Error when I try to get a multiple-domain wildcard certificate

Hi, my domain is cannabiswholesales.it

I tried using

./certbot-auto certonly --email info@cannabiswholesales.it --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --webroot -w /var/www/vhosts/cannabiswholesales.it -d *.cannabiswholesales.it -w /var/www/vhosts/cannabiswholesales.it -d cannabiswholesales.it -w /var/www/vhosts/mydomain2.it -d *.mydomain2.it -w /var/www/vhosts/mydomain2.it -d mydomain2.it -w /var/www/vhosts/mydomain3.it -d *.mydomain3.it -w /var/www/vhosts/mydomain3.it -d mydomain3.it

and this was the output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

I am running CentOS Linux 7.5.1804 (Core)
I'm sure I need a wildcard and multiple-domain certificate.

Thank you very much!

You can’t use the webroot plugin for wildcard certificates, because the webroot plugin uses the http-01 challenge. Only the dns-01 challenge is accepted for wildcard certificates.

Hi @kmmc

Let's Encrypt allows that; I use such a combination with my own client (*.example.com with the dns-01 challenge, example.com with the http-01 challenge).

Does it work if you use --manual as an option? Or can you use the dns-01 challenge for everything?

1 Like

Thank you very much for the fast answer!
Is there any other way I can create the certificate wildcard for multi-domain which isn’t manual? (because I would like to set the auto renewal without having to write a dedicated script)

Depends on the DNS hosting provider you're using and if they have an API for which a client plugin is written.

Hi @Osiris
The domains are registered on Aruba, but I’m managing everything directly on Plesk.
I tried using the Plesk plugin (Let’s Encrypt plugin), because they recently added wildcards, and I can generate the wildcards for the different domains, but the problem is that I cannot use a proper certificate for the mail server which contains all the domains.

Is there any solution? Am I missing something?

Thank you very much!

You need the dns-01 challenge. But your command has a lot of -w parameters. These parameters are only used with the http-01 challenge, because this is the path to copy the challenge file to.

So change your command to use only dns-01 (--preferred-challenges) and remove all -w elements.

Hi @Juergen

I understood I cannot use --webroot (that’s the reason of the -w), but for dns-01 what should I use? (considering that, as I said, I would like to avoid --manual and I would like to have the multi-domain wildcard certificate)

Thank you! :slight_smile:

You need a DNS provider that has API support. And a plugin, as @Osiris wrote.

Check your DNS provider, then, to see if there are plugins. Perhaps you have to use another client.

But dns-01 should work.

1 Like

...or host your own limited DNS using acme-dns.

Hi @JuergenAuer, sorry for my ignorance, but I'm new to this kind of stuff.
As I wrote, I'm using Plesk to manage DNS, but I don't know which kind of plugins I should look for.

I tried --webroot:

./certbot-auto certonly --preferred-challenges=dns-01 --email info@cannabiswholesales.it --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --webroot -w /var/www/vhosts/cannabiswholesales.it -d *.cannabiswholesales.it -w /var/www/vhosts/cannabiswholesales.it -d cannabiswholesales.it -w /var/www/vhosts/mydomain2.it -d *.mydomain2.it -w /var/www/vhosts/mydomain2.it -d mydomain2.it -w /var/www/vhosts/mydomain3.it -d *.mydomain3.it -w /var/www/vhosts/mydomain3.it -d mydomain3.it

and --standalone:

./certbot-auto certonly --preferred-challenges=dns-01 --standalone --email info@cannabiswholesales.it --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.cannabiswholesales.it -d cannabiswholesales.it -d *.mydomain2.it -d mydomain2.it -d *.mydomain3.it -d mydomain3.it

But I always get the same mistake:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
None of the preferred challenges are supported by the selected plugin

So apparently I select a plugin (webroot or standalone), but no installer (no idea what this means), and the challenges are not supported (I tried both dns and dns-01, no idea what the difference is).

Thank you very much!
Really appreciate your help and the time you're giving me! :slight_smile:

You should have a look there:

dns-01 is a challenge method; you must use dns-01, because you want a wildcard certificate.

So you have to set a DNS entry (type TXT), perhaps manually (_acme-challenge.cannabiswholesales.it). So you may (first, to test and learn it) create a certificate only for one single domain name, *.cannabiswholesales.it

And there is an option --manual

You should first use the test system (another --server value), because there is a rate limit.

1 Like

Another important piece of information is that the webroot and standalone authenticators don't support this method (and so can't be used to obtain wildcard certificates).
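
The rule from the replies above, as an added shell example (not from the thread or from Certbot): a wildcard name can only be validated with dns-01, so an http-01-only authenticator fails on it, and a wildcard shares its `_acme-challenge` TXT name with its base domain. The function names and the example.* domains are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check for a list of -d names before calling certbot.

# Authenticators this thread says cannot do dns-01.
http_only_plugin() {
    case "$1" in
        webroot|standalone|apache) return 0 ;;
        *) return 1 ;;
    esac
}

# DNS name that carries the dns-01 TXT record for one identifier.
# "*.example.com" and "example.com" both map to _acme-challenge.example.com.
challenge_record() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Return 1 and list the blockers if the authenticator cannot validate
# every requested name; return 0 otherwise.
preflight() {
    plugin=$1; shift
    rc=0
    for name in "$@"; do
        case "$name" in
            \*.*)
                if http_only_plugin "$plugin"; then
                    echo "BLOCKED $name: wildcard needs dns-01, $plugin only does http-01"
                    rc=1
                fi ;;
        esac
    done
    return $rc
}

# Unique TXT record names needed when every name is validated over dns-01.
txt_records() {
    for name in "$@"; do challenge_record "$name"; done | sort -u
}

# Constructed sample run: three domains, each with its wildcard.
preflight webroot '*.example.com' example.com '*.example.net' example.net \
                  '*.example.org' example.org || true
txt_records '*.example.com' example.com '*.example.net' example.net \
            '*.example.org' example.org
```

Six names produce only three TXT record names, so each of those names has to hold two TXT values at the same time during issuance.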

@JuergenAuer Yep, the Certbot guide is where I learned about --webroot and --standalone, but I missed that they were intended as plugins.
I just read the plugin part and checked everything better.

@schoen OK, so what would be the best way to proceed given my situation? (One that supports DNS, wildcard and multi-domain.)

I tried manual and it's working, the problem is that I could not put the auto-renewal of the certificate, that's why I'm trying to use other methods.

I just tried --apache, but I had an error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not choose appropriate plugin: The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('There has been an error in parsing the file /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf on line 242: Syntax error',)
The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('There has been an error in parsing the file /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf on line 242: Syntax error',)

Is it something known, or should I manually change the "Atomic Basic ModSecurity" file?

You already have a wildcard certificate: https://www.cannabiswholesales.it/

Valid from Monday, 2018-07-23. How did you create that? How did you create the required DNS entry?

You can't use --apache, because you need to use dns-01 validation, not http-01 validation.

1 Like

Note, you could use -i apache -a manual (or any other supported plugin for DNS authentication), so that it will still use the Apache installer.

As for automating this, it really comes down to how you have your DNS set up. It can range from "very easy" to "kinda complex".

1 Like

@JuergenAuer Yep, meanwhile I did it with the Let’s Encrypt plugin for Plesk just for the main domain and not for the other two, but Plesk allows me to put only one certificate on the mail server and I’m using the mail server for 3 domains; that’s why I would like to have a multi-domain certificate.

You’re right about --apache; I realized now that there was a table in the Certbot guide. I saw it is allowed with the manual or DNS plugins. It means I have to use an external DNS provider like Cloudflare and install one of those plugins, or do it manually, right?
Does someone know if there is any plan for Certbot to simplify this procedure? (Easy automation for manual, or something else that will support multi-domain wildcards.)

@jared.m Yep, I saw it could be kinda complex to automate the renewal with the manual plugin, that’s why I was trying to avoid it :joy: :sweat_smile:

Thank you all for the big help, I understood way more! :slight_smile:

There is, but it will take just a little bit of work. There's a program called acme-dns that was created just for this purpose by another community member. The way it works is that you set up a CNAME in your main DNS for _acme-challenge (see the acme-dns documentation for specifics), then acme-dns serves the challenge TXT record during the renewal process.

2 Likes
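
One way to wire the acme-dns approach described above into unattended renewal, as an added example (not from the thread, Certbot or acme-dns): a script for Certbot's `--manual-auth-hook` that pushes the validation value to an acme-dns server's `/update` endpoint. The server URL, the credentials file path and its one-line-per-domain format are assumptions of this sketch.

```shell
#!/bin/sh
# certbot --manual-auth-hook: publish the dns-01 value through acme-dns.
# Assumed credentials file, one line per base domain (keep it root-only):
#   <base domain> <acme-dns subdomain> <username> <api key>
ACMEDNS_URL=${ACMEDNS_URL:-https://auth.example.org}   # placeholder server
ACMEDNS_CREDS=${ACMEDNS_CREDS:-/etc/letsencrypt/acmedns.creds}

# Print "subdomain username key" for a domain; a leading "*." is ignored
# because the wildcard and its base name share one _acme-challenge record.
lookup_creds() {
    awk -v d="${1#\*.}" \
        '$1 == d { print $2, $3, $4; found = 1; exit } END { exit !found }' \
        "$ACMEDNS_CREDS"
}

# A dns-01 TXT value is base64url(SHA-256(key authorization)): exactly
# 43 characters from [A-Za-z0-9_-]. Reject anything else before it is
# placed into the JSON body.
valid_token() {
    [ "${#1}" -eq 43 ] || return 1
    case "$1" in *[!A-Za-z0-9_-]*) return 1 ;; esac
    return 0
}

# JSON body for the acme-dns /update call.
update_payload() {
    printf '{"subdomain":"%s","txt":"%s"}' "$1" "$2"
}

# Runs only when certbot invokes the hook (it exports both variables).
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    valid_token "$CERTBOT_VALIDATION" ||
        { echo "unexpected validation value" >&2; exit 1; }
    creds=$(lookup_creds "$CERTBOT_DOMAIN") ||
        { echo "no acme-dns account for $CERTBOT_DOMAIN" >&2; exit 1; }
    set -- $creds   # $1 subdomain, $2 username, $3 api key
    # Headers go through stdin so the API key never appears in argv.
    printf 'header = "X-Api-User: %s"\nheader = "X-Api-Key: %s"\n' "$2" "$3" |
        curl -fsS -K - -H 'Content-Type: application/json' \
             -d "$(update_payload "$1" "$CERTBOT_VALIDATION")" \
             "$ACMEDNS_URL/update"
fi
```

The hook is passed with `--manual --preferred-challenges dns --manual-auth-hook <path>`, and it only helps once each domain's `_acme-challenge` name is a CNAME to its acme-dns subdomain, as the post above describes.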

Yes, this is the next step.

Reading this list

https://certbot.eff.org/docs/using.html#certbot-commands

Certbot supports a lot of DNS APIs.

1 Like
