Followed the info but got an error

I know it's not ideal. The short certificate lifetime makes manual action tedious. I'll try to tag in someone who has creative ways of working with organizations and entities with specific requirements. I'm not sure if he's around right now, but hopefully he'll see this soon.

@jvanasco

Any thoughts here?

2 Likes

Thanks, because we would like to keep our systems as simple as possible, and renewing 300 user subdomains separately is not an option to us. Not to mention that it is quite a requirement for us to keep all the scripts and daemons in check as we have local users on our systems.

2 Likes

I think the colleague I tagged is exactly the right person to help with this. Since most of us are volunteers here, I don't know if/when he'll be around. He contributes here quite frequently though, so I have good hope. Someone else might come around in the meantime though. I'm not the best expert yet in these scenarios. :pensive:

2 Likes

It is okay, thank you.

3 Likes

How did this work on the previous issuance/renewal?

2 Likes

I did manually, including editing my zone file.

2 Likes

Then you should be able to redo those steps now and get your site secure now.
Once that is fixed, then you will have 90 days to figure out how to automate this.
It is not rocket science - millions of people have done it; and we are here to help you with that.

But I would deal with the real problem first.

3 Likes

@platyna You can also use the certbot-dns-rfc2136 plugin which is just like the nsupdate command.

I also run my own BIND and have used the certbot-dns-rfc2136 plugin without any trouble.

That being said, I do want to add a little bit about your behaviour in this thread. My fellow volunteers are trying to help you in their spare time and reacting with comments like "I don't care if it is interactive or not, I just want it to renew and it doesn't work." aren't helpful. It also seems to indicate a certain lack of knowledge about how Let's Encrypt actually works and how certbot actually works.

And your remark "but giving me link to the list of command line options for certbot (which is not even a version I am using) is not really helpful" suggests you require a spoon-fed solution. However, I'd like to remind you again that, like almost everyone on this Community, @griffin and @rg305 (and me for that matter) are unpaid volunteers just trying to help. So if someone suggests to read command line options (with already having suggested the required two command line options earlier!) I think it would be fit to reply with that in mind. The proper reply would be something like "Thanks, I'll take a look into that!". Now, it feels very, very ungrateful.

5 Likes

Thank you for your suggestion about the plugin.

Please do not post off-topic ad personam trips, I do not appreciate them and I don't want to read them, especially in technical issue threads. Thank you.

It's not intended as an ad hominem, just saying you can catch more flies with honey than with vinegar. For example, your statement just now makes me ignore this thread from now on, even if you might have questions or troubles about the aformentioned plugin. That's all on you :slight_smile: I'm not a help desk employee required to help you, it's my personal choice to help you or not. And I choose not to from now on. Best of luck to you.

3 Likes

I feel so included in that [snippet of a] sentence.
It truly says it all about this entire topic conversation.
And with that, I also say "Good Day to You".

3 Likes

I do not force anyone to reply to my technical issues. Please stop this, this very uncomfortable for me, I prefer to speak about technical issues not feelings or personal issues.

If I am not welcome I may leave. I just need an instruction how to delete my account, because I do not see an option in my profile to so do.

You have it all backwards.
We are the ones not feeling welcomed and we are leaving this topic.
There may be others that will come around to help you - don't give up so quickly.

2 Likes

You can participate or not, no need to inform me about it, and I still have no idea how is that banana picture related to wildcard certificate renewal.

It's not; That's just a "paid political advertisement" - LOL

#ApeStrongTogether

1 Like

I have no idea how it is going to be helpful in this case...

Hi Everyone,

This topic is getting a little bit away from the original request. Please remember to follow our Comunity Guidelines while interacting with each other on the forum.

Specifically keep in mind:

Our Standards

Examples of behavior that contributes to a positive environment for our community include:

  • Demonstrating empathy and kindness toward other people
  • Being respectful of differing opinions, viewpoints, and experiences
  • Giving and gracefully accepting constructive feedback
  • Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
  • Focusing on what is best not just for us as individuals, but for the overall community
4 Likes

A post was split to a new topic: Instructions for renewing ACME wildcard certificates

@platyna, the big challenges for this situation are:

(1) By its policy, the Let's Encrypt CA requires you to use (only) the DNS challenge method for wildcard certificates.

(2) By industry policy, the specific token that you have to post for the DNS challenge will have to be different every time.

That means that you need some way to post new token values in DNS automatically, if you want to use Let's Encrypt and get automated renewals of wildcard certificates. You could also give up on any one of these three things (don't use wildcard certificates, don't use automated renewals, or don't use Let's Encrypt).

I think the rfc2136 method that @Osiris mentioned before is the closest "intended" or "official" way to do automated wildcard certificate renewals with Certbot when you run your own BIND.

If you don't want to make changes to your DNS zones at all, there is one other option: since the challenge validation follows CNAME records, you could also make _acme-challenge.platinum.edu.pl be a CNAME pointing to _acme-challenge in some other domain (it doesn't have to be a subdomain of your domain, and doesn't have to be hosted on the nameserver). In that case, you can update the DNS records elsewhere, on some other DNS server, over that other server's API, and that will be considered valid proof of control for your wildcard renewal. This still requires some configuration work because you still have to configure the Certbot plugin (and find a way to get a DNS zone hosted somewhere else with an API for zone updates), but in that case it wouldn't have to be updates to your own servers, services, or zone files that get made as part of the validation process.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.