Getting wildcard certificates with Certbot

If you want to obtain a wildcard certificate using Let’s Encrypt’s new ACMEv2
server, you’ll also need to use one of Certbot’s DNS plugins. Your Certbot version must be at least 0.22.0.

If you’re on CentOS/RHEL 7, Arch Linux, or Fedora 26+, you can install the appropriate Certbot DNS plugin for your DNS provider, as described below. Particular instructions for each provider can be found at certbot.eff.org. If you’re not on one of these distros and want a wildcard certificate ASAP, you have two options: install packages using Docker or use Certbot’s manual plugin.

Docker is an amazingly simple and quick way to obtain a certificate. However, this mode of operation is unable to install certificates or configure your webserver, because Certbot’s installer plugins cannot reach your webserver from inside the Docker container.

Alternatively, the manual plugin can be used outside of a Docker image, and therefore interact with webservers to install the certificates, but it cannot be used to automatically renew the certificates.

Either way, for now you’ll need to add the --server flag to specify the new endpoint:

--server https://acme-v02.api.letsencrypt.org/directory

Note: 0.22.0 users should not attempt to use --dry-run or --staging, as these flags tell Certbot to use the ACMEv1 staging endpoint. This was fixed for 0.22.1+.

Option 1: Run Certbot in Docker

We recommend reading the full instructions, available here: https://certbot.eff.org/docs/install.html#running-with-docker

In short, there are Docker images for each of Certbot’s DNS plugins available at https://hub.docker.com/u/certbot which automate doing domain validation over DNS for popular providers.

Information about specific DNS plugins can be found here: https://certbot.eff.org/docs/using.html#dns-plugins

Option 2: Use the manual plugin

You can install the manual plugin using certbot-auto:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

certbot-auto accepts the same flags as certbot; it installs all of its own dependencies and updates the client code automatically.

Then, the command to use the manual plugin will look something like this:

./certbot-auto certonly --manual -d '*.example.com' -d example.com --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Make certain that certbot-auto isn’t being run with --no-self-upgrade, so that the latest version is fetched.

8 Likes
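The post above lists three prerequisites for a wildcard request: a Certbot of at least 0.22.0, the ACMEv2 --server flag, and no --dry-run/--staging on exactly 0.22.0. The wrapper below, an added example that is neither from the post nor from the Certbot project, enforces those three checks before handing the arguments to Certbot. It assumes that `certbot --version` prints a line of the form "certbot X.Y.Z" and takes the binary from $CERTBOT (default `certbot`; set it to `./certbot-auto` when using that).

```shell
#!/bin/sh
# Added example, not code from the original post or from the Certbot project.
# Enforces the prerequisites the post lists before running a wildcard request:
# Certbot >= 0.22.0, the ACMEv2 --server flag, and no --dry-run/--staging on
# exactly 0.22.0 (where those flags selected the ACMEv1 staging endpoint).
# Assumption: `certbot --version` prints "certbot X.Y.Z"; the binary comes
# from $CERTBOT (default "certbot"; use ./certbot-auto if that is what you run).

ACMEV2_DIRECTORY=https://acme-v02.api.letsencrypt.org/directory
CERTBOT=${CERTBOT:-certbot}

# version_ge A B: succeed if dotted version A is >= B, compared per component.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      ai = (i <= n) ? x[i] + 0 : 0
      bi = (i <= m) ? y[i] + 0 : 0
      if (ai > bi) exit 0
      if (ai < bi) exit 1
    }
    exit 0
  }'
}

# Read the version out of `certbot --version` (old releases print it on
# stderr, hence 2>&1).
certbot_version() {
  "$CERTBOT" --version 2>&1 | awk '/^certbot/ { print $2; exit }'
}

# check_wildcard_prereqs VERSION ARGS...: 0 = ok, 1 = too old,
# 2 = 0.22.0 combined with --dry-run/--staging (the bug noted in the post).
check_wildcard_prereqs() {
  ver=$1; shift
  version_ge "$ver" 0.22.0 || return 1
  if [ "$ver" = 0.22.0 ]; then
    for arg in "$@"; do
      case $arg in
        --dry-run|--staging) return 2 ;;
      esac
    done
  fi
  return 0
}

# has_server_flag ARGS...: succeed if the caller already passed --server.
has_server_flag() {
  for arg in "$@"; do
    case $arg in
      --server|--server=*) return 0 ;;
    esac
  done
  return 1
}

main() {
  ver=$(certbot_version)
  [ -n "$ver" ] || { echo "could not determine $CERTBOT version" >&2; return 1; }
  rc=0; check_wildcard_prereqs "$ver" "$@" || rc=$?
  case $rc in
    1) echo "certbot $ver is too old; wildcards need 0.22.0+" >&2; return 1 ;;
    2) echo "certbot 0.22.0 sends --dry-run/--staging to ACMEv1; upgrade to 0.22.1+" >&2; return 1 ;;
  esac
  # Append the ACMEv2 endpoint unless the caller chose a server explicitly.
  if has_server_flag "$@"; then
    exec "$CERTBOT" "$@"
  else
    exec "$CERTBOT" "$@" --server "$ACMEV2_DIRECTORY"
  fi
}

# Only run when arguments are given, so the file can also be sourced for its
# functions (for instance from a renewal script).
[ "$#" -eq 0 ] || main "$@"
```

Invoke it with the same arguments you would give Certbot, for example `./wildcard.sh certonly --manual -d '*.example.com' -d example.com --preferred-challenges dns-01`; the wildcard is quoted so the shell does not expand it against files in the current directory.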

Could be I'm blind, but I'm not seeing any description on how to install the DNS plugins with the mentioned distributions.

Also, with Gentoo it's also child's play to install a DNS plugin for certbot. Only the ebuild(s) aren't available publicly. I've made one for the RFC2136 plugin, but can't upload the ebuild at this moment.

Maybe it is interesting to note that you need two TXT DNS records with the same name but different content as noted in: In manual authenticator, explain that earlier challenges shouldn't be replaced by later ones #5729 and Fix requesting a certificate for a wildcard and the base domain in our lexicon plugins #5673, one for *.example.com and the other for example.com.

Also, you must ensure that the key is deployed before continuing, for instance with (if you are on GNU/Linux):

host -t txt _acme-challenge.example.com

After the first challenge you must have one result, and after the second challenge you must have two results.
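The reply above checks with `host -t txt` that one, and then two, TXT records are visible before letting Certbot continue. The script below, an added example that is not part of the thread or of Certbot, automates that check: it parses the output of host(1), which is assumed to print each record on one line as `NAME descriptive text "VALUE"`, counts the records, and polls until the expected number is published. The two sample outputs embedded in it are constructed, with placeholder token values.

```shell
#!/bin/sh
# Added example (not from the thread or from Certbot): confirm that the
# _acme-challenge TXT records for "*.example.com" plus "example.com" are
# really published before continuing past the manual plugin's prompt.
# Assumption: host(1) prints each TXT record on one line in the form
#   NAME descriptive text "VALUE"
# and an NXDOMAIN or empty answer contains no such line.

# Count TXT records in host(1) output read from stdin (prints 0 on none).
count_txt_records() {
  grep -c 'descriptive text' || true
}

# txt_has_value VALUE: succeed if host(1) output on stdin contains a TXT
# record whose content is exactly VALUE (fixed-string match, no regex).
txt_has_value() {
  grep -qF "descriptive text \"$1\""
}

# wait_for_txt_count NAME EXPECTED [INTERVAL] [ATTEMPTS]: poll the resolver
# until NAME shows at least EXPECTED TXT records. For the wildcard plus base
# domain order discussed above, EXPECTED is 1 after the first challenge and
# 2 after the second: both records share the name and differ only in content.
wait_for_txt_count() {
  name=$1; expected=$2; interval=${3:-10}; attempts=${4:-30}
  i=0; n=0
  while [ "$i" -lt "$attempts" ]; do
    n=$(host -t txt "$name" 2>/dev/null | count_txt_records)
    if [ "$n" -ge "$expected" ]; then
      echo "ok: $n TXT record(s) visible at $name"
      return 0
    fi
    i=$((i + 1))
    sleep "$interval"
  done
  echo "timeout: $n TXT record(s) visible at $name, wanted $expected" >&2
  return 1
}

# Constructed sample outputs (what `host -t txt _acme-challenge.example.com`
# might print after the first and after the second challenge); the token
# values are placeholders, not real ACME validation strings.
SAMPLE_AFTER_FIRST='_acme-challenge.example.com descriptive text "wildcard-token-CONSTRUCTED"'
SAMPLE_AFTER_SECOND="$SAMPLE_AFTER_FIRST
_acme-challenge.example.com descriptive text \"base-token-CONSTRUCTED\""

# Run directly as: ./txtcheck.sh _acme-challenge.example.com 2
# With no arguments the file only defines the functions, so it can be sourced.
[ "$#" -eq 0 ] || wait_for_txt_count "$@"
```

Run it once with an expected count of 1 after deploying the first record and again with 2 after the second, before pressing Enter at each of Certbot's prompts; if your resolver caches negative answers, point host at the zone's authoritative server or lower the poll interval accordingly.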

I had the same thought. Regardless, the actual instructions to install the DNS plugins are on the install page. https://certbot.eff.org/lets-encrypt/centosrhel7-nginx

Basically, replace certbot in the install command with the DNS plugin you need, e.g. certbot-dns-digitalocean for DigitalOcean.

That said, this worked better than the instructions listed for creating new wildcard certs (Note: this one renews an existing cert called example.org):

sudo certbot certonly --cert-name example.org \
	--dns-digitalocean \
	--dns-digitalocean-credentials ~/digitalocean.ini \
	--server https://acme-v02.api.letsencrypt.org/directory \
	-d "*.example.org" -d example.org
1 Like
