
SSL renewal with LetsEncrypt

I’ve used LetsEncrypt for a number of years on various sites. Recently I came across a problem I just don’t understand. SSL renewal with LetsEncrypt is supposed to be straightforward. The procedure I use to create wildcard certificates is as follows –

certbot certonly --manual --preferred-challenges dns -d dannyhorne.com -d '*.dannyhorne.com'

Certbot will then ask you to add two TXT records to your DNS for the domain. It asks you to do it twice in this case because wildcard certificates don’t routinely protect the root domain (dannyhorne.com in my case), so both the root and the wildcard domain have to be entered into the request so they’re both added to the certificate. This will create a wildcard certificate which will last for three months. It’s important to understand that this certificate will NOT automatically renew when it’s close to expiring.

The next stage, which usually works for me, is to execute the following command –

certbot --nginx --server https://acme-v02.api.letsencrypt.org/directory -d dannyhorne.com -d '*.dannyhorne.com' certonly

I use the ‘certonly’ option because I don’t want certbot messing with my NginX configuration. This should (and did in my case) produce the following output –

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/dannyhorne.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/dannyhorne.com/privkey.pem
This certificate expires on 2023-09-19.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Note the text ‘These files will be updated when the certificate renews’. This, you would think, means that you no longer have to worry about managing the renewal process for this domain. Unfortunately, and for reasons I haven’t figured out yet, for this particular domain that isn’t the case. When I run the following command, which simulates renewal for all my domains, I get an error on just this one –

certbot renew -v --dry-run

Processing /etc/letsencrypt/renewal/dannyhorne.com.conf

Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Simulating renewal of an existing certificate for dannyhorne.com and *.dannyhorne.com
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Failed to renew certificate dannyhorne.com with error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

I’m currently at a loss to understand why I get this error on just this domain; I use the same procedure on other domains to create wildcard certificates and get no errors.

This has got me stumped!! As I said, SSL renewal with LetsEncrypt is supposed to be straightforward. I hope to be returning to this with some answers.
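Added here as an example, not code from the post or from certbot: a small check that reads the authenticator certbot recorded in a renewal config (the ‘Plugins selected: Authenticator nginx’ line above comes from that file) and reports any wildcard name that it cannot renew, since Let’s Encrypt validates wildcard names only with the dns-01 challenge. The config contents, example.com and the account id are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: flag a certbot renewal config
# (/etc/letsencrypt/renewal/<name>.conf) whose recorded authenticator cannot
# answer dns-01, the only challenge Let's Encrypt accepts for wildcard names.
# DNS-capable authenticators here: the dns-* plugins and manual.

# Print the value of KEY from the [renewalparams] section of CONF.
renewal_param() {  # $1 = CONF, $2 = KEY
    sed -n '/^\[renewalparams\]/,$p' "$1" |
        sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Return 0 when CONF's authenticator can renew every domain given,
# 1 when a wildcard domain is paired with one that cannot do dns-01.
check_renewal_conf() {  # $1 = CONF, remaining args = domains
    conf="$1"; shift
    auth="$(renewal_param "$conf" authenticator)"
    case "$auth" in dns-*|manual) dns_ok=1 ;; *) dns_ok=0 ;; esac
    for d in "$@"; do
        case "$d" in
            \*.*) if [ "$dns_ok" -eq 0 ]; then
                      echo "$conf: '$d' needs dns-01; authenticator '$auth' cannot" >&2
                      return 1
                  fi ;;
        esac
    done
    return 0
}

# Constructed sample configs (placeholder account id, not from a real server).
tmp="$(mktemp -d)"
printf '[renewalparams]\naccount = PLACEHOLDER_ACCOUNT_ID\nauthenticator = nginx\ninstaller = nginx\n' > "$tmp/nginx.conf"
printf '[renewalparams]\naccount = PLACEHOLDER_ACCOUNT_ID\nauthenticator = manual\npref_challs = dns-01,\n' > "$tmp/manual.conf"

# Demo: the nginx config fails the wildcard check, the manual one passes.
for c in "$tmp/nginx.conf" "$tmp/manual.conf"; do
    if check_renewal_conf "$c" example.com '*.example.com'; then echo "$c: ok"; fi
done
```

On a real server, run the check against each file under /etc/letsencrypt/renewal/ with the names that certificate covers; a failure means ‘certbot renew’ will hit the same error as above until the lineage is re-issued with a DNS-capable authenticator.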

Published in SSL
