Error creating new order


#1

I wanted to use a wildcard for my site, so I used the command below.

My domain is: zokcate.com

I ran this command: ./certbot-auto certonly --webroot -w /var/www/html/ -d zokcate.com -d www.zokcate.com -d *.zokcate.com

It produced this output: An unexpected error occurred:
The request message was malformed :: Error creating new order :: Domain name “www.zokcate.com” is redundant with a
wildcard domain in the same request. Remove one or the other from the certificate request.
Please see the logfiles in /var/log/letsencrypt for more details.
IMPORTANT NOTES:

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

My web server is (include version): LAMP

The operating system my web server runs on is (include version): Debian 9.5

My hosting provider, if applicable, is: google cloud

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi,

Since you’ve already included a wildcard in your domain, why do you want to include the www?

(The www is included in the *…)

Also, wildcard domains can only be obtained through dns-01 validation. Hence it would throw an error even after this command is corrected.

Corrected command:
./certbot-auto certonly --webroot -w /var/www/html/ -d zokcate.com -d *.zokcate.com

Thank you

P.S. if your registrar does not support DNS via API, you should use ./certbot-auto certonly --manual -d zokcate.com -d *.zokcate.com


#3

Hi Stevenzhu,

Thanks for replying so quick.

Yes, you are right. I even tried removing the www.zokcate.com and tried the following command:
./certbot-auto certonly --webroot -w /var/www/html/ -d zokcate.com -d *.zokcate.com
but then I got this error:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

I will try with the above command.
Thanks


#4

Hi,

As per your suggestion, when I run this command: ./certbot-auto certonly --webroot -w /var/www/html/ -d webzate.com -d *.webzate.com

I get this error:
-bash: syntax error near unexpected token `('

and when I run the following command: ./certbot-auto certonly --webroot -w /var/www/html/ -d webzate.com -d *.webzate.com

I get this error:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.


#5

Hi,

Apologies for the command thing… I did a copy & paste while using my phone… and apparently it doesn't work out…

If you want to use DNS Validation, there are two options…

If your DNS provider supports automated validation (API access) and an ACMEv2 client supports it, you could use those clients.

If not, you could just run the command ./certbot-auto certonly --manual -d zokcate.com -d '*.zokcate.com', for which you would need to manually add the required DNS entry to your DNS zone, and you can't renew automatically. (quote added according to @Osiris's suggestion)

Thank you


#6

In bash, asterisks ("*") need to be enclosed in single quotes (') to use the symbol literally. Otherwise, bash will see it as its own wildcard symbol and try to parse it.

Also, you can't use the --webroot authenticator for wildcard hostnames. Use the dns-01 challenge with either the manual plugin (which needs scripts for automated renewal, see Pre and Post Validation Hooks for more info about that) or use one of the DNS plugins for certbot. Unfortunately, those plugins aren't installed (yet?) when using certbot-auto.
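The quoting point above, as an added example that is not part of the thread: it shows the argument list certbot would actually receive with and without the single quotes. The scratch directory and the file name in it are constructed; the file exists only to make the glob match.

```shell
#!/bin/sh
# Added example (not from the thread): why an unquoted *.zokcate.com is unsafe.
# An unquoted asterisk is a pathname glob. If any file in the current directory
# matches, the shell replaces the pattern with the file name before certbot runs;
# if nothing matches, bash passes the pattern through unchanged, so the same
# command can work in one directory and silently request the wrong name in another.

# Print each argument on its own line, which is how certbot sees its argv.
show_args() {
    for a in "$@"; do printf '%s\n' "$a"; done
}

# Create a scratch directory holding one constructed file that matches the glob.
make_scratch() {
    dir=$(mktemp -d)
    : > "$dir/www.zokcate.com"
    printf '%s\n' "$dir"
}

# The thread's original form: the asterisk is exposed to glob expansion.
unquoted_argv() {
    ( cd "$1" && show_args -d *.zokcate.com )
}

# The corrected form: single quotes keep the literal asterisk.
quoted_argv() {
    ( cd "$1" && show_args -d '*.zokcate.com' )
}

scratch=$(make_scratch)
echo "unquoted, with a matching file present:"
unquoted_argv "$scratch"      # -d / www.zokcate.com  (wrong name requested)
echo "quoted, same directory:"
quoted_argv "$scratch"        # -d / *.zokcate.com    (wildcard reaches certbot)
rm -rf "$scratch"
```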


#7

The command you provided worked for me:
./certbot-auto certonly --manual -d zokcate.com -d '*.zokcate.com'

The output was to create a file and make it accessible under .well-known… I completed that and continued, and then the message was to create a DNS TXT record, so I just created a TXT record _acme-challenge.zokcate.com and added the value from the output. It asked me to verify the record before continuing, so when I try to visit _acme-challenge.zokcate.com nothing loads.

Did I make any mistake?

Also, before running the above command I had used this command:
wget https://dl.eff.org/certbot-auto && chmod a+x certbot-auto

Will I be able to access or see any value if I visit _acme-challenge.zokcate.com, or should I just ignore it and continue with the setup?

Please correct me if I made any mistake.

Thanks


#8

The TXT record isn't something to surf to with a web browser. You'll need to use a DNS client like dig to check it. You can use online tools for this, such as https://toolbox.googleapps.com/apps/dig/#TXT/

It seems your TXT record hasn't been added properly or you've removed it again; I'm getting an rcode NXDOMAIN as the answer.

Does your domain zokcate.com even exist? I can’t get any DNS record for it, not even an A record for the bare domain or the www hostname…


#9

Hi Osiris,

I deleted the zokcate.com entry; it was for testing purposes.

My production site is webzate.com, and I have followed all the commands with this domain. I have attached a screenshot of the TXT record DNS of webzate.com.

When I dig I see only these results:
id 35555
opcode QUERY
rcode NOERROR
flags QR RD RA
;QUESTION
webzate.com. IN TXT
;ANSWER
;AUTHORITY
webzate.com. 3 IN SOA ns-cloud-e1.googledomains.com. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300
;ADDITIONAL


#10

It works:

id 5849
opcode QUERY
rcode NOERROR
flags QR RD RA
;QUESTION
_acme-challenge.webzate.com. IN TXT
;ANSWER
_acme-challenge.webzate.com. 299 IN TXT "S8iQmL62aMPn_Sp7ftSBZVX3nvZUKzpYVu1OlSmG1Ko"
;AUTHORITY
;ADDITIONAL

You have to request the whole hostname, including the _acme-challenge part.
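A check for the situation in the last few posts, added here and not part of the thread: it queries the full _acme-challenge name (not the bare domain, which is the mistake in #9) and compares the TXT value with the token certbot printed, so you can confirm the record before pressing Enter. It assumes dig is installed; the sample answer is constructed to mirror the record quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): verify the dns-01 TXT record before
# telling certbot --manual to continue.

# Normalise `dig +short TXT` output read from stdin: strip the surrounding
# quotes and join multi-string records ("abc" "def" -> abcdef), one value per line.
txt_values() {
    sed -e 's/^"//' -e 's/"$//' -e 's/" "//g'
}

# Exit 0 if EXPECTED appears as a whole value in the dig output on stdin.
# An empty answer (NXDOMAIN, record not yet published) yields a non-zero status.
has_txt_value() {
    expected=$1
    txt_values | grep -Fqx -- "$expected"
}

# Look up the challenge record for DOMAIN and compare it with TOKEN.
# The queried name must be _acme-challenge.DOMAIN, not DOMAIN itself.
check_acme_txt() {
    domain=$1
    token=$2
    dig +short TXT "_acme-challenge.$domain" | has_txt_value "$token"
}

# Constructed sample answer, shaped like the record shown in the thread.
SAMPLE_ANSWER='"S8iQmL62aMPn_Sp7ftSBZVX3nvZUKzpYVu1OlSmG1Ko"'
SAMPLE_TOKEN='S8iQmL62aMPn_Sp7ftSBZVX3nvZUKzpYVu1OlSmG1Ko'

if printf '%s\n' "$SAMPLE_ANSWER" | has_txt_value "$SAMPLE_TOKEN"; then
    echo "sample answer: token present"
fi

# Real use: ./check.sh webzate.com <token printed by certbot>
if [ $# -eq 2 ]; then
    if check_acme_txt "$1" "$2"; then
        echo "_acme-challenge.$1 carries the expected token; safe to continue"
    else
        echo "_acme-challenge.$1 does not (yet) carry the expected token"
    fi
fi
```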


#11

Hi Osiris,

Thanks for helping. I have successfully configured the SSL on my server and it works; however, it shows the SSL is valid only for 90 days. Can you please help me understand how to renew my SSL after 90 days?

Thank you all.


#12

Hi,

After 90 days, you would need to execute the command again… and set the TXT record again:
./certbot-auto certonly --manual -d zokcate.com -d '*.zokcate.com'

Thank you


#13

Unfortunately, you’ll need to do this manually indeed as there still isn’t a solution on how to install extra plugins to certbot-auto.

