Wildcard SSL renewal failing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: flux.garden

I ran this command: sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --manual --preferred-challenges dns -d 'flux.garden,*.flux.garden'

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for flux.garden

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.flux.garden with the following value:

4HUtWKHayiysi2mO6KeV3VKSpWn5rz18k3DoF7gX6Uo

Before continuing, verify the record is deployed.

Copied/pasted the value over the old/existing value for that TXT entry in the DigitalOcean DNS UI, then

Waiting for verification...
Challenge failed for domain flux.garden

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04 (LTS) x64

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes for DNS, no for anything else

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

Dumb question: am I supposed to wait between pasting the TXT value in (and submitting) and hitting Enter for verification? How long? One time I think I waited too long and it just gave me a new value to enter....

FYI additional notes/progress (new and old) are at (2021-07-20) Renewing SSL - WebSeitz/wiki

If you're doing this manually, a few minutes.

However, on Ubuntu 20.04, you have another option. You can install the DigitalOcean plugin:

sudo apt install python3-certbot-dns-digitalocean

and then follow the instructions here to renew your certificate.

The upside to doing this is that it will be completely automatic, and you won't need to do any of this TXT record copy-pasting business every 60-90 days. I highly recommend taking that approach over the manual approach.

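The "wait a few minutes" advice above can be replaced by an actual check. Let's Encrypt resolves `_acme-challenge.flux.garden` itself, so what matters is whether the domain's authoritative nameservers already serve the new token, not whether your local resolver has it cached. The script below is an added example, not code from the thread or from Certbot; it assumes `dig` is installed (package `bind9-dnsutils` on Ubuntu 20.04) and uses the domain and token printed earlier in the thread as sample values. Run it as `sh check-txt.sh check` in a second terminal while certbot is waiting at the "Before continuing" prompt, and press Enter only once it reports every nameserver as ok.

```shell
#!/bin/sh
# Added example, not from the original thread: poll the domain's authoritative
# nameservers for the _acme-challenge TXT value before pressing Enter in
# `certbot --manual`. Assumes `dig` is installed (bind9-dnsutils on Ubuntu 20.04).
# DOMAIN and EXPECTED use the values shown in the thread; substitute your own.

DOMAIN="flux.garden"
EXPECTED="4HUtWKHayiysi2mO6KeV3VKSpWn5rz18k3DoF7gX6Uo"

# txt_has_value EXPECTED: read `dig +short TXT ...` output on stdin and succeed
# only if one of the returned TXT strings equals EXPECTED exactly. dig prints
# each TXT rdata quoted, e.g. "4HUt...", so strip one pair of double quotes.
# A record that still carries only the previous challenge value fails here.
txt_has_value() {
    expected="$1"
    while IFS= read -r line; do
        value=${line#\"}
        value=${value%\"}
        [ "$value" = "$expected" ] && return 0
    done
    return 1
}

# authoritative_ns DOMAIN: print the NS hosts for DOMAIN, one per line.
authoritative_ns() {
    dig +short NS "$1"
}

# wait_for_txt DOMAIN EXPECTED [TRIES]: query every authoritative nameserver
# directly (@ns) every 10 s until all of them return EXPECTED, or give up
# after TRIES attempts (default 30, i.e. five minutes).
wait_for_txt() {
    domain="$1"; expected="$2"; tries="${3:-30}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        all_ok=1
        for ns in $(authoritative_ns "$domain"); do
            if dig +short TXT "_acme-challenge.$domain" "@$ns" | txt_has_value "$expected"; then
                echo "ok:    $ns"
            else
                echo "stale: $ns (expected value not served yet)" >&2
                all_ok=0
            fi
        done
        [ "$all_ok" -eq 1 ] && return 0
        i=$((i + 1))
        sleep 10
    done
    return 1
}

# The live check only runs when invoked as `sh check-txt.sh check`, so the
# functions above can be sourced or tested without touching the network.
case "${1:-}" in
    check) wait_for_txt "$DOMAIN" "$EXPECTED" && echo "Safe to press Enter in certbot now." ;;
esac
```

Querying each nameserver by name with `@ns` is the important part: a plain `dig TXT` goes through your resolver, which may keep serving the old token for the record's TTL even after DigitalOcean's own servers have the new one.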

It looks like waiting 2min was all it took.

I'll try the plugin next time, thanks!


Dumb follow-up - if I check the cert with SSL Server Test: flux.garden (Powered by Qualys SSL Labs) it doesn't show the new expiration date. Do I need to restart nginx?

Oh wait, it looks like there's a 2nd cert, with the later date?

Yes. Usually you'd add something to your Certbot command like:

--post-hook "service nginx reload"

so it does it for you.


OR
--deploy-hook
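The two recommendations in this thread, the `dns-digitalocean` plugin and a hook that reloads nginx, fit together in one script. What follows is an added example, not code from the thread, from Certbot or from DigitalOcean. It assumes `python3-certbot-dns-digitalocean` is installed, that nginx is managed by systemd, and that the credentials path and the `DO_TOKEN` variable are your choice (they are placeholders here). The API token grants write access to the whole DigitalOcean account, so the file holding it is created 0600 under a 0700 directory before the secret is written; `--deploy-hook` is used rather than `--post-hook` because it runs only when a certificate was actually issued, which is exactly the case where nginx needs reloading.

```shell
#!/bin/sh
# Added example, not from the original thread: non-interactive DNS-01 issuance
# and renewal with the certbot dns-digitalocean plugin plus a deploy hook.
# Assumes python3-certbot-dns-digitalocean is installed and nginx runs under
# systemd. CRED_FILE and DO_TOKEN are assumed names, not values from the thread.

DOMAIN="flux.garden"
CRED_FILE="/root/.secrets/certbot/digitalocean.ini"

# write_do_credentials FILE TOKEN: store the API token in the INI format the
# plugin reads (key `dns_digitalocean_token`). The file is created with mode
# 0600 via umask before the secret is written, so there is no window in which
# it is world-readable; an empty token is refused instead of written out.
write_do_credentials() {
    file="$1"; token="$2"
    if [ -z "$token" ]; then
        echo "write_do_credentials: empty token" >&2
        return 1
    fi
    mkdir -p "$(dirname "$file")"
    chmod 700 "$(dirname "$file")"
    (umask 077 && printf 'dns_digitalocean_token = %s\n' "$token" > "$file")
}

# credentials_mode FILE: print the permission string (e.g. -rw-------) so a
# caller can verify nothing else on the box can read the token.
credentials_mode() {
    ls -l "$1" | cut -c1-10
}

# obtain_cert: first issuance of the apex + wildcard cert via DNS-01 using the
# plugin. --dns-digitalocean-propagation-seconds is the automated equivalent of
# the wait the manual path needed before pressing Enter. --deploy-hook runs once
# per newly issued certificate and is saved in the renewal config, so the
# systemd-timer-driven `certbot renew` reloads nginx on every future renewal too.
obtain_cert() {
    certbot certonly \
        --dns-digitalocean \
        --dns-digitalocean-credentials "$CRED_FILE" \
        --dns-digitalocean-propagation-seconds 60 \
        --deploy-hook "systemctl reload nginx" \
        -d "$DOMAIN" -d "*.$DOMAIN"
}

# Usage: DO_TOKEN=... sh renew-do.sh setup   (write credentials, then issue)
#        sh renew-do.sh dry-run              (verify unattended renewal works)
case "${1:-}" in
    setup)
        write_do_credentials "$CRED_FILE" "${DO_TOKEN:?set DO_TOKEN to your DigitalOcean API token}"
        echo "credentials file mode: $(credentials_mode "$CRED_FILE")"
        obtain_cert
        ;;
    dry-run)
        # Exercises the stored plugin options against the staging environment
        # without issuing anything, which is the check worth running once after setup.
        certbot renew --dry-run
        ;;
esac
```

After `setup`, `certbot renew --dry-run` confirms that the plugin, the credentials file and the hook all work unattended; if it passes, the TXT copy-pasting is gone for good and the SSL Labs report will show the new certificate as soon as the hook has reloaded nginx.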