DEV Community

nabbisen

Posted on • Updated on

Let's Encrypt: Renew Wildcard Certificate With Certbot

To renew Let's Encrypt wildcard certificates with certbot (using the DNS-01 challenge rather than HTTP-01), all you have to do is follow the same process as the first time.
Just run:

# certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d "*.<your-domain>" -d <your-domain>

The result begins with:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for <your-domain>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

and then continues with:

Please deploy a DNS TXT record under the name
_acme-challenge.<your-domain> with the following value:

<txt-record-value-given>

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Put <txt-record-value-given> into a DNS TXT record named "_acme-challenge" under the domain.
Wait a while for the record to propagate, then press Enter.
The result is:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/<your-domain>/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/<your-domain>/privkey.pem
   Your cert will expire on 2019-10-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now it's done :)


Note that if you instead run:

# certbot renew

the following error occurs:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/<your-domain>.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (<your-domain>) from /etc/letsencrypt/renewal/<your-domain>.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
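The error above is certbot asking for an authentication hook so the manual plugin can run unattended. The script below is an added example, not code from the post: it assumes a placeholder deploy_txt_record function (replace it with your DNS provider's API call), that dig is installed, and that 1.1.1.1 is an acceptable resolver to poll; certbot itself sets CERTBOT_DOMAIN and CERTBOT_VALIDATION before calling the hook.

```shell
#!/bin/sh
# Added example, not from the post: a certbot --manual-auth-hook for DNS-01.
# certbot exports CERTBOT_DOMAIN (the "*." prefix already stripped for a
# wildcard) and CERTBOT_VALIDATION (the TXT value to publish) before running it.

# Challenge record name for a domain; also tolerates the "*.domain" form.
acme_record_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Succeed if one of the quoted TXT strings on stdin (dig +short output)
# equals the expected value exactly; only the surrounding quotes are removed.
txt_contains() {
    expected=$1
    while IFS= read -r line; do
        line=${line#\"}
        line=${line%\"}
        [ "$line" = "$expected" ] && return 0
    done
    return 1
}

# Placeholder (assumption): replace with your DNS provider's API call.
# It must ADD a record rather than overwrite: with -d "*.<domain>" -d <domain>
# certbot runs this hook twice for the same name with two different values,
# and both TXT records have to exist at the same time.
deploy_txt_record() {
    echo "would create TXT $1 = \"$2\"" >&2
}

# Poll a public resolver (assumption: 1.1.1.1) until the value is visible,
# up to $3 attempts ten seconds apart; certbot only continues if we exit 0.
wait_for_txt() {
    name=$1; value=$2; tries=${3:-30}
    while [ "$tries" -gt 0 ]; do
        dig +short TXT "$name" @1.1.1.1 | txt_contains "$value" && return 0
        tries=$((tries - 1))
        sleep 10
    done
    return 1
}

# Entry point: only runs when certbot invokes the script (variables set).
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    deploy_txt_record "$name" "$CERTBOT_VALIDATION"
    wait_for_txt "$name" "$CERTBOT_VALIDATION" || exit 1
fi
```

Pass it with --manual-auth-hook /path/to/hook.sh on the certonly command above; certbot stores the hook in the renewal configuration, so a later certbot renew can run unattended (a matching --manual-cleanup-hook can remove the record afterwards).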

Oldest comments (13)

Edi Septriyanto

Hi,
Is it possible to renew a wildcard domain automatically without DNS intervention?

nabbisen • Edited

Hi, Edi,

@daniel15 kindly told me there is help named "acme-dns" :)

The overview in its GitHub repository is:

Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.

Relatively, it seems more difficult than using certbot renew and cron.

Besides, I haven't used it yet because I'm moving to OpenBSD's acme-client.

Rafael

Heddi, thanks for sharing your tutorial. Reading through the manual, it doesn't seem like the OpenBSD acme-client supports the DNS challenge. Any thoughts?

nabbisen

Hello, Rafael.

Sorry, I knew little about non-http-01 challenges with OpenBSD's acme-client.
You might be right. acme-client's documentation says:

acme-client implements the “http-01” challenge type

According to the original writer, Kristaps, it had -t option to use custom challenges, but they were "too system-specific to provide in a safe manner".

Rafael

Thanks!

Dinesh Rathee

LetsEncrypt revoked around 3 million certs last night due to a bug that they found. Are you impacted by this? Check out:

DevTo: dev.to/dineshrathee12/letsencrypt-...

GitHub: github.com/dineshrathee12/Let-s-En...

LetsEncryptCommunity: community.letsencrypt.org/t/letsen...

Juan Gutiérrez

The second domain (the one without the wildcard) is no longer necessary. If you type it, certbot will ask for two challenges for the same record, so it will fail. It should be just like this:

# certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d "*.<your-domain>"

nabbisen • Edited

Hello, Juan. Thank you very much for your information 😃
Well, excuse me, but I wonder why I succeeded in renewing with multiple -d options for subdomains and the domain last week. Therefore, I don't know if I should edit my post...🤔
Would you mind if I ask for some official documentation or release information? I'm sorry, I couldn't find anything on eff.org, letsencrypt.org or certbot.eff.org.

Juan Gutiérrez • Edited

I'm not sure if it's documented on any other site; it's just what happened to me. I remember your command worked for me some months ago, but this time (yesterday) I only had to do the wildcard one.

Example (image)

nabbisen

Juan, thank you again for the detail. I understand what happened.
I'll try by myself again in a couple of weeks and check the result 😉

nabbisen

@jgutix
Hello, I have finished my latest trial 😃 It was successful today.
I got the same messages you put as image above. I prepared 2 DNS TXT records, waited for a while and then pressed Enter.

Is it possible that DNS propagation affects your results: failure first and success next? Hmm, I know, however, that you succeeded some months ago. It's just one of my suppositions... 🤔

Juan Gutiérrez

@nabbisen I forgot to update this, so it turns out it didn't actually renew the root cert, only the wildcard, since that's the one I ran the command for. This means I had to run it twice, once for each of the wildcard and root domains. But you're saying you only ran the same one? But how so, if the DNS record is the same with different values? Maybe you could update your post to explain that process; I for one don't know how to do it.

nabbisen

@jgutix
Hello. I'm sorry for my late reply.
As I wrote in my post:

certbot ... -d "*.<your-domain>" -d <your-domain> ...

I used two -d options at the same time. For example, it was certbot ... -d "*.some.domain" -d some.domain ... .
Does it mean to "run twice, one for each wildcard and root domains" as you wrote🙂?