I use the following command to issue wildcard certificates:
certbot-auto certonly --email $EMAIL --manual -d *.$DOMAIN -d $DOMAIN --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Today I’m getting this error:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
An unexpected error occurred:
The server will not issue certificates for the identifier :: Error creating new order :: Cannot issue for "firstname.lastname@example.org": Domain name contains an invalid character
Please see the logfiles in /var/log/letsencrypt for more details.
And I found this in the log: a wrong value for the DNS (
email@example.com here is not real.
Read your output: Your $DOMAIN value is wrong.
A second possibility may be that
*.$DOMAIN is being expanded by the shell to an unexpected value.
Wrapping it in quotes may help:
Nope, I'm sure about the domain.
Same error even after replacing the $DOMAIN variable with the exact domain.
I'm just wondering why there are two entries for
dns in the log. Actually
firstname.lastname@example.org is wrong and I don't know where it comes from!
grep "main:Arguments" /var/log/letsencrypt/letsencrypt.log
A long list, but the wrong domain is there! What is
main:Arguments and what can I do with that?
That’s the log line of how Certbot translated your command line arguments.
Here’s an even lower level debugging technique. This will show
exactly what your shell sent to Certbot, after the
$VARIABLES have been substituted, but before Certbot receives any input:
strace -e trace=execve -s 1024 certbot-auto certonly --email $EMAIL --manual -d "*.$DOMAIN" -d $DOMAIN --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
$ strace -e trace=execve -s 1024 certbot-auto certonly --email $EMAIL --manual -d "*.$DOMAIN" -d $DOMAIN --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d foo.bar
execve("/usr/local/bin/certbot-auto", ["certbot-auto", "certonly", "--email", "email@example.com", "--manual", "-d", "*.mydomain.online", "-d", "mydomain.online", "--agree-tos", "--manual-public-ip-logging-ok", "--preferred-challenges", "dns-01", "--server", "https://acme-v02.api.letsencrypt.org/directory", "-d", "foo.bar"], 0x7fff8e69a360 /* 26 vars */) = 0
What I’m trying to get at is that the input is probably wrong long before Certbot sees it. What you can do about it is to 1) confirm what the actual input is and 2) fix your input as required.
If you are running a common shell like bash, you can also try
set -o xtrace
and it will print very verbosely what it is running.
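The shell-expansion point made above, shown as an added example that is not code from this thread or from Certbot: DOMAIN and the decoy file name are constructed sample values, and expand_domain_arg, valid_domain_arg and check_certbot_args are hypothetical helpers, not Certbot options.

```shell
#!/bin/sh
# Added example (not from the thread). DOMAIN is a constructed sample value;
# the decoy file name is constructed so that it matches the unquoted glob.
DOMAIN="mydomain.online"

# Print what the word *.$DOMAIN becomes after shell expansion, with or without
# quotes, evaluated in a temp dir that contains one file matching the glob.
# $1 is "quoted" or "unquoted".
expand_domain_arg() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/decoy.$DOMAIN"          # decoy file: matches *.mydomain.online
    if [ "$1" = quoted ]; then
        result=$(cd "$tmp" && printf '%s\n' "*.$DOMAIN")   # no glob expansion
    else
        result=$(cd "$tmp" && printf '%s\n' *.$DOMAIN)     # glob expands to the file name
    fi
    rm -rf "$tmp"
    printf '%s\n' "$result"
}

# Accept a -d value only if it looks like a hostname or a single-label
# wildcard (*.example.org). Returns 0 when acceptable, 1 otherwise.
valid_domain_arg() {
    printf '%s' "$1" | grep -Eq '^(\*\.)?([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'
}

# Walk the -d values of a certbot argument list and fail on the first bad one,
# so a shell-expanded or mistyped identifier never reaches the ACME server.
# Usage: check_certbot_args certonly -d '*.example.org' -d example.org ...
check_certbot_args() {
    while [ $# -gt 0 ]; do
        if [ "$1" = -d ] && [ $# -ge 2 ]; then
            valid_domain_arg "$2" || { echo "bad -d value: $2" >&2; return 1; }
            shift
        fi
        shift
    done
}

echo "quoted   -> $(expand_domain_arg quoted)"
echo "unquoted -> $(expand_domain_arg unquoted)"
```

Run it in any directory: the quoted form always yields the literal *.mydomain.online, while the unquoted form yields whatever file name happened to match.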
It turned out that
-d *.mydomain.online is not valid any more and it should be wrapped in quotes, as you stated, but it’s not about the shell. I’m just confused about what has changed! I was using this command for a long time.
Thank you anyway.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.