Late adding CNAME, CCM 6.1.2.0 won't renew

Hi.

I was away when CTW/CCM wanted to renew my cert for the first time, so missed the “add CNAME message” by about a week. I’ve now added the CNAME (_acme-challenge.drumlinsecurity.net) but when CCM tries to renew I get the message:

Fail to load resource from 'https://acme-v02.api.letsencrypt.org/acme/order/2065831307/347594726465'.
urn:ietf:params:acme:error:malformed: No order for ID 347594726465

Seems the delay in adding the CNAME has caused the LE order to expire. How can I get a new order to renew the cert, hopefully without starting all over with a new cert…

Thanks

Nick

Hi,

Let’s Encrypt have recently reduced the amount of time they allow for orders to be paused before they delete them and this results in problems like this where the app is trying to resume an order that’s no longer recognized by the CA.

If you try the order multiple times it should give up trying to resume the order and start a new order, but if not you can use Certificate > Advanced > Actions > Reset Failure Status, then Save and click Request Certificate to start again.
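The failure mode above, as an added sketch (not Certify The Web's code): a client keeps the order URL from its last attempt, tries to resume it, and must treat the CA's `urn:ietf:params:acme:error:malformed` / "No order for ID" problem document as "this order is gone, start a fresh one" rather than as a retryable error. The CA below is a constructed stand-in; the base URL and order IDs are made up.

```python
"""Resume-or-recreate logic for a persisted ACME order (added example).

Not Certify The Web's implementation. FakeCA is a constructed stand-in for
an ACME v2 server: it deletes expired orders and, like Let's Encrypt, answers
a fetch of an unknown order with a malformed "No order for ID" problem."""
from dataclasses import dataclass, field
import itertools

MALFORMED = "urn:ietf:params:acme:error:malformed"


class AcmeError(Exception):
    """Carries the RFC 8555 problem document returned by the CA."""
    def __init__(self, problem: dict):
        super().__init__(problem["detail"])
        self.problem = problem


@dataclass
class FakeCA:
    base: str = "https://acme.example.test/acme/order"   # assumption
    orders: dict = field(default_factory=dict)
    _ids = itertools.count(1000)                          # constructed IDs

    def new_order(self, domains):
        url = f"{self.base}/{next(self._ids)}"
        self.orders[url] = {"status": "pending", "identifiers": list(domains)}
        return url

    def get_order(self, url):
        if url not in self.orders:
            oid = url.rsplit("/", 1)[-1]
            raise AcmeError({"type": MALFORMED, "detail": f"No order for ID {oid}"})
        return self.orders[url]

    def expire(self, url):
        """Simulate the CA purging a paused order."""
        self.orders.pop(url, None)


def resume_or_new_order(ca, state: dict, domains):
    """state is what the client persists between renewal attempts,
    e.g. {"order_url": ...}. Returns (order_url, resumed)."""
    url = state.get("order_url")
    if url:
        try:
            ca.get_order(url)
            return url, True                      # order still live: resume it
        except AcmeError as e:
            if e.problem["type"] != MALFORMED:
                raise                             # rate limits etc. are not fixed by a new order
            state.pop("order_url", None)          # stale order: clear the saved failure state
    url = ca.new_order(domains)
    state["order_url"] = url
    return url, False


if __name__ == "__main__":
    ca, state = FakeCA(), {}
    first, _ = resume_or_new_order(ca, state, ["drumlinsecurity.net"])
    ca.expire(first)                              # the CNAME was added too late
    second, resumed = resume_or_new_order(ca, state, ["drumlinsecurity.net"])
    print(first, "->", second, "resumed:", resumed)
```

Clearing the saved order URL on the malformed response is the programmatic equivalent of "Reset Failure Status"; any other problem type is surfaced unchanged so a real error is not papered over by endlessly creating new orders.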

Thanks for the reply. That helped, but just pushed us onto a new issue.

The cert is for two domains - drumlinsecurity.net and drumlinsecurity.co.uk.

It’s still one machine, but how to setup the ACME DNS service for both those domains on the one machine?

Thanks - and apologies for the dumb questions!

I see those sites go to two different servers/IPs so presumably that’s why you’re not using standard HTTP domain validation.

A single managed certificate can have many domains included but each domain needs to be validated by the CA individually. If you were just using HTTP domain validation (the default) that would all happen automatically if all domains pointed to the same server (running Certify, which can then answer on your behalf).

You can even mix and match HTTP and domain validation in one cert as required by adding multiple configurations under Authorization, and set the Domain Match rule (which you only need to do when you require different validation configurations for different domains).

For acme-dns specifically, if you set the Authorization method to dns-01, select ACME-DNS as the provider, then request your cert, for each domain you will be asked to create a specific CNAME record pointing to the ACME-DNS service you are using. If you missed the CNAME you should be using you can review your log file (on the Status tab) and scan through that for the latest mentions of _acme-challenge.

Note that if you moved your DNS hosting to a supported provider like Cloudflare or AWS route 53 you wouldn’t have to use acme-dns or similar to achieve DNS automation.

Note that if you are a licensed customer you can get private support via email to support at certifytheweb.com and you’ll usually get a faster answer there (and you can share logs etc to help). The community forum is mainly for public questions or support for unlicensed community users.
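A pre-flight check for the per-domain CNAME step described above, as an added example (not Certify The Web or acme-dns project code). It derives the `_acme-challenge` name for each domain on the certificate and confirms that name is a CNAME to the acme-dns registration subdomain you were given; a wildcard entry is validated at its base name. The acme-dns host `acme-dns.example.net`, the registration subdomains and the sample zone data are all constructed; the live resolver path assumes dnspython is installed.

```python
"""Verify _acme-challenge CNAMEs for every domain on a multi-domain cert
before requesting it (added example, not from the thread or the project)."""
from typing import Callable, Dict, Optional

LookupFn = Callable[[str], Optional[str]]   # name -> CNAME target, or None


def normalize(name: str) -> str:
    """Lower-case and force a single trailing dot so comparisons are exact."""
    return name.strip().lower().rstrip(".") + "."


def challenge_name(domain: str) -> str:
    """dns-01 is validated at _acme-challenge.<domain>; a wildcard *.x.y
    is validated at x.y, so the leading '*.' is dropped."""
    base = domain[2:] if domain.startswith("*.") else domain
    return normalize("_acme-challenge." + base)


def check_cnames(expected: Dict[str, str], lookup: LookupFn) -> Dict[str, str]:
    """expected maps each certificate domain to the acme-dns subdomain its
    CNAME must point at. Returns domain -> 'ok' | 'missing' | 'wrong target: ...'."""
    result = {}
    for domain, target in expected.items():
        seen = lookup(challenge_name(domain))
        if seen is None:
            result[domain] = "missing"
        elif normalize(seen) != normalize(target):
            result[domain] = f"wrong target: {normalize(seen)}"
        else:
            result[domain] = "ok"
    return result


# Constructed zone data standing in for a live resolver: only the .net
# CNAME was added, the .co.uk one never was (the situation in the thread).
SAMPLE_RECORDS = {
    "_acme-challenge.drumlinsecurity.net.":
        "0f3b1c2d-1111-4222-8333-444455556666.acme-dns.example.net",
}

# Hypothetical acme-dns registrations: one subdomain per domain.
EXPECTED = {
    "drumlinsecurity.net":
        "0f3b1c2d-1111-4222-8333-444455556666.acme-dns.example.net.",
    "drumlinsecurity.co.uk":
        "7a8b9c0d-2222-4333-8444-555566667777.acme-dns.example.net.",
}


def sample_lookup(name: str) -> Optional[str]:
    return SAMPLE_RECORDS.get(normalize(name))


def live_lookup(name: str) -> Optional[str]:
    """Real DNS via dnspython (pip install dnspython); not used offline."""
    import dns.resolver
    try:
        answer = dns.resolver.resolve(name, "CNAME")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return None
    return answer[0].target.to_text()


if __name__ == "__main__":
    for domain, status in check_cnames(EXPECTED, sample_lookup).items():
        print(f"{challenge_name(domain)}  {status}")
```

Run it with `live_lookup` in place of `sample_lookup` once the records are published; every domain must report `ok` before the CA will complete dns-01 for the whole certificate, since each name is validated on its own.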