If I have the domain xxxx.co.uk and this domain contains some subdomains like
A1.xxxx.co.uk, B1.xxxx.co.uk, C1.xxxx.co.uk, ...
how can I create this cert? Via the below command, right?
certbot certonly -d "*.xxxx.co.uk" -d xxxx.co.uk
Hello @amna,
that creates a wildcard certificate with two entries - *.xxx.co.uk and xxx.co.uk.
Do you want this, or do you want 10 explicit certificates?
There are different options with different consequences for using the certificate.
Hi @JuergenAuer,
thanks a lot for your quick reply. As far as I know one certificate can contain 100 names. I'd like to know how to create a certificate for the main domain xxxx.co.uk so I can add a subdomain as a name under the main domain certificate, not as a new certificate.
That is my question, put another way.
You can create a certificate with *.example.com and example.com. So you don't need to list all subdomains in one certificate.
You would need a new certificate with this name.
I am also using a *.example.com certificate. It's easy: I can add a new subdomain, I don't need to create a new certificate.
But: wildcard certificates require ACME v2, available since ~03/2018. So check that your certbot is updated. And: dns-01 is required, so you have to add two DNS entries with the same name _acme-challenge, one with the *-hash, one with the hash of example.com.
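To make the point above concrete (a *.example.com certificate does not cover example.com itself, and the wildcard only spans one label), here is an added example, not code from the thread or from certbot, that checks which hostnames a certificate's subject alternative names cover, using the one-label wildcard rule browsers apply (RFC 6125 section 6.4.3):

```python
"""Check which hostnames a wildcard certificate's SAN list covers.

Wildcard matching rule (RFC 6125 sec. 6.4.3, as browsers and Let's Encrypt
apply it): "*.example.com" matches "a1.example.com" but neither
"example.com" itself nor "x.a1.example.com" (only one label is matched).
"""


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (possibly a wildcard) matches hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname  # non-wildcard names match exactly
    base = pattern[2:]  # "*.example.com" -> "example.com"
    if "*" in base:
        return False  # only a single leading wildcard label is valid
    head, sep, tail = hostname.partition(".")
    # Exactly one non-empty label in front of the base, nothing else.
    return sep == "." and tail == base and head != "" and "*" not in head


def covers(san_names, hostname: str) -> bool:
    """True if any name in the certificate covers the hostname."""
    return any(name_matches(p, hostname) for p in san_names)


def uncovered(san_names, hostnames):
    """Hostnames from the list that the certificate would NOT be valid for."""
    return [h for h in hostnames if not covers(san_names, h)]


if __name__ == "__main__":
    # Constructed sample: the vhosts from the thread plus the bare domain.
    hosts = ["example.com", "a1.example.com", "a2.example.com", "x.a1.example.com"]
    print("wildcard only:", uncovered(["*.example.com"], hosts))
    print("wildcard + base:", uncovered(["*.example.com", "example.com"], hosts))
```

The second call still reports x.a1.example.com as uncovered, which is why a deeper subdomain needs its own name (or its own wildcard) in the certificate.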
Hi JuergenAuer,
how do I set the DNS entry for *.example.com and example.com? Sorry for my bad question, but in my case every vhost may point to a different IP, for example:
A1.example.com is located on server1, so in DNS the entry A1.example.com points to server1_IP
A2.example.com is located on server2, so in DNS the entry A2.example.com points to server2_IP
A3.example.com is located on server3, so in DNS the entry A3.example.com points to server3_IP
A4.example.com is located on server4, so in DNS the entry A4.example.com points to server4_IP
A5.example.com is located on server5, so in DNS the entry A5.example.com points to server5_IP
and so on ...
The IP addresses of your subdomains are irrelevant.
If you want to get a *.example.com + example.com certificate (with two alternate names), you have to create two TXT entries
_acme-challenge.example.com
with two different values.
Depending on your DNS hoster, you may only create two entries
_acme-challenge
because the .example.com is added automatically. And the two values - Certbot may show these.
First use the staging system and create a certificate for *.example.com (without example.com).
Sorry, I didn't get your point. Can you please provide me an example?
Use your first command, but use the test/staging system. There is a Certbot option to use the test system, but I don't use certbot.
@JuergenAuer
Let me clarify what I understood: I can install a wildcard certificate by one of the below.
Option 1
git clone https://github.com/Neilpang/acme.sh.git
cd ./acme.sh
./acme.sh --install
acme.sh --issue -d *.example.com --dns --force
(While running, this step will show me a message to set a DNS entry. Should I set it as below, or should I put the IP of the server? I can't put a specific IP, as each vhost points to a different IP server.
TXT record _acme-challenge
value: "…")
Option 2
certbot -d *.example.com --manual --preferred-challenges dns certonly --server https://acme-v02.api.letsencrypt.org/directory
(While running, this step will show me a message to set a DNS entry. Should I set it as below, or should I put the IP of the server? I can't put a specific IP, as each vhost points to a different IP server.
TXT record _acme-challenge
value: "…")
Please confirm if this is correct, especially the DNS entry part.
I don't understand this. DNS TXT entries don't use the IP address.
And there is no global way; that depends on your DNS provider. My DNS provider has a menu (grouped by domain).
This creates a valid entry for _acme-challenge.mydomain.de
Hi @JuergenAuer,
I have used the below command to issue the wildcard certificate and set the TXT DNS entry for this domain:
./acme.sh --issue -d *.example.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
Now I want to set up the SSL vhost for each domain, but I am not sure how. As far as I know I should do the below
Another question, related to renewal:
can I renew the wildcard certificate via the below cron job?
./acme.sh --issue -d *.example.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew --force
That depends on your server software.
I don't use acme.sh and don't know the options.
No, because it will require manual interaction each time. And you don't want --force in a cron job, as you'll blow the rate limits pretty quickly.
@danb35
What do you mean by manual interaction? You mean every time I renew the certificate, I should change the TXT DNS entry?
Every time you renew the certificate, you have to change the TXT entry.
(Unless you have validated the name recently, but then you'd have no reason to renew.)
What @mnordhoff said, and that you'll have to do it manually. And you're (incorrectly, apparently) telling acme.sh you understand that when you use the "--yes-I-know-dns-manual-mode-enough-go-ahead-please" flag. If you want automatic renewal (which you should), you need to be using a DNS host with a supported API so that the TXT records can be updated by the script.
@danb35
thanks a lot for your reply. So I should enable API calls for the DNS host (I use GoDaddy, "GoDaddy API") and then write a script to automatically change the TXT record?
If you're using GoDaddy for your DNS, you don't need to write anything; acme.sh already supports the GoDaddy API: