Vhosts aren't generating .pem keychain. How to fix that?

bjordanov · February 15, 2020, 9:05am

What I want to achieve. Let’s say I have like 10 domains and most of them are using a CDN network. I configured a brand new VPS and want to be able to renew them with “certbot --auto” which I was doing previously on another server and everything went smooth.

I ran this command: certbot certonly --manual -d mydomainname.com -d www.mydomainname.com --preferred-challenges=“dns”
It produced this output:
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for mydomainname.com
dns-01 challenge for www.mydomainname.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested thiscertificate. If you're running certbot in manual mode on a machine that is notyour server, please ensure you're okay with that.

Are you OK with your IP being logged?
-----------------------

I press Y copy and paste the values to the TXT records and it says “Congratulations!” everything goes smooth here.

Now I know that it uses installer NONE and maybe this is where my problem is but I remember before using Certbot on another server it automatically generated it’s chain.pem output in the le-ssl.conf files in the vhosts. Now I want it to do the same. I don’t know how to force it to put the configuration into my vhosts. My browser says:

Your connection is not private

I manually created the vhosts files but I want the chain to be inside them by default every time I issue a new command with a DNS challange.

I’m using a CDN.

If I try “certbot --auto” and the select just the domain I issued the certificate it gives me this:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

My web server is (include version): Debian 9
I can login to a root shell on my machine: Yes
I’m using a control panel to manage my site:no
The version of my client is certbot --version: 0.28.0 / certbot-auto --version: 1.2.0

JuergenAuer · February 15, 2020, 9:15am

Hi @bjordanov

the command may be

certbot-auto

one token. With a space, it's certbot with an unknown authenticator (starts with --a).

And if you want to install your manual created certificate: Remove certonly and add something like

-i nginx
-i apache

https://certbot.eff.org/docs/using.html#certbot-command-line-options

bjordanov · February 15, 2020, 10:17am

Ok, thanks! I’ll try that. What if I want to autoamtically renew both certificates automatically will it still work and if yes which is the best way to renew them automatically. Thanks once again!

JuergenAuer · February 15, 2020, 11:52am

No, it will not work. You use --manual.

Your dns provider must have an API if you want to automate that. And Certbot must support that API. If your dns provider has an API, but Certbot doesn't support that, check acme.sh if there is a support.

system · March 16, 2020, 11:52am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.