Changing from DNS to HTTP authentication

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bmp.ie + thinkpeople.co.uk

I ran this command: sudo certbot certonly -d $DOMAIN -d $WILDCARD --manual --preferred-challenges http

It produced this output: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

My web server is (include version): Apache 2.4.46

The operating system my web server runs on is (include version): Linux Debian 4.19.160-2 (2020-11-28)

My hosting provider, if applicable, is: AWS Lightsail

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, terminal

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0


I have this website and another running on Lightsail that are both due for renewal, thinkpeople.co.uk has already expired. Both are currently using DNS for authentication but I do not have direct access to their DNS and have to contact the client's IT people each time which is not ideal. I have read I can instead place a file in the server's root which would be more appropriate in this situation and so I want to change from using TXT records to this instead.

As per above I have tried what commands I have found but have had no success on either site. Any help is much appreciated. Thanks.

Hi @mrsnooch

you can't.

You use a wildcard certificate *.thinkpeople.co.uk.

Wildcard certificate -> dns validation is required.

Check, if you really need a wildcard.

If not, then create a new non-wildcard certificate.

Thanks for quick reply.

You're right, I don't need a wildcard for either domain.

What are my options other than DNS?

Use the http-01 challenge for a set of hostnames not containing a wildcard hostname.

See the Getting certificates (and choosing plugins) of the certbot documentation for choosing a plugin supporting the http-01 challenge, such as the apache plugin or, if you really don't want certbot temporarily modifying your Apache configuration, the webroot plugin.

So I used http before your reply, and it proceeded beyond where I was getting stuck before, asking me to create a file containing an alphanumerical string and place it in the .well-known\acme-challenge\ folder, which I believe I did successfully - I did visit the URL where the file should be visible and indeed it was, and the process accepted this as per below:

Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/thinkpeople.co.uk-0001/fullchain.pem
    Your key file has been saved at:

I then restarted the ctlscript.sh but still the site shows as insecure. Have I missed something?

Certonly doesn't install the certificate.

This stands out:

Was your previous certificate also in a -0001 directory? Please check:

certbot certificates

for your currently saved certificates in certbot.

You probably used --manual again which usually is not necessary with the http-01 challenge.

You might want to run:

certbot --apache -d $DOMAIN --keep

To use the apache plugin while keeping the existing certificate and hope it will update your Apache configuration to point to the correct certificate.


Hi Osiris,

I actually noticed that myself after sending. You're correct, the new cert seems to have appended 0001 to the end and created a separate cert, so now I have 2, one expired (non-0001) and one valid (0001).

Found the following certs:
Certificate Name: thinkpeople.co.uk-0001
Domains: thinkpeople.co.uk
Expiry Date: 2021-07-31 16:36:55+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/thinkpeople.co.uk-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/thinkpeople.co.uk-0001/privkey.pem
Certificate Name: thinkpeople.co.uk
Domains: thinkpeople.co.uk *.thinkpeople.co.uk
Expiry Date: 2021-05-02 15:29:31+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/thinkpeople.co.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/thinkpeople.co.uk/privkey.pem

Having run your suggested command, apparently I do not have that apache plugin installed?

bitnami@ip-172-26-14-44:~$ sudo certbot --apache -d $DOMAIN --keep
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The requested apache plugin does not appear to be installed

Thanks for your ongoing help
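To make the two points above concrete (a wildcard name forces dns-01, and a `-0001` lineage is a second, separate certificate sitting next to the old one), here is a small added Python check that is not part of this thread or of certbot itself; it parses `certbot certificates` output and reports, per lineage, whether http-01 can renew it, whether it has expired, and whether it duplicates an older lineage. The sample text is constructed from the output posted above.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the `certbot certificates` output in the thread
# (paths omitted; the parser ignores keys it does not need).
SAMPLE = """\
Found the following certs:
  Certificate Name: thinkpeople.co.uk-0001
    Domains: thinkpeople.co.uk
    Expiry Date: 2021-07-31 16:36:55+00:00 (VALID: 89 days)
  Certificate Name: thinkpeople.co.uk
    Domains: thinkpeople.co.uk *.thinkpeople.co.uk
    Expiry Date: 2021-05-02 15:29:31+00:00 (INVALID: EXPIRED)
"""

def parse_certificates(text):
    """Parse `certbot certificates` output into a list of lineage dicts."""
    certs = []
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Certificate Name":
            certs.append({"name": value, "domains": [], "expiry": None})
        elif key == "Domains" and certs:
            certs[-1]["domains"] = value.split()
        elif key == "Expiry Date" and certs:
            # strip the trailing "(VALID: 89 days)" / "(INVALID: EXPIRED)" note
            certs[-1]["expiry"] = datetime.fromisoformat(value.split(" (")[0])
    return certs

def review(text, now_iso=None):
    """Per lineage: can http-01 renew it, is it expired, is it a -NNNN duplicate?"""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    certs = parse_certificates(text)
    names = {c["name"] for c in certs}
    report = {}
    for c in certs:
        # certbot appends -0001, -0002, ... when a new request does not match an
        # existing lineage's exact domain set, leaving two lineages side by side.
        m = re.fullmatch(r"(.+)-\d{4}", c["name"])
        report[c["name"]] = {
            # any wildcard name forces dns-01; a plain hostname set can use http-01
            "http01_ok": not any(d.startswith("*.") for d in c["domains"]),
            "expired": c["expiry"] is not None and c["expiry"] <= now,
            "duplicate_of": m.group(1) if m and m.group(1) in names else None,
        }
    return report

if __name__ == "__main__":
    for name, facts in review(SAMPLE).items():
        print(name, facts)
```

Run it against real output with `certbot certificates | python3 check.py` after replacing `SAMPLE` with `sys.stdin.read()`; a lineage flagged `duplicate_of` is the one whose path the web server config still has to be switched to.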

Ah, well, no.. Also, I see you're using bitnami, which is a rather strange odd-ball out there. I have absolutely zero, 0, nada experience with that and I'm hesitating to even guide you further with that. Bitnami feels more like a, well.., sort of minefield among software.. Chances of breaking something are rather large. It also has Apache installed in a non-standard place, so the certbot apache plugin wouldn't even know how to handle it.

You might try to use the webroot plugin. Check out the certbot documentation I linked above for how it works. You'd need to figure out the actual webroot path used by your bitnami Apache stack though, as it is probably just as non-standard as the rest of bitnami.


Okay thank you, I appreciate your help thus far!