Can't use webroot authenticator needed for wildcard domain


#1

I am trying to obtain a certificate using a wildcard on an Amazon EC2 instance with the domain hubsadmin.com. I am able to do it using the manual mode, but that does not allow me to renew the certificate automatically.

I want to be able to install a new certificate using the webroot authentication, so I can renew automatically using a cron. However when I run:

“sudo /home/ec2-user/certbot-auto --authenticator webroot --installer apache --server https://acme-v02.api.letsencrypt.org/directory --webroot-path /var/www/html -d *.hubsadmin.com”

I receive an error:
“Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.”

I believe I have the latest version of certbot installed, but how can I make sure?

I can login to a root shell on my machine YES

What can I do so that this can be renewed automatically?


#2

Hi @hamlethub,

To issue a wildcard certificate you can’t use webroot method, you can only use the DNS method. If you want to automate it you need to use a plugin/script to interact with your DNS servers using an API, in your case you are using route53 dns servers so you could use lexicon plugin to automate it (you will need the right API credentials to interact with route53). You can follow this excellent guide to accomplish this task.

Last certbot-auto version is 0.25.1 and you can check it using --version param:

sudo /home/ec2-user/certbot-auto --version

Good luck,
sahsanu


#3

I just want to point out that a recent PR to Lexicon has broken it and the instructions in that blog post. I’ll open an isue.

In the meantime, you can work around it by putting

/opt/eff.org/certbot/venv/bin/pip install urllib3

in the first few lines of the hook.

Sorry.


#4

Thanks! That solved an issue I was having and was very helpful, In addition you should use auth-access-key and auth-access-secret instead of auth-access and auth-token

/opt/eff.org/certbot/venv/bin/lexicon route53
–auth-access-key=KEY --auth-access-secret=SECRET–auth-username=USERNAME
“$1” “${CERTBOT_DOMAIN}” TXT
–name “_acme-challenge.${CERTBOT_DOMAIN}”
–content “${CERTBOT_VALIDATION}” || exit 255


#5

There is another issue. I am using this method in order to use a wildcard. When you do that, you need to include two domains, -d hubsadmin.com and -d *.hubsadmin.com.

The DNS check is failing due to the wrong TXT record. I believe you need to authorize using the txt record twice, so I it probably using the first one only. Any suggestions how I can get over this? Can I put a delay in the script and get it to pause after it updates the TXT for the second domain?


#6

Yeah :(. The Route53 provider is busted for this usage pattern. I don’t see any straightforward workaround and I’m not sure why it stopped working at some point (did Certbot change the order it calls create & cleanup hooks?).

You might wanna try acme.sh or lego that have a functioning DNS plugin system.

If you want to continue using Certbot, you could try the official http://certbot-dns-route53.readthedocs.io/ , but there’s no reliable way to keep it from getting uninstalled when certbot-auto upgrades itself.


#7

I am using Certbot simply because I am a complete beginner to SSL and I thought it would make the process of obtaining/renewing the certificates easier, but I am starting to think it would be easier without Certbot.

Can I manually add the second domain, and still have the automatic renewal work?


#8

It wouldn’t work unless you issued two separate certificates.

Really, take a look at acme.sh, it’s pretty good: https://github.com/Neilpang/acme.sh/tree/master/dnsapi#1-use-cloudflare-domain-api-to-automatically-issue-cert


#9

Do you know of a good tutorial/article on how to install acme.sh and use for domain wildcards? Thanks!


#10

Installing it should just be a single command: https://github.com/Neilpang/acme.sh/wiki/How-to-install#1-install-from-web-httpsgetacmesh

The project wiki contains instructions for pretty much everything you can think of.


#11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.