt/certbot/certbot-auto certificates

  • The contents of /etc/letsencrypt/renewal/casecast.ru.conf

  • The contents of /etc/letsencrypt/cli.ini

Hi @xnext40

If you want to create a wildcard certificate, you can't use webroot.

It looks like you used --manual, so run the complete command again (not renew).

How is it possible to create a wildcard cert and then renew it?

Use the same command you have used to create the certificate.

The same command is a manual update; I need an automatic update if possible.
Why can't I use webroot for the wildcard update?


1. Output of /opt/certbot/certbot-auto certificates:

Found the following certs:
Certificate Name: casecast.ru
Domains: casecast.ru *.casecast.ru
Expiry Date: 2019-10-14 11:30:28+00:00 (VALID: 25 days)
Certificate Path: /etc/letsencrypt/live/casecast.ru/fullchain.pem
Private Key Path: /etc/letsencrypt/live/casecast.ru/privkey.pem

2. Contents of /etc/letsencrypt/renewal/casecast.ru.conf:

renew_before_expiry = 30 days
version = 0.36.0
archive_dir = /etc/letsencrypt/archive/casecast.ru
cert = /etc/letsencrypt/live/casecast.ru/cert.pem
privkey = /etc/letsencrypt/live/casecast.ru/privkey.pem
chain = /etc/letsencrypt/live/casecast.ru/chain.pem
fullchain = /etc/letsencrypt/live/casecast.ru/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
domains = casecast.ru
account =
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path =/var/www/casecast.ru/html,
manual_public_ip_logging_ok = True
manual_auth_hook = /opt/certbot/scripts/auth.sh
manual_cleanup_hook = /opt/certbot/scripts/clean.sh
pref_challs = http-01
[[webroot_map]]
zabbix.casecast.ru = /var/www/zabbix.casecast.ru/html/
casecast.ru = /var/www/casecast.ru/html/

3. Contents of /etc/letsencrypt/cli.ini:

cat: /etc/letsencrypt/cli.ini: No such file or directory

You must use the dns-01 challenge for wildcard certificates. The certbot error output even states this.

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

Check out this document for help using the dns-01 challenge.
https://certbot.eff.org/docs/using.html#dns-plugins

If you’d like to obtain a wildcard certificate from Let’s Encrypt or run certbot on a machine other than your target webserver, you can use one of Certbot’s DNS plugins.

Then you need a DNS provider with an API and a client that supports that API.

Checking your domain - https://check-your-website.server-daten.de/?q=casecast.ru - you have a reg.ru name server.

acme.sh supports an API.

81. Use reg.ru API


Hmm, I get it that without DNS confirmation it is impossible via webroot?

You are mixing some things up.

Read this, for the HTTP-01 challenge:

> Let's Encrypt doesn't let you use this challenge to issue wildcard certificates.

Thanks for acme.sh, but my registrar is very slow in sending API access, so I changed DNS to Cloudflare.
I will try to automate the process via Cloudflare.
