Having great difficulty getting wildcard cert on my remote linode server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

www.bithouz.com

I ran this command:

$ history | tail
741 sudo apt-get install certbot python-certbot-apache
742 ls -al
743 sudo certbot --apache -d bithouz.com -d www.bithouz.com -d *.bithouz.com -d www.*.bithouz.com
744 ls -al
745 less bithouz.conf
746 sudo certbot --apache -d *.bithouz.com -d www.*.bithouz.com -d bithouz.com -d www.bithouz.com
747 sudo certbot --apache -d *.bithouz.com -d bithouz.com -d www.bithouz.com
748 sudo certbot --apache -d *.bithouz.com -d bithouz.com
749 history
750 history | tail

It produced this output:

$ sudo certbot --apache -d bithouz.com -d www.bithouz.com -d *.bithouz.com -d www.*.bithouz.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): my-actual-email@my-real-email


Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory


(A)gree/(C)ancel: A


Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.


(Y)es/(N)o: N
Obtaining a new certificate
An unexpected error occurred:
Error creating new order :: Cannot issue for "www.*.bithouz.com": DNS name had a malformed wildcard label
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

And

$ sudo certbot --apache -d *.bithouz.com -d www.*.bithouz.com -d bithouz.com -d www.bithouz.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
An unexpected error occurred:
Error creating new order :: Cannot issue for "www.*.bithouz.com": DNS name had a malformed wildcard label
Please see the logfiles in /var/log/letsencrypt for more details.

And

$ sudo certbot --apache -d *.bithouz.com -d bithouz.com -d www.bithouz.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
An unexpected error occurred:
The request message was malformed :: Error creating new order :: Domain name "www.bithouz.com" is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request.
Please see the logfiles in /var/log/letsencrypt for more details.

And

$ sudo certbot --apache -d *.bithouz.com -d bithouz.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

Respectively

My web server is (include version):

$ apache2 -v
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2019-09-16T12:58:48

The operating system my web server runs on is (include version):

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.3 LTS
Release: 18.04
Codename: bionic

My hosting provider, if applicable, is:

linode.com

I can login to a root shell on my machine (yes or no, or I don't know):

Yes via ssh and to a command shell (bash shell).

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

There is also a graphical control panel for linode in which I can manage dns records (among other things).

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

$ certbot --version
certbot 0.31.0

$ certbot-auto --version
certbot-auto: command not found

I want to have a wildcard certificate for both of my domains and strongly prefer for certbot to fill out the configuration in my apache configuration files for me (automatically). I do not want to fuss with adding the information manually in those configuration files. I currently have each domain with its own config file in /etc/apache2/sites-available; one is jfines.conf and the other is bithouz.conf. I am unclear on 2 things: (1) whether or not I need to use certbot-auto (as opposed to just certbot / certbot --apache) and (2) whether the complicated DNS challenge method is the only way to get a wildcard cert at this time. Isn't there a method that involves nothing more than running a simple command on the command line and being done with it? Is there no way to avoid a method where creation of a DNS record is involved? --> I just want this to be as simple and fool-proof as possible.

Ultimately, I would like clear instructions with step by step command(s) that I know I can rely on (ie: not from third party web sites but from here where I can feel confident I'm being given the right information).

Thanks in advance for any help.

Jake

I think the combination of domains you’re going for is:

  • *.bithouz.com
  • bithouz.com

The others you are trying to include are invalid for the reasons described in the error messages.

The other thing to note is that you cannot obtain a wildcard certificate just using the Apache authenticator. Wildcards are special in that they require you to use DNS authentication.

Since you are using Linode for DNS hosting, you will need to use certbot-dns-linode.

Your final command will look something like:

certbot -i apache -a dns-linode \
--dns-linode-credentials ~/.secrets/certbot/linode.ini \
--dns-linode-propagation-seconds 1000 \
-d "bithouz.com" -d "*.bithouz.com"

And that’s after you have read the website for the Certbot Linode plugin and created the credentials file at the nominated location (~/.secrets/certbot/linode.ini above).
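The two errors quoted above come from the CA's checks on the names in a single order, and the fourth attempt failed because a wildcard can only be validated over DNS. The following added pre-flight check (my example, not code from the thread, from Certbot or from Let's Encrypt) applies those same rules locally before any order is created: a `*` must be the entire leftmost label, a name already covered by a wildcard in the same request is redundant, and any wildcard means the apache authenticator cannot satisfy the order. The domain names are the ones from this thread; the label syntax rule is the usual LDH hostname rule and is my assumption of what the CA enforces beyond the two errors shown.

```python
# Added example (not from the thread or from Certbot): a pre-flight check that
# applies the rules behind the "malformed wildcard label" and "redundant with a
# wildcard domain" errors before any ACME order is created.
import re

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
# (LDH rule; assumed here, the thread only shows the two wildcard errors.)
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def _normalise(name):
    return name.strip().lower().rstrip(".")


def check_identifiers(names):
    """Return a list of (name, reason) pairs for every name the CA would
    reject; an empty list means the request is well formed."""
    problems = []
    wildcard_bases = set()        # "bithouz.com" for "*.bithouz.com"
    seen = set()

    for raw in names:
        name = _normalise(raw)
        if name in seen:
            problems.append((raw, "duplicate identifier"))
            continue
        seen.add(name)

        labels = name.split(".")
        if len(labels) < 2 or "" in labels:
            # "www..bithouz.com" has an empty label; a bare host is not an FQDN.
            problems.append((raw, "empty label or not a fully qualified name"))
            continue

        if "*" in name:
            # '*' must be the entire leftmost label, so "www.*.bithouz.com"
            # and "*.*.bithouz.com" are both malformed.
            if labels[0] != "*" or any("*" in lab for lab in labels[1:]):
                problems.append((raw, "malformed wildcard label"))
                continue
            wildcard_bases.add(".".join(labels[1:]))
            labels = labels[1:]

        bad = [lab for lab in labels if not LABEL_RE.match(lab)]
        if bad:
            problems.append((raw, "invalid label %r" % bad[0]))

    # Second pass: a plain name whose parent is a wildcard in the same order is
    # already covered ("www.bithouz.com" under "*.bithouz.com"). The base name
    # itself ("bithouz.com") is NOT covered and must be listed separately.
    for raw in names:
        labels = _normalise(raw).split(".")
        parent = ".".join(labels[1:])
        if labels[0] != "*" and parent in wildcard_bases:
            problems.append((raw, "redundant with wildcard *." + parent))
    return problems


def needs_dns01(names):
    """True if any identifier is a wildcard: the apache/http-01 authenticator
    cannot satisfy such an order and a DNS plugin (or manual mode) is required."""
    return any(_normalise(n).startswith("*.") for n in names)


if __name__ == "__main__":
    for request in (
        ["bithouz.com", "www.bithouz.com", "*.bithouz.com", "www.*.bithouz.com"],
        ["*.bithouz.com", "bithouz.com", "www.bithouz.com"],
        ["*.bithouz.com", "bithouz.com"],
    ):
        print(request, "->", check_identifiers(request) or "OK",
              "| DNS-01 needed:", needs_dns01(request))
```

Run as a script it walks the three failing and one succeeding `-d` combinations from the first post; only `*.bithouz.com` plus `bithouz.com` passes, and that combination is exactly the one that forces the DNS authenticator.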


Thank you. I’ve actually never done this before (using an api token). What is the corresponding component in the command given above to the “Label” field in linode?

The screenshot above shows what it looks like in the Linode Manager when creating the API token. To be clear, I'm trying to understand the connection between what I choose in the label field in the Linode Manager compared to where it shows up in the command example above.

Would it be the “linode” in “~/.secrets/certbot/linode.ini above).” shown in the response? So that if I were to use the command given in the reply exactly as it is then I would use “linode” for the Label name when creating the api key?

I believe that “Label” is just a descriptive name, so you know why the token was created. It doesn’t have a functional impact.

For example, you could give it the label of “Certbot API Token for bithouz.com”.

Unfortunately I may have given you some rotten advice. It seems like python-certbot-dns-linode is not available for Ubuntu Bionic due to some packaging issues. So you would not be able to use it in this instance.

You can still get your wildcard, but perhaps not with Certbot. Would you consider using something like acme.sh? It can also do basically the same thing - https://github.com/Neilpang/acme.sh/wiki/dnsapi#14-use-linode-domain-api.

Yeah, I was getting errors trying to run that command. I hadn't really planned on doing this today; and, to be honest, have been putting it off because of the learning curve. No offense, but I don't understand why this has to be so complicated. I'll probably deal with it later when it becomes more critical or I can find some 'simple' working instructions. Tbh, I just don't want to learn all the ins and outs of another program right now. I just wanted to be instructed.

Appreciate your time.

If you change your mind or anyone wants to provide working instruction I can understand I would love that. Otherwise I'm basically back to figuring it out on my own.

PS: What exactly is being said here? That certbot cannot be used to obtain a wildcard cert on ubuntu? That would be strange.

Not really strange at all. Certbot is a bloated mess of dependencies and (IMO) rarely the best choice of ACME client.

Follow @_az' suggestion and use acme.sh. It's much simpler, has far fewer dependencies, and much better DNS host support. Its documentation for Linode DNS is at dnsapi · acmesh-official/acme.sh Wiki · GitHub.


To give a slightly more technical reason: because wildcard certificates require DNS challenges to be performed, Certbot has to understand how to talk to Linode's proprietary API to modify DNS records. This is true for every single DNS host.

Getting this integration for every single DNS host into each operating system's package repositories is a bit complicated in the world of Python. @danb35 is right that Certbot have made life hard for themselves with how they deal with dependencies, but that is changing soon (I think) with snap packages.

It's also for that reason that many people prefer acme.sh if they have to deal with DNS validation, because it has implemented the integrations with the DNS hosts in a giant shell script with no complicated dependencies.

Certbot, of course, is capable of issuing a wildcard for your domain:

certbot certonly --manual -d "*.bithouz.com"

but it lacks the ability to automatically perform the DNS challenge without that extra Linode integration - requiring you to do it by hand.

And yeah, your feelings are reasonable. The state of DNS plugins in Certbot is a disappointing user experience right now.
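To make concrete what "perform the DNS challenge" means, here is an added example (mine, not code from the thread, from Certbot or from acme.sh) that derives the TXT record a DNS plugin, or you in `--manual` mode, has to publish for a dns-01 challenge, following RFC 8555 section 8.4 and the RFC 7638 key thumbprint. The account key and challenge tokens below are constructed placeholders; a real CA issues one token per challenge. The point worth seeing is that `*.bithouz.com` and `bithouz.com` are both validated at `_acme-challenge.bithouz.com`, so an order for both needs two TXT records at the same owner name, which is why a plugin has to add records rather than overwrite one.

```python
# Added example (not from the thread, Certbot or the CA): what a DNS plugin has
# to publish for a dns-01 challenge, derived from the challenge token and the
# ACME account key's RFC 7638 thumbprint (RFC 8555 section 8.4).
import base64
import hashlib
import json

# Members that enter the thumbprint for each key type (RFC 7638 section 3.2).
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data):
    """Unpadded base64url, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys in
    lexicographic order, no whitespace. Optional members (kid, alg, use) and
    the order members appear in the JSON do not affect the result."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(identifier, token, account_jwk):
    """Return (owner name, TXT value) that must exist in DNS before the CA
    validates this identifier. A wildcard "*.example" is validated at the same
    owner name as "example", so an order for both needs two TXT records."""
    key_authorization = token + "." + jwk_thumbprint(account_jwk)
    txt_value = b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base, txt_value


# Constructed placeholder account key: not a real RSA key, "n" is dummy bytes.
EXAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(b"\x00" * 16 + b"example-account-key-modulus-bytes"),
    "alg": "RS256",          # optional member, ignored by the thumbprint
    "use": "sig",            # optional member, ignored by the thumbprint
}

if __name__ == "__main__":
    # Tokens are issued by the CA per challenge; these two are made up.
    for ident, tok in (("bithouz.com", "tokenA"), ("*.bithouz.com", "tokenB")):
        name, value = dns01_record(ident, tok, EXAMPLE_ACCOUNT_JWK)
        print('%-16s -> %s IN TXT "%s"' % (ident, name, value))
```

Whatever publishes those records (certbot-dns-linode, acme.sh's Linode module, or you by hand) only ever adds TXT records at `_acme-challenge.<base>`; the account key never leaves the machine, which is why the API token only needs permission to edit DNS for that zone.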


I appreciate the clarification. I suppose it isn’t critical at this moment for me to implement https and I’ll have to decide how I want to do it (wildcard or not). This has really helped me see what some of the issues involved are and to start thinking about things a little more clearly. Thanks.


fwiw I’m sure I’ll be using acme.sh when I tackle this though 🙂

