Cannot generate wildcard cert, with previous cert

antalaron · August 5, 2020, 12:19pm

hi all,

i had previously generated a cert with the following command.

certbot certonly --webroot -w /var/www/letsencrypt/ -d somesubdommain.mydomain.com -d mydomain.com

it generated a cert named somesubdommain.mydomain.com.

it worked perfectly. but we made some changes in our ns, so we can access the api through myauthenticate.sh and mycleanup.sh. they work perfectly on every domain we manage.

but this command on this machine:

certbot certonly --preferred-challenges=dns-01 --manual --manual-auth-hook myauthenticate.sh --manual-cleanup-hook mycleanup.sh -d '*.mydomain.com,mydomain.com' --manual-public-ip-logging-ok

returns the wollowing error:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

on other servers this command (without the previously generated http-01 generated cert) generates the wildcard domain.

i tried deleting the http-01 cert (certbot delete) and generate the dns-01 cert. but the same error was given.

# certbot --version
certbot 0.28.0

stevenzhu · August 5, 2020, 12:30pm

Hi,

Can you try certbot certonly --preferred-challenges dns --manual --manual-auth-hook myauthenticate.sh --manual-cleanup-hook mycleanup.sh -d '*.mydomain.com' -d mydomain.com --manual-public-ip-logging-ok ?
I think -d argument wants one hostname per call... (and the preferred-challenge might be dns instead of dns-01)

antalaron · August 5, 2020, 12:34pm

it works in this form on other domains. but i retried with separate -d s, and dns instead of dns-01 preferred challenge. without any success.

(btw. man certbot says: ACME Challenges are versioned, but if you pick “http” rather than “http-01”, Certbot will select the latest version automatically. and: -d For multiple domains you can use multiple -d flags or enter a comma separated list of domains as a parameter.)

stevenzhu · August 5, 2020, 12:36pm

In this case, can you check what version of certbot other servers are running?
They might be on a higher version...

antalaron · August 5, 2020, 12:37pm

same. and this server generates wildcard perfectly on other domains

stevenzhu · August 5, 2020, 12:40pm

Can you share your debug log located at /var/log/letsencrypt? (Please remove any sensitive entry if necessary, but keep the letsencrypt API url)

antalaron · August 5, 2020, 12:46pm

run with -vvv, superverbose:

Root logging level set at -10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator manual and installer None
Single candidate plugin: * manual
Description: Manual configuration or run your own shell scripts
Interfaces: IAuthenticator, IPlugin
Entry point: manual = certbot.plugins.manual:Authenticator
Initialized: <certbot.plugins.manual.Authenticator object at 0x7f3b6f59e940>
Prep: True
Selected authenticator <certbot.plugins.manual.Authenticator object at 0x7f3b6f59e940> and installer None
Plugins selected: Authenticator manual, Installer None
Picked account: <Account(xxx)>
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 724
Received response:
HTTP 200
Server: nginx
Date: Wed, 05 Aug 2020 12:41:16 GMT
Content-Type: application/json
Content-Length: 724
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "06j4-6EhKn0": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
Obtaining a new certificate
Requesting fresh nonce
Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
Received response:
HTTP 200
Server: nginx
Date: Wed, 05 Aug 2020 12:41:16 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: xxx
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


Storing nonce: xxx
JWS payload:
b'{\n  "identifiers": [\n    {\n      "value": "*.mydomain.com",\n      "type": "dns"\n    },\n    {\n      "value": "mydomain.com",\n      "type": "dns"\n    }\n  ]\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "signature": "xxx",
  "payload": "xxx",
  "protected": "xxx"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 491
Received response:
HTTP 201
Server: nginx
Date: Wed, 05 Aug 2020 12:41:16 GMT
Content-Type: application/json
Content-Length: 491
Connection: keep-alive
Boulder-Requester: 7105090
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/7105090/126865630
Replay-Nonce: xxx
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "ready",
  "expires": "2020-08-12T12:41:16.729773503Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "*.mydomain.com"
    },
    {
      "type": "dns",
      "value": "mydomain.com"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/85648660",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/84354691"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/7105090/126865630"
}
Storing nonce: xxx
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/85648660:
{
  "signature": "xxx",
  "payload": "",
  "protected": "xxx"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/85648660 HTTP/1.1" 200 478
Received response:
HTTP 200
Server: nginx
Date: Wed, 05 Aug 2020 12:41:16 GMT
Content-Type: application/json
Content-Length: 478
Connection: keep-alive
Boulder-Requester: 7105090
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: xxx
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "mydomain.com"
  },
  "status": "valid",
  "expires": "2020-08-29T15:02:53Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/85648660/JgAJPg",
      "token": "xxx",
      "validationRecord": [
        {
          "hostname": "mydomain.com"
        }
      ]
    }
  ],
  "wildcard": true
}
Storing nonce: xxx
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/84354691:
{
  "signature": "xxx",
  "payload": "",
  "protected": "xxx"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/84354691 HTTP/1.1" 200 1022
Received response:
HTTP 200
Server: nginx
Date: Wed, 05 Aug 2020 12:41:17 GMT
Content-Type: application/json
Content-Length: 1022
Connection: keep-alive
Boulder-Requester: 7105090
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: xxx
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "mydomain.com"
  },
  "status": "valid",
  "expires": "2020-08-27T15:09:31Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/84354691/rLOjVw",
      "token": "3kv2MQ9sEwix4lmZ4fiWc4zfsDU0PwV_0xIWTeByHSY",
      "validationRecord": [
        {
          "url": "http://mydomain.com/.well-known/acme-challenge/3kv2MQ9sEwix4lmZ4fiWc4zfsDU0PwV_0xIWTeByHSY",
          "hostname": "mydomain.com",
          "port": "80",
          "addressesResolved": [
            "xxx.xxx.xxx.xxx"
          ],
          "addressUsed": "xxx.xxx.xxx.xxx"
        },
        {
          "url": "https://mydomain.com/.well-known/acme-challenge/3kv2MQ9sEwix4lmZ4fiWc4zfsDU0PwV_0xIWTeByHSY",
          "hostname": "mydomain.com",
          "port": "443",
          "addressesResolved": [
            "xxx.xxx.xxx.xxx"
          ],
          "addressUsed": "xxx.xxx.xxx.xxx"
        }
      ]
    }
  ]
}
Storing nonce: xxx
Performing the following challenges:
dns-01 challenge for mydomain.com
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1340, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1225, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 392, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 335, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 371, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 68, in handle_authorizations
    self._choose_challenges(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 110, in _choose_challenges
    combinations)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 415, in gen_challenge_path
    return _find_smart_path(challbs, preferences, combinations)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 452, in _find_smart_path
    _report_no_chall_path(challbs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 491, in _report_no_chall_path
    raise errors.AuthorizationError(msg)
certbot.errors.AuthorizationError: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

stevenzhu · August 5, 2020, 12:53pm

From the log looks like certbot isn’t following the preferred-challenges flag, can you try to put the flag behind manual? (I know this sounds weird, but that’s actually the last thing i know before tagging a certbot engineer…)
Like this: certbot certonly --manual --manual-auth-hook myauthenticate.sh --manual-cleanup-hook mycleanup.sh -d '*.mydomain.com' -d mydomain.com --preferred-challenges dns --manual-public-ip-logging-ok

antalaron · August 5, 2020, 1:02pm

yes. that was my thought. and maybe beacause we generated a cert with the same domain?

moved the flags but fails with the same error. but for curiosity i completely removed the the preferred challenge, and it made the cert but with these:

Performing the following challenges:
dns-01 challenge for teszteld.hu
http-01 challenge for teszteld.hu

we do not want the http-01 challenge, tho

stevenzhu · August 5, 2020, 1:35pm

I don't think that might be the case, since both challenges should be available for your hostname.

Can you try to see if there's an upgrade to certbot? If not, maybe open an issue at Sign in to GitHub · GitHub ?

(Sorry i couldn't help)

freessltools.com · August 5, 2020, 7:01pm

antalaron:

yes. that was my thought. and maybe beacause we generated a cert with the same domain?

moved the flags but fails with the same error. but for curiosity i completely removed the the preferred challenge, and it made the cert but with these:
Performing the following challenges:
dns-01 challenge for teszteld.hu
http-01 challenge for teszteld.hu
we do not want the http-01 challenge, tho

I would be very curious to see the log from when the challenges succeeded after removing the preference.

I'm rather baffled at why it's using the staging addresses instead of the production addresses. Is this supposed to be for testing the client?

antalaron · August 6, 2020, 12:40pm

no. it is for production

2020-08-05 15:44:10,677:DEBUG:certbot.main:certbot version: 0.28.0
2020-08-05 15:44:10,679:DEBUG:certbot.main:Arguments: ['--manual', '--manual-auth-hook', 'myauthenticate.sh', '--manual-cleanup-hook', 'mycleanup.sh', '-d', '*.mydomain.com', '-d', 'mydomain.com', '--manual-public-ip-logging-ok']
2020-08-05 15:44:10,680:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-08-05 15:44:10,693:DEBUG:certbot.log:Root logging level set at 20
2020-08-05 15:44:10,694:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-08-05 15:44:10,694:DEBUG:certbot.plugins.selection:Requested authenticator manual and installer None
2020-08-05 15:44:10,695:DEBUG:certbot.plugins.selection:Single candidate plugin: * manual
Description: Manual configuration or run your own shell scripts
Interfaces: IAuthenticator, IPlugin
Entry point: manual = certbot.plugins.manual:Authenticator
Initialized: <certbot.plugins.manual.Authenticator object at 0x7f87d5f0f8d0>
Prep: True
2020-08-05 15:44:10,696:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.manual.Authenticator object at 0x7f87d5f0f8d0> and installer None
2020-08-05 15:44:10,697:INFO:certbot.plugins.selection:Plugins selected: Authenticator manual, Installer None
2020-08-05 15:44:10,701:DEBUG:certbot.main:Picked account: <Account(xxx)>
2020-08-05 15:44:10,703:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2020-08-05 15:44:10,709:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2020-08-05 15:44:11,652:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2020-08-05 15:44:11,653:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 05 Aug 2020 13:44:11 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "flsiB0PwSa8": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2020-08-05 15:44:11,672:INFO:certbot.main:Obtaining a new certificate
2020-08-05 15:44:11,806:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0172_key-certbot.pem
2020-08-05 15:44:11,811:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0172_csr-certbot.pem
2020-08-05 15:44:11,812:DEBUG:acme.client:Requesting fresh nonce
2020-08-05 15:44:11,812:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2020-08-05 15:44:11,986:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2020-08-05 15:44:11,987:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 05 Aug 2020 13:44:11 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: xxx
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2020-08-05 15:44:11,987:DEBUG:acme.client:Storing nonce: xxx
2020-08-05 15:44:11,988:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "value": "*.mydomain.com",\n      "type": "dns"\n    },\n    {\n      "value": "mydomain.com",\n      "type": "dns"\n    }\n  ]\n}'
2020-08-05 15:44:11,995:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "xxx",
  "payload": "xxx",
  "signature": "xxx"
}
2020-08-05 15:44:12,327:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 475
2020-08-05 15:44:12,328:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Wed, 05 Aug 2020 13:44:12 GMT
Content-Type: application/json
Content-Length: 475
Connection: keep-alive
Boulder-Requester: 43599418
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/43599418/45474973
Replay-Nonce: xxx
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2020-08-12T13:44:12.206190312Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "*.mydomain.com"
    },
    {
      "type": "dns",
      "value": "mydomain.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/6166871888",
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/6334510034"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/43599418/45474973"
}
2020-08-05 15:44:12,329:DEBUG:acme.client:Storing nonce: xxx
2020-08-05 15:44:12,329:DEBUG:acme.client:JWS payload:
b''
2020-08-05 15:44:12,334:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/6166871888:
{
  "protected": "xxx",
  "payload": "",
  "signature": "xxx"
}
2020-08-05 15:44:12,924:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/6166871888 HTTP/1.1" 200 1016
2020-08-05 15:44:12,925:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 05 Aug 2020 13:44:12 GMT
Content-Type: application/json
Content-Length: 1016
Connection: keep-alive
Boulder-Requester: 43599418
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: xxx-BCJiIYPBTKFZADmPRG1W8I
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "mydomain.com"
  },
  "status": "valid",
  "expires": "2020-08-27T15:09:51Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "valid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/6166871888/7vfQoQ",
      "token": "eZ1EqnTvYEbqfJV3JByaAGcYndX7Lmz467yOl7wf7uo",
      "validationRecord": [
        {
          "url": "http://mydomain.com/.well-known/acme-challenge/eZ1EqnTvYEbqfJV3JByaAGcYndX7Lmz467yOl7wf7uo",
          "hostname": "mydomain.com",
          "port": "80",
          "addressesResolved": [
            "xxx.xxx.xxx.xxx"
          ],
          "addressUsed": "xxx.xxx.xxx.xxx"
        },
        {
          "url": "https://mydomain.com/.well-known/acme-challenge/eZ1EqnTvYEbqfJV3JByaAGcYndX7Lmz467yOl7wf7uo",
          "hostname": "mydomain.com",
          "port": "443",
          "addressesResolved": [
            "xxx.xxx.xxx.xxx"
          ],
          "addressUsed": "xxx.xxx.xxx.xxx"
        }
      ]
    }
  ]
}
2020-08-05 15:44:12,925:DEBUG:acme.client:Storing nonce: xxx-BCJiIYPBTKFZADmPRG1W8I
2020-08-05 15:44:12,926:DEBUG:acme.client:JWS payload:
b''
2020-08-05 15:44:12,931:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/6334510034:
{
  "protected": "xxx",
  "payload": "",
  "signature": "xxx"
}
2020-08-05 15:44:13,140:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/6334510034 HTTP/1.1" 200 383
2020-08-05 15:44:13,142:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 05 Aug 2020 13:44:13 GMT
Content-Type: application/json
Content-Length: 383
Connection: keep-alive
Boulder-Requester: 43599418
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: xxx
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "mydomain.com"
  },
  "status": "pending",
  "expires": "2020-08-12T13:44:12Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/6334510034/F0XzaA",
      "token": "OlD8YQvhfMs4pjr7QaQXbQ0Q9GDUrz5tOLjaqj3ofq4"
    }
  ],
  "wildcard": true
}
2020-08-05 15:44:13,142:DEBUG:acme.client:Storing nonce: xxx
2020-08-05 15:44:13,143:INFO:certbot.auth_handler:Performing the following challenges:
2020-08-05 15:44:13,143:INFO:certbot.auth_handler:http-01 challenge for mydomain.com
2020-08-05 15:44:13,144:INFO:certbot.auth_handler:dns-01 challenge for mydomain.com
2020-08-05 15:44:44,626:INFO:certbot.hooks:Output from myauthenticate.sh:
OK

2020-08-05 15:45:16,037:INFO:certbot.auth_handler:Waiting for verification...
2020-08-05 15:45:16,038:DEBUG:acme.client:JWS payload:
b'{\n  "type": "http-01",\n  "resource": "challenge"\n}'
2020-08-05 15:45:16,041:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/6166871888/7vfQoQ:
{
  "protected": "xxx",
  "payload": "xxx",
  "signature": "xxx"
}
2020-08-05 15:45:16,259:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/6166871888/7vfQoQ HTTP/1.1" 200 759
2020-08-05 15:45:16,261:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 05 Aug 2020 13:45:16 GMT
Content-Type: application/json
Content-Length: 759
Connection: keep-alive
Boulder-Requester: 43599418
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/6166871888>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/6166871888/7vfQoQ
Replay-Nonce: xxx-MJ7jjXjtjSFcLgzMQy0PMpvAa8GKtmIv0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "valid",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/6166871888/7vfQoQ",
  "token": "eZ1EqnTvYEbqfJV3JByaAGcYndX7Lmz467yOl7wf7uo",
  "validationRecord": [
    {
      "url": "http://mydomain.com/.well-known/acme-challenge/eZ1EqnTvYEbqfJV3JByaAGcYndX7Lmz467yOl7wf7uo",
      "hostname": "mydomain.com",
      "port": "80",
      "addressesResolved": [
        "xxx.xxx.xxx.xxx"
      ],
      "addressUsed": "xxx.xxx.xxx.xxx"
    },
    {
      "url": "https://mydomain.com/.well-known/acme-challenge/eZ1EqnTvYEbqfJV3JByaAGcYndX7Lmz467yOl7wf7uo",
      "hostname": "mydomain.com",
      "port": "443",
      "addressesResolved": [
        "xxx.xxx.xxx.xxx"
      ],
      "addressUsed": "xxx.xxx.xxx.xxx"
    }
  ]
}
2020-08-05 15:45:16,261:DEBUG:acme.client:Storing nonce: xxx-MJ7jjXjtjSFcLgzMQy0PMpvAa8GKtmIv0
2020-08-05 15:45:16,263:DEBUG:acme.client:JWS payload:
b'{\n  "type": "dns-01",\n  "resource": "challenge"\n}'
2020-08-05 15:45:16,268:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/6334510034/F0XzaA:
{
  "protected": "xxx",
  "payload": "xxx",
  "signature": "xxx"
}
2020-08-05 15:45:16,486:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/6334510034/F0XzaA HTTP/1.1" 200 184
2020-08-05 15:45:16,487:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 05 Aug 2020 13:45:16 GMT
Content-Type: application/json
Content-Length: 184
Connection: keep-alive
Boulder-Requester: 43599418
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/6334510034>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/6334510034/F0XzaA
Replay-Nonce: xxx-EIczHPMdbBstFiNrYcuX651HdU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "dns-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/6334510034/F0XzaA",
  "token": "OlD8YQvhfMs4pjr7QaQXbQ0Q9GDUrz5tOLjaqj3ofq4"
}
2020-08-05 15:45:16,488:DEBUG:acme.client:Storing nonce: xxx-EIczHPMdbBstFiNrYcuX651HdU
2020-08-05 15:45:19,492:DEBUG:acme.client:JWS payload:
b''
2020-08-05 15:45:19,497:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/6166871888:
{
  "protected": "xxx",
  "payload": "",
  "signature": "xxx"
}
2020-08-05 15:45:19,710:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/6166871888 HTTP/1.1" 200 1016
2020-08-05 15:45:19,711:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 05 Aug 2020 13:45:19 GMT
Content-Type: application/json
Content-Length: 1016
Connection: keep-alive
Boulder-Requester: 43599418
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: xxx-1C_M
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "mydomain.com"
  },
  "status": "valid",
  "expires": "2020-08-27T15:09:51Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "valid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/6166871888/7vfQoQ",
      "token": "eZ1EqnTvYEbqfJV3JByaAGcYndX7Lmz467yOl7wf7uo",
      "validationRecord": [
        {
          "url": "http://mydomain.com/.well-known/acme-challenge/eZ1EqnTvYEbqfJV3JByaAGcYndX7Lmz467yOl7wf7uo",
          "hostname": "mydomain.com",
          "port": "80",
          "addressesResolved": [
            "xxx.xxx.xxx.xxx"
          ],
          "addressUsed": "xxx.xxx.xxx.xxx"
        },
        {
          "url": "https://mydomain.com/.well-known/acme-challenge/eZ1EqnTvYEbqfJV3JByaAGcYndX7Lmz467yOl7wf7uo",
          "hostname": "mydomain.com",
          "port": "443",
          "addressesResolved": [
            "xxx.xxx.xxx.xxx"
          ],
          "addressUsed": "xxx.xxx.xxx.xxx"
        }
      ]
    }
  ]
}
2020-08-05 15:45:19,712:DEBUG:acme.client:Storing nonce: xxx-1C_M
2020-08-05 15:45:19,713:DEBUG:acme.client:JWS payload:
b''
2020-08-05 15:45:19,718:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/6334510034:
{
  "protected": "xxx",
  "payload": "",
  "signature": "xxx"
}
2020-08-05 15:45:19,927:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/6334510034 HTTP/1.1" 200 472
2020-08-05 15:45:19,928:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 05 Aug 2020 13:45:19 GMT
Content-Type: application/json
Content-Length: 472
Connection: keep-alive
Boulder-Requester: 43599418
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: xxx
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "mydomain.com"
  },
  "status": "valid",
  "expires": "2020-09-04T13:45:17Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "valid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/6334510034/F0XzaA",
      "token": "OlD8YQvhfMs4pjr7QaQXbQ0Q9GDUrz5tOLjaqj3ofq4",
      "validationRecord": [
        {
          "hostname": "mydomain.com"
        }
      ]
    }
  ],
  "wildcard": true
}
2020-08-05 15:45:19,928:DEBUG:acme.client:Storing nonce: xxx
2020-08-05 15:45:19,929:DEBUG:certbot.error_handler:Calling registered functions
2020-08-05 15:45:19,930:INFO:certbot.auth_handler:Cleaning up challenges
2020-08-05 15:45:51,001:INFO:certbot.hooks:Output from mycleanup.sh:
OK

2020-08-05 15:46:22,264:DEBUG:certbot.client:CSR: CSR(file='/etc/letsencrypt/csr/0172_csr-certbot.pem', data=b'-----BEGIN CERTIFICATE REQUEST-----\nxxx\n-----END CERTIFICATE REQUEST-----\n', form='pem')
2020-08-05 15:46:22,272:DEBUG:acme.client:JWS payload:
b'{\n  "csr": "xxx",\n  "resource": "new-cert"\n}'
2020-08-05 15:46:22,277:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/finalize/43599418/45474973:
{
  "protected": "xxx",
  "payload": "xxx",
  "signature": "xxx"
}
2020-08-05 15:46:23,330:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/finalize/43599418/45474973 HTTP/1.1" 200 567
2020-08-05 15:46:23,332:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 05 Aug 2020 13:46:23 GMT
Content-Type: application/json
Content-Length: 567
Connection: keep-alive
Boulder-Requester: 43599418
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/43599418/45474973
Replay-Nonce: xxx
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "valid",
  "expires": "2020-08-12T13:44:12Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "*.mydomain.com"
    },
    {
      "type": "dns",
      "value": "mydomain.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/6166871888",
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/6334510034"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/43599418/45474973",
  "certificate": "https://acme-v02.api.letsencrypt.org/acme/cert/xxx"
}
2020-08-05 15:46:23,332:DEBUG:acme.client:Storing nonce: xxx
2020-08-05 15:46:24,334:DEBUG:acme.client:JWS payload:
b''
2020-08-05 15:46:24,338:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/order/43599418/45474973:
{
  "protected": "xxx",
  "payload": "",
  "signature": "xxx"
}
2020-08-05 15:46:24,549:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/order/43599418/45474973 HTTP/1.1" 200 567
2020-08-05 15:46:24,551:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 05 Aug 2020 13:46:24 GMT
Content-Type: application/json
Content-Length: 567
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: xxx
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "valid",
  "expires": "2020-08-12T13:44:12Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "*.mydomain.com"
    },
    {
      "type": "dns",
      "value": "mydomain.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/6166871888",
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/6334510034"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/43599418/45474973",
  "certificate": "https://acme-v02.api.letsencrypt.org/acme/cert/xxx"
}
2020-08-05 15:46:24,551:DEBUG:acme.client:Storing nonce: xxx
2020-08-05 15:46:24,552:DEBUG:acme.client:JWS payload:
b''
2020-08-05 15:46:24,557:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/cert/xxx:
{
  "protected": "xxx",
  "payload": "",
  "signature": "xxx"
}
2020-08-05 15:46:24,769:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/cert/xxx HTTP/1.1" 200 3571
2020-08-05 15:46:24,770:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 05 Aug 2020 13:46:24 GMT
Content-Type: application/pem-certificate-chain
Content-Length: 3571
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/cert/xxx/1>;rel="alternate"
Replay-Nonce: xxx
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----

2020-08-05 15:46:24,770:DEBUG:acme.client:Storing nonce: xxx
2020-08-05 15:46:24,791:DEBUG:certbot.storage:Archive directory /etc/letsencrypt/archive/mydomain.com and live directory /etc/letsencrypt/live/mydomain.com created.
2020-08-05 15:46:24,792:DEBUG:certbot.storage:Writing certificate to /etc/letsencrypt/live/mydomain.com/cert.pem.
2020-08-05 15:46:24,792:DEBUG:certbot.storage:Writing private key to /etc/letsencrypt/live/mydomain.com/privkey.pem.
2020-08-05 15:46:24,792:DEBUG:certbot.storage:Writing chain to /etc/letsencrypt/live/mydomain.com/chain.pem.
2020-08-05 15:46:24,792:DEBUG:certbot.storage:Writing full chain to /etc/letsencrypt/live/mydomain.com/fullchain.pem.
2020-08-05 15:46:24,793:DEBUG:certbot.storage:Writing README to /etc/letsencrypt/live/mydomain.com/README.
2020-08-05 15:46:24,805:DEBUG:certbot.plugins.selection:Requested authenticator manual and installer <certbot.cli._Default object at 0x7f87d29de2e8>
2020-08-05 15:46:24,809:DEBUG:certbot.cli:Var manual_auth_hook=/opt/certbot/myauthenticate.sh (set by user).
2020-08-05 15:46:24,812:DEBUG:certbot.cli:Var manual_cleanup_hook=/opt/certbot/mycleanup.sh (set by user).
2020-08-05 15:46:24,814:DEBUG:certbot.cli:Var manual_public_ip_logging_ok=True (set by user).
2020-08-05 15:46:24,825:DEBUG:certbot.cli:Var authenticator=manual (set by user).
2020-08-05 15:46:24,826:DEBUG:certbot.storage:Writing new config /etc/letsencrypt/renewal/mydomain.com.conf.
2020-08-05 15:46:24,829:DEBUG:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mydomain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mydomain.com/privkey.pem
Your cert will expire on 2020-11-03. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
2020-08-05 15:46:24,829:DEBUG:certbot.reporter:Reporting to user: If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

freessltools.com · August 6, 2020, 5:13pm

Thanks for that.
Unlike your previous output, this was a production run. From this output, it looks like you used the http preference.

system · September 5, 2020, 5:44pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Authenticator and combination of challenges with manual and http Help	3	1004	August 20, 2020
I don't know what I am doing Help	5	881	January 24, 2023
Problem with certbot manual and dns challenge Help	15	4910	August 21, 2020
Wildcard with rfc2136 dns challenge Help	20	7442	June 28, 2018
Generating one certificate for all our subdomains Help	3	4620	August 20, 2022

Cannot generate wildcard cert, with previous cert

Related topics