Debian 10, wildcard setup/renew without my fingers in the pie

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: example.com

I ran this command: certbot renew --dry-run

It produced this output: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

My web server is (include version): Apache/2.4.38 (Debian)

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is: ME

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot --version: certbot 0.31.0

I have set up and been down the rabbit hole. I maintain my own BIND DNS server (using Xen VMs). I can't find any docs that help to set up automagic cert renewal (I do comment out the TXT record for letsencrypt). Maybe I've just read too much and am making this harder than it needs to be.

Basic Debian stuff: create certs, configure https w/wildcard cert (example.com, *.example.com), redirect all requests to https, no directory listing, renew when due (at the 60 day mark????) without having to monkey w/DNS, or anything for that matter.

How hard can this be with such a simple setup? 10,000ft view is fine, I've been around the block, just want out of this hole ;~)>

AUTOMATION HELP PLEASE.

Hi @fatboy, and welcome to the LE community forum :slight_smile:

When you don't provide all the information requested, it only makes things that much more difficult for anyone to help you with.

If you are "renewing", then it must have worked (in some way) previously.
We should have a look at the renewal config file.

Also, you mention "wildcard" cert, but that isn't something normally found to be automated with:

9 Likes

Not sure what other info is needed, though I provided enough given the configuration.

When time for renewal, I end up doing the dns-challenge thing.

If wildcard isn't something I can automate, so be it, not like I haven't been doing it for a few years, just no fun.

Figured there might be an answer or clue somewhere that could point me in a direction.

With other software, it might be possible.

9 Likes

Is an HTTP challenge with Apache impossible? You say you have a simple setup; I'd think that would also be easy to set up. You can't get a wildcard cert with the HTTP challenge, but was that a convenience or a necessity?

9 Likes

Stepped out of the bed on the wrong side there, Rudy?

That's something OP might not have known initially, the questionnaire was, I think, quite complete.

7 Likes

Might I recommend:

8 Likes

Great question! IS http challenge impossible for WC cert renewal?

If not, a boilerplate renewal config file posted might help.

Doesn't matter what I have, it's either not right or can't happen or I'm chasing ghosts. Simple to just pay $400/yr and mess w/it 1X yr.

No offense, just looking for a clue, if there is one, I'll figure it out at that point.

Not going to allow my txt records to be queried BTW. If that's a limitation no matter the DNS plugin, I won't worry about it.

Again, no offense intended, just thought I'd join and post, see what sticks to the wall. It's all smarter than me apparently ;~)>

You cannot get a wildcard cert with HTTP challenge.

But, a cert can have up to 100 domain names in it. You said you had a simple setup. If you don't have that many domain names perhaps one cert could contain them all? Or, even make several certs for different groups using http challenge.

I don't know what you mean by "Not going to allow my txt records to be queried BTW"
The DNS challenge means the Let's Encrypt server looks at the TXT record at _acme-challenge.(yourdomain). Automating the DNS challenge means using an API to update your DNS records. The method griffin pointed out sounds best given info so far.

If you've been getting a Let's Encrypt wildcard cert the LE system has been querying your TXT record.

9 Likes

Well, that settles that.

Once DNS _acme-challenge is done, I remark, nothing going to happen under-the-covers w/DNS (and cryptic python logs python folks can't even explain - same w/java and a million others the dev ops can't explain). That seems to be a hole I don't want exploited, whatever a hacker is up to.

Obviously not complicated to renew, it just shouldn't need me to get it done IMHO.

What do I know after 25-30 years of linux (hint - so many moving parts, one guy can't stay on top)? After some time, I ping the dev folks for help, usually get a solution - or not.

Not a deal breaker either way, I'll count packets, build kernels or build firewalls, bash, java, php, or other 3 letter .gubmint agency in the techno arena <shrug_no_ego_humble_I'll_do_the_time_to_make_it_work_if needed_and_worth_the_time_;~)>

letsencrypt seems like a good deal, where one is willing/needed to use (self signed expired certs used too, oooh, bad juju, I'd go away if I were you) LOL

Did you read my post above about acme-dns?

:wink:

9 Likes

I did, I'll have a look, seems like some gyrations of mouth holding would take place. Might be a clue in there, if willing to allow 3rd party DNS mods. We shall see.

Thanks!!!

1 Like

I guess I stopped reading after that line.

9 Likes

Who cares what my domain name is that's the target? Has nothing to do with the issue at hand.

scotty-watty-do-do.com, doesn't matter?

I notice, guys like me that have been on the job 20 years, don't create accounts, don't ask questions except under rare exceptions.

Everyone has either a simple solution, it does everything or we re-invented the wheel.

DNS at work has 1,500+ sub domains, 200 VMs and it ALL works without having to work all night fixing broke "stuff", short of major issues (not very often).

Yeah, I'm a lazy sysadmin, don't want anything to break, automate everything.

Then you should look for a DNS system that can be updated via API.
And an ACME client that can work with your O/S and DNS system.

8 Likes
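MikeMcQ's point above (the CA reads the TXT record at `_acme-challenge.<domain>`, and automating that means updating DNS through an API) and rg305's advice (a DNS system updatable via API plus an ACME client that talks to it) fit the original poster's self-hosted BIND setup directly, because BIND's "API" is RFC 2136 dynamic update. The script below is an added example, not code from this thread or from Certbot: a certbot manual auth/cleanup hook that publishes and removes the validation TXT record with `nsupdate`, signed with a TSIG key. The key name `certbot-key`, the key file path `/etc/letsencrypt/certbot-key.conf`, and the server address `127.0.0.1` are assumptions to be adjusted; `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` are the environment variables certbot sets for manual hooks.

```shell
#!/bin/sh
# Added example (not from the thread, not Certbot's own code): certbot manual
# hooks that add/remove the _acme-challenge TXT record in a self-hosted BIND
# zone via RFC 2136 dynamic update (nsupdate) signed with a TSIG key.
#
# Assumed BIND configuration (hypothetical names; least privilege: the key may
# only touch the challenge name's TXT records, nothing else in the zone):
#   key "certbot-key" { algorithm hmac-sha256; secret "<base64 secret>"; };
#   zone "example.com" {
#       ...
#       update-policy { grant certbot-key name _acme-challenge.example.com. TXT; };
#   };
#
# Assumed invocation (one-time issuance; certbot stores the hooks in the
# renewal config so that "certbot renew" reuses them unattended):
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook    '/usr/local/bin/acme-bind-hook.sh auth' \
#     --manual-cleanup-hook '/usr/local/bin/acme-bind-hook.sh cleanup' \
#     -d example.com -d '*.example.com'
set -eu

NS_SERVER="${NS_SERVER:-127.0.0.1}"                            # zone primary
TSIG_KEY_FILE="${TSIG_KEY_FILE:-/etc/letsencrypt/certbot-key.conf}"  # assumed path
TTL=60

# Build the nsupdate batch for adding or deleting one validation TXT record.
# Pure string construction, so it can be inspected without a name server.
# "update add" (not delete-then-add) matters: for example.com plus
# *.example.com certbot runs the hook twice with two different tokens that
# must coexist at the same _acme-challenge name.
build_update_batch() {
    action="$1"; domain="$2"; token="$3"
    case "$action" in
        add)
            printf 'server %s\nupdate add _acme-challenge.%s. %s IN TXT "%s"\nsend\n' \
                "$NS_SERVER" "$domain" "$TTL" "$token" ;;
        delete)
            # Delete only the record carrying this token, leaving any other
            # in-flight validation record alone.
            printf 'server %s\nupdate delete _acme-challenge.%s. IN TXT "%s"\nsend\n' \
                "$NS_SERVER" "$domain" "$token" ;;
        *)
            echo "build_update_batch: unknown action '$action'" >&2; return 1 ;;
    esac
}

# Poll the authoritative server until the record is actually served, so the
# hook does not return before the CA can see the token (up to 60 s).
wait_for_txt() {
    domain="$1"; token="$2"; tries=0
    until dig @"$NS_SERVER" +short TXT "_acme-challenge.$domain" | grep -qxF "\"$token\""; do
        tries=$((tries + 1))
        if [ "$tries" -ge 30 ]; then
            echo "TXT record for _acme-challenge.$domain not visible after 60s" >&2
            return 1
        fi
        sleep 2
    done
}

# Hook entry point: certbot passes "auth" or "cleanup" as our argument and the
# identifier/token in CERTBOT_DOMAIN / CERTBOT_VALIDATION. When sourced or run
# without arguments, only the functions above are defined.
if [ "$#" -gt 0 ]; then
    : "${CERTBOT_DOMAIN:?CERTBOT_DOMAIN not set (run this as a certbot hook)}"
    : "${CERTBOT_VALIDATION:?CERTBOT_VALIDATION not set (run this as a certbot hook)}"
    case "$1" in
        auth)
            build_update_batch add "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" \
                | nsupdate -k "$TSIG_KEY_FILE"
            wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" ;;
        cleanup)
            build_update_batch delete "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" \
                | nsupdate -k "$TSIG_KEY_FILE" ;;
        *)
            echo "usage: $0 auth|cleanup" >&2; exit 2 ;;
    esac
fi
```

Two practical notes on the design: the TSIG `update-policy` grant is what keeps the automation from being the "hole" the original poster worries about, since a leaked key can only write TXT records at the challenge name, not rewrite the zone; and if public-facing secondaries serve the zone, the CA may query them rather than the primary, so either wait for the NOTIFY/AXFR to propagate or point `NS_SERVER` checks at a public nameserver as well. Debian 10 also packages the equivalent logic as the `python3-certbot-dns-rfc2136` plugin for certbot 0.31, which takes the same TSIG key in a credentials file and removes the need for a hand-written hook.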

Unfortunately, 9 times out of 10 - when someone says "this has nothing to do with the problem"...
It only wastes my time and inevitably ends up being a very large part of the problem.
So, I am no doubt very wary of anyone who fails to answer simple questions.
Especially that first question.
Right after being told:

9 Likes

Am I correct in assuming that general Debian solutions will work (mostly) on Ubuntu?

1 Like

Maybe I'm reading too much into the question/statement.
In my experiences on this forum, Debian is often more like Ubuntu than say CentOS.
But there are still differences, and also similarities, amongst all Linux flavors.

That's a very broad umbrella.
Generally speaking: "general solutions" are that.
Solutions fitted to Debian seem to be less than general (to me).
But it remains that there exist solutions applied generally to Debian and which can also be applied elsewhere and thus are NOT specifically fitted to Debian - which could categorize them as "general Debian solutions" as well as just "general solutions".

Did I mention...
Maybe I'm reading too much into the question/statement.

7 Likes

Thank you @rg305. You answered my question.
I've never thought of Ubuntu and CentOS as being alike. I think of the *BSD Unixes as being out of the same stable. And I feel that Debian and Ubuntu are out of the same stable (as each other, not the same one as the *BSD).

1 Like

Kind of my thought also.

2 Likes