Help using certbot on windows (with wildcard)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: t7.vc and leat.xyz

I ran this command: certbot certonly --webroot --preferred-challenges=dns and certbot certonly --webroot

It produced this output:

C:\PROGRA~2\Certbot>certbot certonly --webroot
Saving debug log to C:\Certbot\log\letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): *.t7.vc t7.vc *.leat.xyz leat.xyz
Requesting a certificate for *.t7.vc and 3 more domains
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

C:\PROGRA~2\Certbot>certbot certonly --webroot --preferred-challenges=dns
Saving debug log to C:\Certbot\log\letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): *.t7.vc t7.vc *.leat.xyz leat.xyz
Requesting a certificate for *.t7.vc and 3 more domains
None of the preferred challenges are supported by the selected plugin
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nodejs

The operating system my web server runs on is (include version): windows 10

My hosting provider, if applicable, is: namecheap

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.24.0

I have been waiting a long time for wildcard certs but can't seem to get them to work :frowning: If I don't add the wildcard it spits out the .pem files as expected.

Wildcard certificates require the dns-01 challenge and the webroot plugin can only do the http-01 challenge.

5 Likes

Thanks for the reply, I just now noticed I had actually had this same problem a year or more ago and posted it as "Error with wildcard on windows".

I also just noticed the reply, it seems from the reply back then that I would have to go through the namecheap API and program something myself? Or is there some way to get the dns-01 challenge to work already that I can use?

I'm still pretty confused how to actually get the wildcards working? Should I not be using the --webroot or the --standalone plugin and trying --manual? I'm going to try reading through more of the documentation from the reply I got last year tonight and hope that helps.

1 Like

Changing from Windows to Linux won't change your DSP [DNS Service Provider].
Automating wildcard certs requires API integration with your DSP.

2 Likes

Ok thanks, is there a provider that has an API that certbot already works with? I would switch from namecheap if that's the case; I've been wanting wildcards for years.

1 Like

You should also review some of the other Windows ACME clients.
Like: CertifyTheWeb.com, Posh-ACME, and the latest version of Certbot
Look for the one that can integrate with your DSP.
If none can... then maybe it is time to switch DSPs.

3 Likes

Here's the built-in DNS plug-ins for Certbot
https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins

The ACME client acme.sh (see github) has built-in support for many more DSPs

Cloudflare is probably one of the most popular

3 Likes

Does acme.sh work on Windows?

3 Likes

Also check here for DNS providers who easily integrate with Let's Encrypt DNS validation

2 Likes

Oh, my bad. Probably not. But, do Certbot DNS plug-ins work? I didn't think they were included on Windows.

Agree on your suggestion to look at other Windows based ACME clients like Certify The Web

4 Likes

Ok so for now I will check out other ACME clients, but for the record if swapping to linux is also easy enough for me then I could use the DNS plugin which doesn't work on windows without using another DSP or ACME client?

Thanks again for the help.

1 Like

Maybe this has changed but NameCheap does not allow automated API updates to DNS records unless you have a qualifying account which requires some fairly large annual spend.

Switching to linux means needing a suitable DNS provider to get a wildcard cert. And then using a client which supports that DNS provider.

My earlier link was DNS plug-ins for Certbot which work on Linux. The later topic shows 3rd party options. There are also clever options like acme-dns. But, easiest to use a DNS provider with a plug-in (with certbot or whatever other ACME client you prefer; there are lots).

4 Likes

Darn ok I think I'm just too pleb for wildcards for now. I'll read more about it but it looks like I might just not be able to get my wildcard certs for free, at least not on namecheap then. I have some workarounds that are annoying for now.

Here is a list of Free ACME CAs

1 Like

I'm looking now for DSP on your first link.

If it says "FREE" then I can swap to them and eventually set up wildcards by using certbot dns plugin + linux for example (if it says it's compatible with certbot too) and not pay a lot like I would with namecheap?

Fair enough. :slight_smile:

Ok then I'm switching DSPs. I'll post back randomly in the future with happy faces if it works <3 Take care everyone.

2 Likes

Cloudflare might be a DSP option.

3 Likes

I'd second this - Cloudflare works well for free basic domain DNS hosting (and optionally as a domain registrar, it's easy to transfer to them), plus they have a bunch of additional features that are useful such as web firewall and DDoS protection etc.

4 Likes
