I am trying to obtain a certificate using a wildcard on an Amazon EC2 instance with the domain hubsadmin.com. I am able to do it using the manual mode, but that does not allow me to renew the certificate automatically.
I want to be able to install a new certificate using the webroot authentication, so I can renew automatically using a cron job. However, when I run:
I receive an error:
“Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.”
I believe I have the latest version of certbot installed, but how can I make sure?
I can login to a root shell on my machine: YES
What can I do so that this can be renewed automatically?
To issue a wildcard certificate you can't use the webroot method; you can only use the DNS method. If you want to automate it you need to use a plugin/script that interacts with your DNS servers using an API. In your case you are using Route53 DNS servers, so you could use the lexicon plugin to automate it (you will need the right API credentials to interact with Route53). You can follow this excellent guide to accomplish this task.
The latest certbot-auto version is 0.25.1, and you can check it using the --version param:
Thanks! That solved an issue I was having and was very helpful. In addition, you should use auth-access-key and auth-access-secret instead of auth-access and auth-token.
There is another issue. I am using this method in order to use a wildcard. When you do that, you need to include two domains, -d hubsadmin.com and -d *.hubsadmin.com.
The DNS check is failing due to the wrong TXT record. I believe you need to authorize using the TXT record twice, so it is probably using the first one only. Any suggestions on how I can get over this? Can I put a delay in the script and get it to pause after it updates the TXT for the second domain?
Yeah :(. The Route53 provider is busted for this usage pattern. I don't see any straightforward workaround, and I'm not sure why it stopped working at some point (did Certbot change the order in which it calls the create & cleanup hooks?).
You might want to try acme.sh or lego, which have a functioning DNS plugin system.
If you want to continue using Certbot, you could try the official http://certbot-dns-route53.readthedocs.io/ , but there’s no reliable way to keep it from getting uninstalled when certbot-auto upgrades itself.
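The following is an added example, not code from this thread, from certbot or from lexicon. It illustrates two points made above: a wildcard needs the DNS-01 challenge and can only be automated through the DNS provider's API, and the apex name (hubsadmin.com) and the wildcard (*.hubsadmin.com) both validate through the same TXT name, _acme-challenge.hubsadmin.com, so a hook that writes one value per call overwrites the first token with the second. Route53 solves this only if the hook reads the existing record set and UPSERTs the union of values. The script is a certbot --manual-auth-hook / --manual-cleanup-hook pair; the hosted zone ID coming from a ROUTE53_HOSTED_ZONE_ID environment variable is an assumption, the FakeRoute53 class and the tokenA/tokenB values are constructed so the logic can be exercised offline, and CERTBOT_DOMAIN / CERTBOT_VALIDATION are the variables certbot really sets for manual hooks.

```python
#!/usr/bin/env python3
"""Certbot manual hooks for Route53 that keep BOTH ACME TXT values.

Added example (not from the thread). Assumption: the hosted zone ID is passed in
ROUTE53_HOSTED_ZONE_ID; AWS credentials come from the normal boto3 chain.
"""
import os
import sys

TTL = 60


def challenge_name(domain):
    """TXT name holding the token for `domain`. Apex and wildcard give the SAME
    name, so the record set must carry two values during validation."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base.lower().rstrip(".") + "."


def quote(value):
    """Route53 stores TXT values as quoted strings."""
    return value if value.startswith('"') else '"' + value + '"'


def merge_txt_values(existing, new_value):
    """Add new_value without dropping values already present (dedup, keep order)."""
    merged = list(dict.fromkeys(quote(v) for v in existing))
    if quote(new_value) not in merged:
        merged.append(quote(new_value))
    return merged


def remove_txt_value(existing, old_value):
    return [quote(v) for v in existing if quote(v) != quote(old_value)]


def change_batch(action, name, values, ttl=TTL):
    """UPSERT replaces the whole record set, which is why a hook that writes a
    single value loses the first domain's token."""
    return {"Changes": [{"Action": action, "ResourceRecordSet": {
        "Name": name, "Type": "TXT", "TTL": ttl,
        "ResourceRecords": [{"Value": v} for v in values]}}]}


def find_rrset(client, zone_id, name):
    """Existing TXT record set for `name`, or None."""
    resp = client.list_resource_record_sets(
        HostedZoneId=zone_id, StartRecordName=name, StartRecordType="TXT", MaxItems="1")
    for rrset in resp.get("ResourceRecordSets", []):
        if rrset["Name"] == name and rrset["Type"] == "TXT":
            return rrset
    return None


def submit(client, zone_id, action, name, values, ttl=TTL):
    resp = client.change_resource_record_sets(
        HostedZoneId=zone_id, ChangeBatch=change_batch(action, name, values, ttl))
    # Block until the change is INSYNC on all authoritative name servers.
    client.get_waiter("resource_record_sets_changed").wait(Id=resp["ChangeInfo"]["Id"])


def auth_hook(client, zone_id, domain, validation):
    name = challenge_name(domain)
    rrset = find_rrset(client, zone_id, name)
    existing = [rr["Value"] for rr in rrset["ResourceRecords"]] if rrset else []
    submit(client, zone_id, "UPSERT", name, merge_txt_values(existing, validation))
    return name


def cleanup_hook(client, zone_id, domain, validation):
    name = challenge_name(domain)
    rrset = find_rrset(client, zone_id, name)
    if rrset is None:
        return name
    existing = [rr["Value"] for rr in rrset["ResourceRecords"]]
    remaining = remove_txt_value(existing, validation)
    if remaining:  # the other domain's token may still be under validation
        submit(client, zone_id, "UPSERT", name, remaining, rrset["TTL"])
    else:          # DELETE must match the full existing set exactly
        submit(client, zone_id, "DELETE", name, existing, rrset["TTL"])
    return name


class FakeRoute53:
    """Constructed in-memory stand-in for boto3's route53 client (offline demo)."""
    def __init__(self):
        self.sets = {}

    def list_resource_record_sets(self, HostedZoneId, StartRecordName, StartRecordType, MaxItems):
        rr = self.sets.get((StartRecordName, StartRecordType))
        return {"ResourceRecordSets": [rr] if rr else []}

    def change_resource_record_sets(self, HostedZoneId, ChangeBatch):
        for ch in ChangeBatch["Changes"]:
            rr = ch["ResourceRecordSet"]
            key = (rr["Name"], rr["Type"])
            if ch["Action"] == "DELETE":
                del self.sets[key]
            else:
                self.sets[key] = rr
        return {"ChangeInfo": {"Id": "/change/FAKE"}}

    def get_waiter(self, name):
        return type("W", (), {"wait": lambda self, **kw: None})()


def demo_two_domains():
    """Auth for apex + wildcard, then both cleanups, in the order certbot calls them."""
    c, zone = FakeRoute53(), "ZFAKE"  # constructed zone ID
    name = auth_hook(c, zone, "hubsadmin.com", "tokenA")
    auth_hook(c, zone, "*.hubsadmin.com", "tokenB")
    both = [rr["Value"] for rr in c.sets[(name, "TXT")]["ResourceRecords"]]
    cleanup_hook(c, zone, "hubsadmin.com", "tokenA")
    cleanup_hook(c, zone, "*.hubsadmin.com", "tokenB")
    return both, (name, "TXT") in c.sets


if __name__ == "__main__":
    import boto3  # imported here so the helpers above also run without AWS
    args = (boto3.client("route53"), os.environ["ROUTE53_HOSTED_ZONE_ID"],
            os.environ["CERTBOT_DOMAIN"], os.environ["CERTBOT_VALIDATION"])
    (cleanup_hook if sys.argv[1:] == ["cleanup"] else auth_hook)(*args)
```

Usage: certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/route53_hook.py --manual-cleanup-hook "/path/route53_hook.py cleanup" -d hubsadmin.com -d "*.hubsadmin.com". Certbot records the hook paths in the renewal configuration, so a plain certbot renew from cron reuses them. The IAM credentials the hook runs under need only route53:ListResourceRecordSets and route53:ChangeResourceRecordSets on that one hosted zone plus route53:GetChange (used by the waiter); do not hand a cron job admin-level keys. The official certbot-dns-route53 plugin mentioned above does this merging for you; the script shows what the provider has to get right.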
I am using Certbot simply because I am a complete beginner to SSL and I thought it would make the process of obtaining/renewing the certificates easier, but I am starting to think it would be easier without Certbot.
Can I manually add the second domain, and still have the automatic renewal work?