Upgraded to snap and now have problems

I've been using certbot-auto without problems. I've just upgraded to the snap version and it fails. I've also tried

certbot renew --dry-run --preferred-challenges=dns
certbot renew --apache --dry-run --preferred-challenges=dns

which also fail differently.

My domain is: sipitpro.com

I ran this command:

certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mydomain.com-0001.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer None
Simulating renewal of an existing certificate for mydomain.com and 4 more domains
Performing the following challenges:
http-01 challenge for mydomain.com
http-01 challenge for gui.mydomain.com
http-01 challenge for reports.mydomain.com
http-01 challenge for sp5.mydomain.com
http-01 challenge for www.mydomain.com
Waiting for verification...
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/mydomain.com-0001/fullchain.pem



Processing /etc/letsencrypt/renewal/mydomain.com.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer None
Simulating renewal of an existing certificate for *.mydomain.com and mydomain.com
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Failed to renew certificate mydomain.com with error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.


The following simulated renewals succeeded:
/etc/letsencrypt/live/mydomain.com-0001/fullchain.pem (success)

The following simulated renewals failed:
/etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

My web server is (include version):
apache 2.4

The operating system my web server runs on is (include version):
Debian 10 (Buster)

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.11.0

1 Like

Did you also install the appropriate snap certbot DNS plugin?

Check with certbot plugins

2 Likes

Thanks, doesn't look like it - how do I install?:

certbot plugins

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

* apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT

* nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator

2 Likes

Please follow the appropriate guide on https://certbot.eff.org, i.e., in your case click on the wildcard tab above the instructions (next to "default"):

It would be nice if the wildcard tab can be directly linked to with #wildcard for example. This is a known issue, but unfortunately not implemented yet.

Note: you only need the parts related to plugins as you already have the certbot snap installed.

2 Likes

Thanks Osiris, all working now.

3 Likes

Note for future reference by the way: if you use options like --preferred-challenges=dns and --apache with the renew subcommand, it might overwrite stored renewal options for certain certificates which were obtained with different options, as certbot will try to renew any certificate due for renewal if you don't specify one or more certificates with --cert-name.

3 Likes
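
The failure in this thread (a wildcard certificate whose stored authenticator is apache) and the note above about stored renewal options can both be checked by reading the `[renewalparams]` section of each file in /etc/letsencrypt/renewal/. The following is an added example, not part of the original posts and not Certbot's own code. It assumes the caller supplies each certificate's domain list (for instance from `certbot certificates`), uses constructed sample data under example.test, and treats an authenticator as DNS-capable by a naming heuristic that is an assumption of this sketch.

```python
"""Flag certificate lineages whose stored authenticator cannot renew a wildcard name."""

# Constructed sample data: cert name -> (domains on the cert, renewal .conf text).
SAMPLE_LINEAGES = {
    "example.test": (["*.example.test", "example.test"], """\
version = 1.11.0
cert = /etc/letsencrypt/live/example.test/cert.pem
[renewalparams]
authenticator = apache
installer = None
"""),
    "example.test-0001": (["example.test", "www.example.test"], """\
[renewalparams]
authenticator = apache
"""),
    "wild.example.test": (["*.wild.example.test"], """\
[renewalparams]
authenticator = manual
pref_challs = dns-01,
"""),
}

def renewal_params(conf_text):
    """Return the key/value pairs stored under [renewalparams]."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):            # [section] or nested [[section]]
            section = line.strip("[]")
        elif section == "renewalparams" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def can_do_dns01(params):
    """Assumed heuristic: a dns-* plugin, or manual with dns-01 preferred."""
    auth = params.get("authenticator", "")
    if auth.split(":")[-1].startswith("dns-"):
        return True
    return auth == "manual" and "dns-01" in params.get("pref_challs", "")

def audit(lineages):
    """Return (cert name, stored authenticator, wildcard names) per problem lineage."""
    findings = []
    for name, (domains, conf_text) in sorted(lineages.items()):
        params = renewal_params(conf_text)
        wildcards = [d for d in domains if d.startswith("*.")]
        if wildcards and not can_do_dns01(params):
            findings.append((name, params.get("authenticator"), wildcards))
    return findings
```

Running `audit` before and after a `certbot renew` that carried extra options shows whether a lineage's stored authenticator changed.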