I am an old user of letsencrypt that just found out that my old way of renewing my set of certificates is no longer supported.
Running the usual “certbot renew” command, which used to renew my certificates, now resulted in the error:
2019-04-06 17:38:19,072:WARNING:certbot.renewal:Attempting to renew cert (blog.voina.org) from /etc/letsencrypt/renewal/blog.voina.org.conf produced an unexpected error:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.. Skipping.
Looking on the Internet I found out that, due to security issues, the TLS-SNI-01 validation support that I was using was phased out. Of course my certificates had to expire in the first week of April 🙂
See here the announcement for End-of-Life for All TLS-SNI-01 Validation Support
Then I decided to see how I can use the new wildcard domain certificate feature from letsencrypt. That would mean I can use a single certificate for all my subdomains.
Below is the log of the command to manually issue a wildcard domain certificate. Note that --manual is for manual mode (make sure to stop your http server before running this command), and --preferred-challenges dns means the challenge will be expected as a DNS TXT entry:
[root@nas1 ~]# certbot certonly --manual --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): voina.org, *.voina.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for voina.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name _acme-challenge.voina.org with the following value:

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/voina.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/voina.org/privkey.pem
   Your cert will expire on 2019-07-05. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Important to note that when you get to line 23 (the “Please deploy a DNS TXT record” step) you will have to connect to your domain registrar and add the TXT record to the DNS entries for your domain as instructed. In my case I connected to cPanel and edited this on the registrar's page. Make sure the entry is active and wait some time to make sure the DNS record has propagated.
As you can see above, from now on I should be able to renew my wildcard certificate using the same “certbot renew” command. It turns out this is not true!!!
In fact the only way to renew is the following:
certbot certonly --manual -d 'voina.org, *.voina.org' --preferred-challenges dns
It seems --manual is the problem here. When I tried “certbot renew” I got the error:
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (voina.org) from /etc/letsencrypt/renewal/voina.org.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/voina.org/fullchain.pem (failure)
Update: I moved my DNS provider to Namecheap. The one and only thing where you have to be careful: DO NOT add the TXT entries as “_acme.voina.org”. Namecheap by default appends the domain to the name of the TXT entry. So the correct TXT entry in the web form is:
Name: _acme, Value: provided key
I lost several days with this 🙂
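Two things bit me above: pressing Enter before the record had propagated, and the registrar silently appending the zone to the record name. This small checker (an added example, not part of the original post) asks a public resolver for `_acme-challenge.<domain>` before you continue, and also reports the "doubled domain" case (`_acme-challenge.voina.org.voina.org`) that the Namecheap form produces. It assumes `dig` from bind-utils is installed; the `lookup` parameter exists so the logic can be exercised with a constructed zone instead of live DNS.

```python
#!/usr/bin/env python3
"""Check that the ACME dns-01 TXT record is visible before continuing certbot."""
import subprocess
import sys
from typing import Callable, List

Lookup = Callable[[str], List[str]]


def dig_txt(name: str, resolver: str = "8.8.8.8") -> List[str]:
    """TXT values for `name` as seen by a public resolver (not the local cache).
    Assumes the `dig` binary is available."""
    out = subprocess.run(
        ["dig", "+short", "TXT", name, "@" + resolver],
        capture_output=True, text=True, check=False,
    ).stdout
    # dig prints one quoted value per line; strip quotes and blank lines
    return [line.strip().strip('"') for line in out.splitlines() if line.strip()]


def check_acme_txt(domain: str, expected: str, lookup: Lookup = dig_txt) -> str:
    """Return 'ok', 'doubled-domain', 'wrong-value' or 'missing'.

    'doubled-domain' means the token is live, but under
    _acme-challenge.<domain>.<domain>: the registrar's form appended the zone
    to a fully-qualified Host field, so the CA will never find it."""
    name = f"_acme-challenge.{domain}"
    values = lookup(name)
    if expected in values:
        return "ok"
    if expected in lookup(f"{name}.{domain}"):
        return "doubled-domain"
    return "wrong-value" if values else "missing"


if __name__ == "__main__":
    # usage: check_acme_txt.py voina.org <token printed by certbot>
    if len(sys.argv) != 3:
        sys.exit("usage: check_acme_txt.py DOMAIN TOKEN")
    status = check_acme_txt(sys.argv[1], sys.argv[2])
    print(status)
    sys.exit(0 if status == "ok" else 1)
```

Run it in a loop until it prints `ok`, then press Enter in certbot; a `doubled-domain` result means the Host field should contain only `_acme-challenge`, without the domain.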
One of the great advantages of using a DNS challenge is that you do not have to run the certificate issuing procedure on the actual web server machine. You can use any machine connected to the internet and then copy the certificate and keys to your server.