I already setup certbot on a debian system to get wildcard certificates and I could happily get a few certificates for a few quarters.
But since a few months 2 out of the 3 domains I'm managing for a friend are unable to get renewed.
The failure message is:
Simulating renewal of an existing certificate for *.example.com and example.com
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Detail: Incorrect TXT record "......." (and 1 more) found at _acme-challenge.example.com
Detail: Incorrect TXT record "..." (and 1 more) found at _acme-challenge.example.com
Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.
Failed to renew certificate example.com with error: Some challenges have failed.
I usually produce "standalone" certificates that I securely communicate to the friend that he can deploy on his self-hosted server.
I'm using certbot 1.29.0:
$ certbot --version certbot 1.29.0
Before being able to sucessfully generate a wildcard certificate, I had to dig into the internet for a while.
I'm using certbot and acme-dns-auth.py.
A quite good and concise tutorial among many can be found there: How To Acquire a Let's Encrypt Certificate Using DNS Validation with acme-dns-certbot on Ubuntu 18.04.
For each domain there is a CNAME Resource Record pointing to auth.acme-dns.io. :
_acme-challenge CNAME 1800 xxxxxxxxx.auth.acme-dns.io.
This suppress the need to manually setup a TXT resource record and wait for its propapagation.
Some of the commands I could use successfully are:
$ sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.example.com -d example.com
$ sudo certbot renew
The failure when renewing some wildcard certificates seems related to the TXT resource record (automated via CNAME resource record pointing to xxx.auth.acme-dns.io.)
Now, I just checked the CNAME resoure record for these three domains.
I can see an anomaly: the two domains that have failure for getting certificate renewal have the same CNAME RR! Who did that?...
From there, I deleted one domain managed by certbot which certificate renewal failed.
$ sudo certbot delete --cert-name example1.com
$ sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.example1.com -d example1.com
I hoped to be requested to add a new CNAME, say:
Please add the following CNAME record to your main DNS zone: _acme-challenge.subdomain.your-domain CNAME 8450fb54-8e01-4bfe-961a-424befd05088.auth.acme-dns.io.
But I just encountered a failure message introduced herebefore.
Let's assume getting a new unique CNAME for each of these 2 domains is the solution.
Do you agree?
If you agree, can you tell me how to do that?