I have a Let's Encrypt wildcard certificate which was obtained with the DNS challenge. In the meantime I migrated the webapp and the certificate to a new server, where renewing that certificate fails.
$ certbot renew --preferred-challenges dns --standalone
Processing /etc/letsencrypt/renewal/dedacted.de-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer nginx
Renewing an existing certificate
Performing the following challenges:
Attempting to renew cert (dedacted.de-0001) from /etc/letsencrypt/renewal/dedacted.de-0001.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.
These is the config file:
# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/dedacted.de-0001
cert = /etc/letsencrypt/live/dedacted.de-0001/cert.pem
privkey = /etc/letsencrypt/live/dedacted.de-0001/privkey.pem
chain = /etc/letsencrypt/live/dedacted.de-0001/chain.pem
fullchain = /etc/letsencrypt/live/dedacted.de-0001/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = dedacted
authenticator = nginx
server = https://acme-v02.api.letsencrypt.org/directory
installer = nginx
I tried different options for the renewing command but had no success.
This is the last debug log:
2021-12-14 11:10:00,631:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 14 Dec 2021 10:10:00 GMT
Content-Type: application/json
Content-Length: 384
Connection: keep-alive
Boulder-Requester: 110278569
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: dedacted
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "dedacted.de"
},
"status": "pending",
"expires": "2021-12-20T14:57:56Z",
"challenges": [
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/dedacted/dedacted",
"token": "dedacted"
}
],
"wildcard": true
}
2021-12-14 11:10:00,632:DEBUG:acme.client:Storing nonce: dedacted
2021-12-14 11:10:00,632:INFO:certbot.auth_handler:Performing the following challenges:
2021-12-14 11:10:00,632:WARNING:certbot.renewal:Attempting to renew cert (dedacted.de-0001) from /etc/letsencrypt/renewal/dedacted.de-0001.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.
2021-12-14 11:10:00,635:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 462, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1208, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 320, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 62, in handle_authorizations
achalls = self._choose_challenges(authzrs)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 206, in _choose_challenges
self._get_chall_pref(authzr.body.identifier.value),
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 229, in _get_chall_pref
raise errors.AuthorizationError(
certbot.errors.AuthorizationError: None of the preferred challenges are supported by the selected plugin
Did I miss to install something for supporting wildcard certificated or did something change and it is not supported anymore the way it was?
Well, here is what I can tell from what you are doing. You already had a working certificate that was generated using the
certbot nginxplugin. Now, you've relocated your server and config to a new server and want to renew the certificate. My advice is to use the nginx plugin again by adding--nginxto your command for the renewal. I suspect that because it is not included, certbot is raising the error of the plugin used is not supported.If that does not work, I will suggest that you remove the old configuration you copied onto the new server and run certbot to create a new certificate with its own config for you.