Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: glorytoyah.org
I ran this command: sudo certbot certonly --manual -d *.glorytoyah.org -d glorytoyah.org --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01
It produced this output:
File "/usr/lib/python3/dist-packages/requests_toolbelt/_compat.py", line 49, in <module>
    from requests.packages.urllib3.contrib import appengine as gaecontrib
ImportError: cannot import name 'appengine' from 'requests.packages.urllib3.contrib' (/usr/local/lib/python3.8/dist-packages/urllib3/contrib/__init__.py)
My web server is (include version): Tomcat and Apache2
The operating system my web server runs on is (include version): Ubuntu 20.04
My hosting provider, if applicable, is: self
I can login to a root shell on my machine (yes or no, or I don't know): YES
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
File "/usr/lib/python3/dist-packages/requests_toolbelt/_compat.py", line 49, in <module>
    from requests.packages.urllib3.contrib import appengine as gaecontrib
ImportError: cannot import name 'appengine' from 'requests.packages.urllib3.contrib' (/usr/local/lib/python3.8/dist-packages/urllib3/contrib/__init__.py)
Certbot itself does not try to load the appengine module, so that means something else in your Python eco-system on your host is messed up.
You could try the snap option mentioned by Bruce, which indeed is the preferred method according to the Certbot team, or you need to fix the dependencies of your Python eco-system. The latter unfortunately is not within the scope of this Community IMO.
OK, I uninstalled the apt version of certbot and installed it using
sudo snap install --classic
That appears to have installed correctly; the response is
certbot 3.3.0 from Certbot Project (certbot-eff) installed
I then ran sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apache2ctl configtest.
Action 'configtest' failed.
The apache error log may have more information.
apache2: Syntax error on line 225 of /etc/apache2/apache2.conf: Syntax error on line 33 of /etc/apache2/sites-enabled/000-default-le-ssl.conf: Could not open configuration file /etc/letsencrypt/options-ssl-apache.conf: no such file or directory.
So it appears that the 00-default-le-ssl.conf file is missing.
Not sure what creates this file.
No, the file /etc/letsencrypt/options-ssl-apache.conf is missing. Not sure why though. Perhaps the snap version doesn't install it there? I don't have experience with snap myself, so I can't check it here.
It does get installed by the Certbot apache plugin though, which using apt would require a separate install. But it's included in the snap Certbot version already. Not sure where the options-ssl-apache.conf file would come from.
It was created using 00-default.conf as a template by Certbot on a previous Certificate installation.
Well, I followed the instructions to uninstall the certbot APT package and all directories associated with /etc/letsencrypt per the instructions, and now it says that file is missing. Do I need to update certbot snap? "which certbot" returns /snap/bin/certbot.
On my snap install it is in that directory. Just based on the file timestamps I'd say it gets installed the first time you use --apache plugin. Its timestamp is well after the similar one for nginx which I used first.
@HMiles When you deleted /etc/letsencrypt you deleted files used by your active Apache system. I'm not sure what instructions you followed that said to do that. I don't see that described in Certbot's instructions.
You have several options.
One, restore /etc/letsencrypt from backup.
This recreated the files; however, while trying to create a wildcard certificate for *.glorytoyah.org, glorytoyah.org I now get the following error:
certbot.errors.AuthorizationError: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Do I now need to go back to this command?
certbot --apache cannot do the dns-01 challenge required for a wildcard certificate, and the --manual authenticator is highly discouraged due to it not being capable of renewing a certificate automatically.
If you wish, and know the limitations, you could try to combine the apache installer with the manual authenticator, but the above mentioned limitation would still apply: -i apache -a manual.
Is there a way to automatically renew wildcard certificates? The previous command is the only way I was able to make it work in the past. Now that I have gone to snap, I need to know how this is done.
That depends. The easiest method is having a DNS provider which has an API which can be accessed by one of the Certbot DNS plugins, either 'first party' from the Certbot team itself (see User Guide — Certbot 3.3.0 documentation), one of the many third-party DNS plugins you can find using Google, or use certbot-dns-multi, which is a Certbot DNS plugin using the lego ACME library under the hood to provide integration with all the DNS providers lego supports; see GitHub - go-acme/lego: Let's Encrypt/ACME client and library written in Go for an overview.
If your DNS provider does not provide an API or there is no DNS plugin for it, you could perhaps use acme-dns, which is a DNS server specifically built to provide an API for ACME dns-01 challenges. The most secure way is to run an instance on (one of) your own host(s), but there's also the possibility to use an instance run by the author of the application. However, that latter method is inherently insecure: you put all the trust in the person running that acme-dns instance not issuing certificates for your domain(s).
My DNS provider is Network Solutions, which the last time I checked certbot does not have a plugin for. So I have had to do the DNS challenge manually. I will have to research and check if I can use certbot-dns-multi.
As far as I can determine the certbot DNS plugins don't include one for Network Solutions. So it appears I can no longer use Let's Encrypt wildcards if the DNS challenge is not supported?
The "dns challenge" is required for all wildcard certificates, regardless of which method (manual or a proper DNS plugin; both provide the "dns challenge") is used. I'd like to advise you to learn the proper terminology so in the future there is no confusion.
The manual plugin also provides the "DNS challenge", it's just not automatable.
Also, earlier I mentioned acme-dns, which could be a solution regardless of which DNS provider is being used. Alternatively, one could register with Cloudflare (free), use an NS RR to point _acme-challenge to the appropriate Cloudflare nameservers, and use the certbot-dns-cloudflare DNS plugin.
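An added example, not from this thread or from Certbot, showing what the dns-01 challenge discussed above actually requires for the order *.glorytoyah.org plus glorytoyah.org: the TXT value is base64url(SHA-256(token "." account-key-thumbprint)) per RFC 8555, and both identifiers validate under the same record name _acme-challenge.glorytoyah.org, so two TXT values must coexist there (and, with the NS delegation from the last post, be published in the delegated zone). The JWK, tokens and the "plan" helper are constructed for illustration.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT value the CA looks up: base64url(SHA-256(keyAuthorization))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(identifier: str) -> str:
    """A wildcard drops its '*.' label; the record is _acme-challenge.<name> either way."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def plan_dns01_records(tokens_by_identifier: dict, thumbprint: str) -> dict:
    """Group TXT values by the DNS name they must be published under (hypothetical helper)."""
    plan: dict = {}
    for ident, token in tokens_by_identifier.items():
        plan.setdefault(challenge_record_name(ident), []).append(dns01_txt_value(token, thumbprint))
    return plan


# Constructed sample values: not a real account key, not real CA-issued tokens.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key", "alg": "RS256"}
SAMPLE_TOKENS = {"*.glorytoyah.org": "constructed-token-A", "glorytoyah.org": "constructed-token-B"}

if __name__ == "__main__":
    tp = jwk_thumbprint(SAMPLE_JWK)
    for name, values in plan_dns01_records(SAMPLE_TOKENS, tp).items():
        for value in values:
            print(f'{name}. IN TXT "{value}"')  # two TXT records under one name
```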