Wildcard certificate not renewed

My domain: forcing-project.com

I run:
# sudo certbot --verbose renew --dry-run

I get the following:

https://privatebin.net/?a7c839d20c9f84f3#KcNCHg9tIxCUvyi56RMV1O8kGVSoI37hetF8uQx8zuY=

My system:

#uname -a
Linux ubuntu-2gb-nbg1-forcing 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

/usr/bin/certbot --version
certbot 0.28.0

# sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: forcing-project.com
    Domains: forcing-project.com *.forcing-project.com
    Expiry Date: 2019-05-29 20:18:07+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/forcing-project.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/forcing-project.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# cat /etc/letsencrypt/renewal/forcing-project.com.conf
# renew_before_expiry = 30 days
version = 0.28.0
archive_dir = /etc/letsencrypt/archive/forcing-project.com
cert = /etc/letsencrypt/live/forcing-project.com/cert.pem
privkey = /etc/letsencrypt/live/forcing-project.com/privkey.pem
chain = /etc/letsencrypt/live/forcing-project.com/chain.pem
fullchain = /etc/letsencrypt/live/forcing-project.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
certbot_plugin_gandi:dns_propagation_seconds = 60
authenticator = certbot-plugin-gandi:dns
account = 6c0ba15520a78c5839598bbb65560a68
server = https://acme-v02.api.letsencrypt.org/directory
certbot_plugin_gandi:dns_credentials = [/path/to/]gandi.ini

Ideas why certbot thinks the TXT record is incorrect? Any help is appreciated.

Maybe try setting --certbot-plugin-gandi:propagation-seconds to something higher than 60 seconds? Maybe 600?

60 seconds is a little bit risky when it comes to making multiple updates - sometimes the first changeset will be applied to the nameservers quickly and the second one will take longer, due to batching. Having a longer one shouldn’t affect you too badly as it will usually happen in the background.

I’m not too sure if that’s the correct way to pass that parameter for a third party plugin, you might need to ask the plugin owner to clarify on that point.

Thank you for the suggestion. I can pass the parameter with the plugin, in fact I tried 240 seconds with no result beforehand. I will try 600 seconds and report back.

So, I tried with the parameter certbot_plugin_gandi:dns_propagation_seconds = 600.

Still the same problem:

2019-03-04 14:43:02,711:WARNING:certbot.renewal:Attempting to renew cert (forcing-project.com) from /etc/letsencrypt/renewal/forcing-project.com.conf produced an unexpected error: Failed authorization procedure. forcing-project.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “R3yhTyRMuTG_xs5LDR1v_GzPYX-ivjBs4U9K4p-TClc” found at _acme-challenge.forcing-project.com. Skipping.

See the new letsencrypt log https://privatebin.net/?3ec57218623b284f#VSGBitATkt0q6inLqXWkUpdTShEeQJ3y2HaKmfjJ7Wg=

Any ideas of how I could troubleshoot this?

Just spitballing, but could the problem be that my certificate is for both a domain (forcing-project.com) and a wildcard subdomain (*.forcing-project.com)?
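As an added check that is not part of this thread, the following Python script shows what the dns-01 validator is actually looking for. A certificate covering both forcing-project.com and *.forcing-project.com gets two separate authorizations, and for both of them the challenge value is published at the same name, _acme-challenge.forcing-project.com, so two TXT records must coexist there at validation time. The expected TXT value is base64url(SHA-256(token "." account-key-thumbprint)) per RFC 8555 section 8.4; the thumbprint is the RFC 7638 JWK thumbprint of the account key. The tokens, the JWK and the "found" records below are constructed sample values, and the wording of the diagnosis (that a plugin replaced the record instead of adding a second one) is an assumption, not something the thread confirms.

```python
"""Check that _acme-challenge.<domain> carries every dns-01 value an ACME order needs.

Added example, not certbot or certbot-plugin-gandi code. Uses only the standard
library; the DNS answer is passed in as a list of strings so it runs offline.
"""
import base64
import hashlib
import json
from typing import Dict, List


def _b64url(data: bytes) -> str:
    # RFC 8555 uses base64url without '=' padding everywhere
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    # RFC 7638: SHA-256 over the required members only, sorted, no whitespace
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def expected_txt_value(token: str, account_thumbprint: str) -> str:
    # RFC 8555 s8.4: TXT value = base64url(SHA-256(keyAuthorization)),
    # where keyAuthorization = token "." thumbprint
    key_auth = f"{token}.{account_thumbprint}".encode("ascii")
    return _b64url(hashlib.sha256(key_auth).digest())


def check_challenge_records(found: List[str], expected: List[str]) -> Dict[str, List[str]]:
    # Compare what DNS currently serves against what every authorization needs.
    # Quoting from dig output is stripped so '"abc"' and 'abc' compare equal.
    found_set = {v.strip('"') for v in found}
    return {
        "present": [v for v in expected if v in found_set],
        "missing": [v for v in expected if v not in found_set],
    }


def diagnose(result: Dict[str, List[str]]) -> str:
    # Assumed interpretation: one of two values present usually means the DNS
    # plugin overwrote the first record when it published the second.
    if not result["missing"]:
        return "all challenge values published; a validation failure is propagation timing"
    if result["present"]:
        return "only some values published; suspect the DNS plugin replaced the record instead of adding one"
    return "no expected value published; the record was never written or was removed early"


def run_example() -> Dict[str, List[str]]:
    # Constructed sample: an apex + wildcard order, so two tokens, one name.
    jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
    thumb = jwk_thumbprint(jwk)
    tokens = {"forcing-project.com": "token-apex-constructed",
              "*.forcing-project.com": "token-wildcard-constructed"}
    expected = [expected_txt_value(t, thumb) for t in tokens.values()]
    # Constructed DNS answer: only the wildcard's value survived, as if the
    # second publish replaced the first.
    found = [f'"{expected[1]}"']
    result = check_challenge_records(found, expected)
    print("name: _acme-challenge.forcing-project.com")
    for name, tok in tokens.items():
        print(f"  {name:26} needs {expected_txt_value(tok, thumb)}")
    print("  diagnosis:", diagnose(result))
    return result


if __name__ == "__main__":
    run_example()
```

To use this against a live zone, feed check_challenge_records() the strings returned by a TXT lookup of _acme-challenge.<domain> (for example the answer section of dig) and the expected values computed from the tokens in the certbot debug log; if only one of the two values is present after the plugin has run, no propagation delay will make the order succeed.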

I suggested a fix. Happily, it seems like no messing around with propagation delay is needed at all - the default 10 seconds seems to work fine.


Thanks @_az, this is great. It fixes the main problem. Since this is obviously a shortcoming of certbot-plugin-gandi, let’s continue the discussion over there.
