Error: "Client with the currently selected authenticator does not support..."

My domain is:
multiple domains

I ran this command:
certbot certonly --apache --preferred-challenges http -d '*.domain1.com',domain1.com,'*.domain2.com',domain2.com,'*.domain3.com',domain3.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

My web server is (include version):
Apache/2.4.38 (Debian)

The operating system my web server runs on is (include version):
Debian 10 (Buster)

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site:
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

I have several (unrelated) domains running as virtual hosts on the same IP address. I want to issue a single multi-domain wildcard certificate for all. But I get the above error when I issue the above command.

Help, please?

You’re trying to get a certificate containing a wildcard hostname. Let’s Encrypt currently only supports wildcard certificates through the dns-01 challenge, not any other challenge, including the http challenge you’ve specified.

This is also noted in the FAQ of the Let’s Encrypt documentation: https://letsencrypt.org/docs/faq/

When I specify the dns challenge:

certbot certonly --apache --preferred-challenges dns -d '*.domain1.com',domain1.com,'*.domain2.com',domain2.com,'*.domain3.com',domain3.com

I still get an error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
None of the preferred challenges are supported by the selected plugin

Hi @Zippy1970

--apache doesn't support dns validation. Select a working dns authenticator:

https://certbot.eff.org/docs/using.html

Nope! In Certbot jargon, --apache is an authenticator and --preferred-challenges dns is a challenge type. What’s more, the --apache authenticator does not support the dns challenge type at all—there is no compatibility between them.

By policy, Let’s Encrypt requires the DNS challenge method for wildcard certificates, but not for non-wildcard certificates. However, the Apache authenticator in Certbot works by reconfiguring your local Apache server. Since the Apache server doesn’t control or serve DNS records at all, there’s no way that configuring an Apache server could change the DNS records, so there’s no way that Certbot code that works by modifying Apache configurations can complete this challenge method as expected by the certificate authority for wildcard certificates.
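To illustrate what the DNS challenge described above asks for, here is an added example (not part of the thread and not Certbot's own code) that derives the TXT records a dns-01 validation expects for the names in the original command, following RFC 8555. The tokens and account thumbprint are constructed placeholders; in a real run the CA issues the tokens and the thumbprint comes from the ACME account key.

```python
import base64
import hashlib
from collections import defaultdict

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME (RFC 8555) uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def required_challenge(name: str) -> str:
    """Wildcard names can only be validated with dns-01 (Let's Encrypt policy)."""
    return "dns-01" if name.startswith("*.") else "http-01 or dns-01"

def txt_record_name(name: str) -> str:
    """dns-01 is checked at _acme-challenge.<base>, with a leading '*.' removed."""
    base = name[2:] if name.startswith("*.") else name
    return "_acme-challenge." + base

def txt_record_value(token: str, account_thumbprint: str) -> str:
    """TXT value = base64url(SHA-256(token + '.' + account key thumbprint))."""
    key_authorization = f"{token}.{account_thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def plan(names, tokens, account_thumbprint):
    """Group the TXT values that must be published together under each record name."""
    records = defaultdict(list)
    for name in names:
        value = txt_record_value(tokens[name], account_thumbprint)
        records[txt_record_name(name)].append(value)
    return dict(records)

# Constructed sample input: the names from the thread, with made-up tokens
# and a made-up thumbprint (assumptions, not values issued by any CA).
NAMES = ["*.domain1.com", "domain1.com", "*.domain2.com",
         "domain2.com", "*.domain3.com", "domain3.com"]
TOKENS = {n: f"constructed-token-{i}" for i, n in enumerate(NAMES)}
THUMBPRINT = b64url(hashlib.sha256(b"constructed-account-key").digest())

if __name__ == "__main__":
    for n in NAMES:
        print(f"{n:16} needs {required_challenge(n)}")
    for record, values in plan(NAMES, TOKENS, THUMBPRINT).items():
        print(record, "TXT", values)
```

Each wildcard and its base domain map to the same `_acme-challenge` record name, so the DNS zone has to hold two TXT values at that name at the same time, which is something only software or a person with control of the DNS zone can arrange.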

Ok, I think I’m starting to understand how this works. I need to use one of the DNS plugins in order to get wildcard certificates. All domains are registered at GoDaddy. Am I correct to understand that none of the DNS plugins are for GoDaddy and that I should do manual DNS verification?

Thank you for your patience. :wink:
