Hi,
I already set up certbot on a Debian system to get wildcard certificates and I could happily get a few certificates for a few quarters.
But for a few months now, 2 out of the 3 domains I'm managing for a friend have been unable to get renewed.
The failure message is:
Processing /etc/letsencrypt/renewal/example.com.conf
Simulating renewal of an existing certificate for *.example.com and example.com
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: example.com
Type: unauthorized
Detail: Incorrect TXT record "......." (and 1 more) found at _acme-challenge.example.com
Domain: example.com
Type: unauthorized
Detail: Incorrect TXT record "..." (and 1 more) found at _acme-challenge.example.com
Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.
Failed to renew certificate example.com with error: Some challenges have failed.
I usually produce "standalone" certificates that I securely send to my friend, who can deploy them on his self-hosted server.
I'm using certbot 1.29.0:
$ certbot --version
certbot 1.29.0
Before being able to successfully generate a wildcard certificate, I had to dig into the internet for a while.
I'm using certbot and acme-dns-auth.py.
See acme-dns-certbot-joohoi.
A quite good and concise tutorial among many can be found there: How To Acquire a Let's Encrypt Certificate Using DNS Validation with acme-dns-certbot on Ubuntu 18.04.
For each domain there is a CNAME Resource Record pointing to auth.acme-dns.io.:
_acme-challenge CNAME 1800 xxxxxxxxx.auth.acme-dns.io.
This removes the need to manually set up a TXT resource record and wait for its propagation.
Some of the commands I could use successfully are:
$ sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.example.com -d example.com
$ sudo certbot renew
The failure when renewing some wildcard certificates seems related to the TXT resource record (automated via the CNAME resource record pointing to xxx.auth.acme-dns.io.).
Now, I just checked the CNAME resource record for these three domains.
I can see an anomaly: the two domains whose certificate renewal fails have the same CNAME RR! Who did that?...
From there, I deleted one domain managed by certbot whose certificate renewal failed.
$ sudo certbot delete --cert-name example1.com
Then doing:
$ sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.example1.com -d example1.com
I hoped to be asked to add a new CNAME, say:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.subdomain.your-domain CNAME 8450fb54-8e01-4bfe-961a-424befd05088.auth.acme-dns.io.
But I just encountered the failure message shown above.
Let's assume getting a new unique CNAME for each of these 2 domains is the solution.
Do you agree?
If you agree, can you tell me how to do that?
Thanks.
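Added example (not part of the post above, and not code from the acme-dns-certbot project): a small audit of the account store that the acme-dns-auth.py hook keeps, which is where the "same CNAME for two domains" anomaly the post describes would show up. It assumes the hook stores one JSON object per domain, keyed by domain name, with a "fulldomain" field naming the acme-dns host that _acme-challenge.<domain> must CNAME to (the default path is assumed to be /etc/letsencrypt/acmedns.json); the sample store and the sample CNAME answers are constructed, with placeholder account ids and secrets. It reports acme-dns hosts shared by more than one domain, reports domains whose published CNAME no longer matches the host the hook will update (which is what happens after re-registering a domain without changing the zone), and shows how dropping a domain's entry leaves the hook free to register a fresh account on the next certonly run.

```python
#!/usr/bin/env python3
"""Audit the acme-dns account store used by the acme-dns-auth.py hook (added example).

Assumed layout of the store (default path assumed /etc/letsencrypt/acmedns.json):
one object per domain with username/password/fulldomain/subdomain/allowfrom.
Two domains that share one "fulldomain" update the same TXT record, so the
CA sees the wrong token for one of them and validation fails.
"""
import json
from collections import defaultdict

# Constructed sample store; account ids and secrets are placeholders.
SAMPLE_STORE_JSON = json.dumps({
    "example.com": {"username": "user-1", "password": "secret-1",
                    "fulldomain": "11111111-0000-4000-8000-000000000001.auth.acme-dns.io",
                    "subdomain": "11111111-0000-4000-8000-000000000001", "allowfrom": []},
    "example1.com": {"username": "user-2", "password": "secret-2",
                     "fulldomain": "22222222-0000-4000-8000-000000000002.auth.acme-dns.io",
                     "subdomain": "22222222-0000-4000-8000-000000000002", "allowfrom": []},
    # Same account as example1.com: this is the anomaly being hunted.
    "example2.com": {"username": "user-2", "password": "secret-2",
                     "fulldomain": "22222222-0000-4000-8000-000000000002.auth.acme-dns.io",
                     "subdomain": "22222222-0000-4000-8000-000000000002", "allowfrom": []},
})

# Constructed CNAME answers, as `dig +short CNAME _acme-challenge.<domain>` would print them.
SAMPLE_CNAMES = {
    "_acme-challenge.example.com": "11111111-0000-4000-8000-000000000001.auth.acme-dns.io.",
    "_acme-challenge.example1.com": "22222222-0000-4000-8000-000000000002.auth.acme-dns.io.",
    "_acme-challenge.example2.com": "22222222-0000-4000-8000-000000000002.auth.acme-dns.io.",
}


def _norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.strip().rstrip(".").lower()


def load_store(text):
    """Parse the JSON account store."""
    return json.loads(text)


def shared_targets(store):
    """Map each acme-dns host used by more than one domain to those domains."""
    by_target = defaultdict(list)
    for domain, account in store.items():
        by_target[_norm(account["fulldomain"])].append(domain)
    return {target: sorted(domains) for target, domains in by_target.items() if len(domains) > 1}


def cname_mismatches(store, cnames):
    """Domains whose published CNAME does not point at the host the hook will update.

    Returns (domain, expected_host, actual_host_or_None) tuples, sorted by domain.
    """
    mismatches = []
    for domain, account in sorted(store.items()):
        expected = _norm(account["fulldomain"])
        actual = cnames.get("_acme-challenge." + domain)
        if actual is None or _norm(actual) != expected:
            mismatches.append((domain, expected, None if actual is None else _norm(actual)))
    return mismatches


def drop_entries(store, domains):
    """Copy of the store without the given domains.

    With no stored account for a domain, the hook registers a fresh one on the
    next `certbot certonly` run and prints the new CNAME to publish.
    """
    return {domain: account for domain, account in store.items() if domain not in domains}


def audit(store_text, cnames):
    """Run both checks over a store and the CNAMEs currently published."""
    store = load_store(store_text)
    return {"shared": shared_targets(store), "mismatched": cname_mismatches(store, cnames)}


if __name__ == "__main__":
    report = audit(SAMPLE_STORE_JSON, SAMPLE_CNAMES)
    for target, domains in report["shared"].items():
        print(f"{target} is shared by {', '.join(domains)}: re-register all but one of them")
    for domain, expected, actual in report["mismatched"]:
        print(f"{domain}: CNAME points at {actual}, but the hook updates {expected}")
```

Against the sample data the audit flags the shared host for example1.com and example2.com and no CNAME mismatch. After dropping example2.com's entry and letting the hook register a new account, the zone still carries the old CNAME, and the mismatch check is what tells you the CNAME for that domain has to be replaced before the next renewal.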