Creating Wildcard Cert that includes base domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.turnthelydon.com

I ran this command: acme.sh --issue --webroot ~/public_html -d turnthelydon.com -d *.turnthelydon.com --force --dns

It produced this output: [Sun Jan 3 20:27:29 EST 2021] Domains have changed.
[Sun Jan 3 20:27:29 EST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sun Jan 3 20:27:29 EST 2021] Multi domain='DNS:turnthelydon.com,DNS:.turnthelydon.com'
[Sun Jan 3 20:27:29 EST 2021] Getting domain auth token for each domain
[Sun Jan 3 20:27:31 EST 2021] Getting webroot for domain='turnthelydon.com'
[Sun Jan 3 20:27:31 EST 2021] Getting webroot for domain='
.turnthelydon.com'
[Sun Jan 3 20:27:31 EST 2021] Error, can not get domain token entry *.turnthelydon.com for http-01
[Sun Jan 3 20:27:31 EST 2021] The supported validation types are: dns-01 , but you specified: http-01
[Sun Jan 3 20:27:31 EST 2021] Please add '--debug' or '--log' to check more details.
[Sun Jan 3 20:27:31 EST 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

My web server is (include version): I'm running on NameCheap utilizing bash and acme.sh

My hosting provider, if applicable, is: Namecheap

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I'm using cPanel unsure of version

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): latest version of acme.sh

I was able to create a wildcard for my domain and it works perfectly, however I cannot seem to successfully add the base domain (turnthelydon.com) to the certificate and re-issue. I have created the necessary acme_challenge DNS record and it works when only specifying a single domain. I just cannot for the life of me add a second name with success.

1 Like

Welcome to the Let's Encrypt Community :slightly_smiling_face:

You need two _acme-challenge.turnthelydon.com DNS TXT records with different values. You must use a dns-01 challenge for a wildcard domain name.

Complete Certificate History
2 Likes

So, I need to do two issue commands? One for the wildcard and one for the base domain? Add the records and then run the full issue including both? Something like:

acme.sh --issue --webroot ~/public_html -d turnthelydon.com --dns add domain txt record
acme.sh --issue --webroot ~/public_html -d turnthelydon.com -d *.turnthelydon.com --force --dns

would work? Sorry if it's a stupid question, I've used lets encrypt before, just not with wildcards.

1 Like

Nope. One command is needed, but you must use dns for a wildcard that requires a dns-01 challenge (webroot won't work because it's an http-01 challenge).

2 Likes

So running: acme.sh --issue -d turnthelydon.com -d *.turnthelydon.com --force --dns

returns

[Sun Jan 3 20:43:43 EST 2021] Error, can not get domain token entry *.turnthelydon.com for http-01
[Sun Jan 3 20:43:43 EST 2021] The supported validation types are: dns-01 , but you specified: http-01

I do not see where I'm specifying an http-01 request

1 Like

You're not.

Hmm...

:thinking:

Let me check something... back in a minute...

2 Likes

Try this for me:

acme.sh --issue -d turnthelydon.com -d "*.turnthelydon.com" --force --dns

1 Like

That returns:

[Sun Jan 3 20:49:27 EST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sun Jan 3 20:49:27 EST 2021] Multi domain='DNS:turnthelydon.com,DNS:.turnthelydon.com'
[Sun Jan 3 20:49:27 EST 2021] Getting domain auth token for each domain
[Sun Jan 3 20:49:29 EST 2021] Getting webroot for domain='turnthelydon.com'
[Sun Jan 3 20:49:29 EST 2021] Getting webroot for domain='
.turnthelydon.com'
[Sun Jan 3 20:49:29 EST 2021] Error, can not get domain token entry *.turnthelydon.com for http-01
[Sun Jan 3 20:49:29 EST 2021] The supported validation types are: dns-01 , but you specified: http-01
[Sun Jan 3 20:49:29 EST 2021] Please add '--debug' or '--log' to check more details.
[Sun Jan 3 20:49:29 EST 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

1 Like

Hello @TurnTheLydon,

You must specify a dns plugin to be used by acme.sh, it seems you are using namecheap as your dns provider so please, read carefully the doc to use it with acme.sh, because you need to use a username, an api key and a source ip.

Cheers,
sahsanu

3 Likes

This should let you do dns authentication manually without a plugin:

acme.sh --issue --dns -d turnthelydon.com -d "*.turnthelydon.com"

The recently issued certs are confusing.
crt.sh | %.turnthelydon.com

top-down

  1. apex only
  2. wildcard only [must have used DNS auth]
  3. apex and www [repeat of 7]
  4. same as 3
  5. www only
  6. apex only [same as 1]
  7. apex and www [not from LE]
1 Like

Yeah, I know. I'm sorry, I was just beating my head against the wall trying different combinations prior.

2 Likes

There is a complete staging environment for such cases [testing]

Nevertheless, you managed to get #2 with DNS auth, so you must have some idea on how that was done.
You simply need to do one cert with two names on it (2 DNS changes at the same time).

1 Like

If it is possible I would avoid a manual authentication, he must use one more parameter --yes-I-know-dns-manual-mode-enough-go-ahead-please and the renews must be manual too so it is a pain :wink:

1 Like

I think that parameter is obsolete. But yes, automated is better.

:wink:

Let's start with what you DO have:
/root/.acme.sh/acme.sh --list

1 Like

It isn't :wink:

# acme.sh --version
https://github.com/acmesh-official/acme.sh
v2.8.8

# acme.sh --issue --dns -d turnthelydon.com -d "*.turnthelydon.com"
[lun 04 ene 2021 03:00:49 CET] It seems that you are using dns manual mode. Read this link first: https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode

# acme.sh --issue --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please -d turnthelydon.com -d "*.turnthelydon.com"
[lun 04 ene 2021 03:01:06 CET] Using CA: https://acme-v02.api.letsencrypt.org/directory
[lun 04 ene 2021 03:01:06 CET] Creating domain key
[lun 04 ene 2021 03:01:06 CET] The domain key is here: /root/.acme.sh/turnthelydon.com/turnthelydon.com.key
[lun 04 ene 2021 03:01:06 CET] Multi domain='DNS:turnthelydon.com,DNS:*.turnthelydon.com'
[lun 04 ene 2021 03:01:06 CET] Getting domain auth token for each domain
[lun 04 ene 2021 03:01:10 CET] Getting webroot for domain='turnthelydon.com'
[lun 04 ene 2021 03:01:11 CET] Getting webroot for domain='*.turnthelydon.com'
[lun 04 ene 2021 03:01:11 CET] Add the following TXT record:
[lun 04 ene 2021 03:01:11 CET] Domain: '_acme-challenge.turnthelydon.com'
[lun 04 ene 2021 03:01:11 CET] TXT value: '6Ao4ZDqcAC0JObcpv6RuPXqSBmKRHZN5lgfL8J141Cs'
[lun 04 ene 2021 03:01:11 CET] Please be aware that you prepend _acme-challenge. before your domain
[lun 04 ene 2021 03:01:11 CET] so the resulting subdomain will be: _acme-challenge.turnthelydon.com
[lun 04 ene 2021 03:01:11 CET] Add the following TXT record:
[lun 04 ene 2021 03:01:11 CET] Domain: '_acme-challenge.turnthelydon.com'
[lun 04 ene 2021 03:01:11 CET] TXT value: 'l2pfYxmzuPB6BEjXlzx125J2o_a80Zepl8qqDULufGo'
[lun 04 ene 2021 03:01:11 CET] Please be aware that you prepend _acme-challenge. before your domain
[lun 04 ene 2021 03:01:11 CET] so the resulting subdomain will be: _acme-challenge.turnthelydon.com
[lun 04 ene 2021 03:01:11 CET] Please add the TXT records to the domains, and re-run with --renew.
[lun 04 ene 2021 03:01:11 CET] Please check log file for more details: /root/.acme.sh/acme.sh.log
2 Likes

I was fairly certain that the developer of acme.sh himself recently stated that --yes-I-know-dns-manual-mode-enough-go-ahead-please was obsolete somewhere in this community. I may be wrong. I can't seem to find the reference.

:thinking:

1 Like

The current cert (expires in 23 days) is only for apex and www.

Do you really need a wilcard cert?

[if not, this is quite simple and you've already issued such certs - #3,4]

1 Like

@TurnTheLydon

This seems to be directly related to what you're experiencing:

1 Like