Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
I am running CentOS Linux 7.5.1804 (Core)
I'm sure I need wildcard and multiple-domain certificate.
You can’t use the webroot plugin for wildcard certificates, because the webroot plugin uses the http-01 challenge. Only the dns-01 challenge is accepted for wildcard certificates.
Thank you very much for the fast answer!
Is there any other way I can create a wildcard, multi-domain certificate that isn't manual? (because I would like to set up auto-renewal without having to write a dedicated script)
Hi @Osiris
The domains are registered on Aruba, but I'm managing everything directly in Plesk.
I tried using the Plesk plugin (Let's Encrypt plugin), because they recently added wildcards, and I can generate the wildcards for the different domains, but the problem is that I cannot use a proper certificate for the mail server which contains all the domains.
You need the dns-01 challenge. But your command has a lot of -w parameters. These parameters are only used with the http-01 challenge, because this is the path where the challenge file is copied.
So change your command to use only dns-01 (--preferred-challenges) and remove all -w elements.
I understood I cannot use --webroot (that's the reason for the -w), but for dns-01 what should I use? (considering that, as I said, I would like to avoid --manual and I would like to have the multi-domain wildcard certificate)
Hi @JuergenAuer sorry for my ignorance, but I'm new to this kind of stuff.
As I wrote, I'm using Plesk to manage DNS, but I don't know which kind of plugin I should look for.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
None of the preferred challenges are supported by the selected plugin
So apparently I select a plugin (webroot or standalone), but no installer (no idea what this means), and the challenges are not supported (I tried both dns and dns-01, no idea of the difference).
Thank you very much!
Really appreciate your help and the time you're giving me!
dns-01 is a challenge method; you must use dns-01 because you want a wildcard certificate.
So you have to set a DNS entry (type TXT), perhaps manually (_acme-challenge.cannabiswholesales.it). So you may (first, to test and learn it) create a certificate only for the single domain name *.cannabiswholesales.it.
And there is an option --manual.
You should first use the test system (another --server value), because there is a rate limit.
Another important piece of information is that the webroot and standalone authenticators don't support this method (and so can't be used to obtain wildcard certificates).
@JuergenAuer Yep, the Certbot guide is where I learned about --webroot and --standalone, but I missed that they were intended as plugins.
I just read the plugin part and checked everything better.
@schoen ok, so what would be the best way to proceed given my situation? (that supports DNS, wildcard and multi-domain)
I tried manual and it's working; the problem is that I could not set up auto-renewal of the certificate, that's why I'm trying to use other methods.
I just tried --apache, but I had an error:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not choose appropriate plugin: The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('There has been an error in parsing the file /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf on line 242: Syntax error',)
Is this a known issue, or should I manually change the "Atomic Basic ModSecurity" file?
@JuergenAuer Yep, meanwhile I did it with the Let's Encrypt plugin for Plesk just for the main domain and not for the other two, but Plesk allows me to put only one certificate on the mail server and I'm using the mail server for 3 domains, that's why I would like to have a multi-domain certificate.
You're right on the --apache; I realized now that there was a table in the Certbot guide. I saw it is allowed on manual or DNS plugins, which means I have to use an external DNS provider like Cloudflare and install one of those plugins, or do it manually, right?
Does anyone know if there is any plan for Certbot to simplify this procedure? (easy automation for manual or something else that will support multi-domain wildcards)
@jared.m Yep, I saw it could be kinda complex to automate the renewal with the manual plugin, that’s why I was trying to avoid it
Thank you all for the big help, I understood way more!
There is, but it will take just a little bit of work. There's a program called acme-dns that was created just for this purpose by another community member. The way it works is that you set up a CNAME in your main DNS for _acme-challenge (see the acme-dns documentation for specifics), then acme-dns serves the challenge TXT record during the renewal process.
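As an added example (not code from the thread, certbot or the acme-dns project), this is the shape of a certbot --manual-auth-hook that automates the TXT record step described above by pushing the dns-01 value to acme-dns. It assumes acme-dns is reachable at ACMEDNS_URL and that ACMEDNS_CREDS points at a JSON file mapping each _acme-challenge name to the username/password/subdomain that acme-dns /register returned for it; CERTBOT_DOMAIN and CERTBOT_VALIDATION are the variables certbot itself exports to hooks.

```python
"""Certbot --manual-auth-hook that publishes the dns-01 TXT value via acme-dns.

Assumed layout (not from the thread): ACMEDNS_URL is the acme-dns API base
and ACMEDNS_CREDS a JSON file mapping each _acme-challenge name to the
{"username", "password", "subdomain"} that acme-dns /register returned
for it. CERTBOT_DOMAIN and CERTBOT_VALIDATION are exported by certbot.
"""
import json
import os
import sys
import urllib.request


def challenge_name(domain: str) -> str:
    """DNS name the CA queries for the TXT record; '*.x' and 'x' share it."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base.rstrip(".")


def update_payload(creds: dict, name: str, validation: str) -> dict:
    """Body for acme-dns POST /update for the registration that owns `name`."""
    if len(validation) != 43:  # base64url(SHA-256(...)) without padding
        raise ValueError("unexpected dns-01 validation token")
    if name not in creds:
        raise KeyError(f"no acme-dns registration for {name}; CNAME it first")
    return {"subdomain": creds[name]["subdomain"], "txt": validation}


def publish(url: str, creds_entry: dict, payload: dict) -> int:
    """POST the update; acme-dns answers 200 once the TXT value is stored."""
    req = urllib.request.Request(
        url.rstrip("/") + "/update",
        data=json.dumps(payload).encode(),
        headers={"X-Api-User": creds_entry["username"],
                 "X-Api-Key": creds_entry["password"],
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status


if __name__ == "__main__":
    with open(os.environ["ACMEDNS_CREDS"]) as fh:
        registrations = json.load(fh)
    name = challenge_name(os.environ["CERTBOT_DOMAIN"])
    body = update_payload(registrations, name, os.environ["CERTBOT_VALIDATION"])
    code = publish(os.environ["ACMEDNS_URL"], registrations[name], body)
    sys.exit(0 if code == 200 else 1)
```

Certbot calls the hook once per name on the certificate, so a multi-domain wildcard order for example.com and *.example.com produces two calls that both land on _acme-challenge.example.com, and each extra domain needs its own CNAME and registration entry in the credentials file.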