How to add another wildcard certificate?

I need help making a change to my wildcard certificate.

I currently have a wildcard certificate with automated renewal using the acme-dns-certbot-hook and https://auth.acme-dns.io/register method. This certificate contains the following domains:
polisoftware.com.br
*.polisoftware.com.br
This is working fine.

My server is using:
Ubuntu 20.04.1 LTS
nginx version: nginx/1.18.0 (Ubuntu)
certbot 0.40.0

I recently tried adding another domain, also with a wildcard, so the certificate would have:
polisoftware.com.br
*.polisoftware.com.br
*.zrok.polisoftware.com.br

So I used the command:

sudo certbot run --cert-name polisoftware.com.br -a manual -d polisoftware.com.br, *.polisoftware.com.br, *.zrok.polisoftware.com.br -i nginx

This command prompted me for some DNS records for the challenges and a challenge file for the web server. I did everything required, and the certificate was successfully updated. I tested the new domain, test.zrok.polisoftware.com.br, to validate the certificate with https, and everything worked perfectly.

The problems started when I tried to renew it with the command:

certbot renew --dry-run

After adding *.zrok.polisoftware.com.br, the acme-dns-certbot-hook could no longer resolve the challenges.

I tried re-registering with:
curl -X POST https://auth.acme-dns.io/register and updating the configuration file using the hook.
I also updated the DNS records with the new challenges for the hook, as I had done before adding this new domain:
_acme-challenge.polisoftware.com.br
_acme-challenge.zrok.polisoftware.com.br
I tried several times and couldn't get the hook to work.

To get the certbot renew --dry-run command working again on the server, I had to remove *.zrok.polisoftware.com.br and redo the entire configuration.

I must be missing something, but I don't know what it could be.

Here are some errors I received in my numerous attempts. Any help is welcome:

certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/polisoftware.com.br.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator manual, Installer nginx
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for polisoftware.com.br
dns-01 challenge for zrok.polisoftware.com.br
dns-01 challenge for polisoftware.com.br
Running manual-auth-hook command: /etc/acme-dns/acme-dns-certbot-hook -config /etc/acme-dns/hook.json
Running manual-auth-hook command: /etc/acme-dns/acme-dns-certbot-hook -config /etc/acme-dns/hook.json
Running manual-auth-hook command: /etc/acme-dns/acme-dns-certbot-hook -config /etc/acme-dns/hook.json
Waiting for verification...
Challenge failed for domain polisoftware.com.br
dns-01 challenge for polisoftware.com.br
Cleaning up challenges
Attempting to renew cert (polisoftware.com.br) from /etc/letsencrypt/renewal/polisoftware.com.br.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/polisoftware.com.br/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/polisoftware.com.br/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: polisoftware.com.br
   Type:   unauthorized
   Detail: Incorrect TXT record
   "G8-9cel1NbzALWVJJZlrYJPVRtOXKQXeKamjCCZXcCc" (and 1 more) found at
   _acme-challenge.polisoftware.com.br

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
root@nginx:/etc/acme-dns# ping dns-01
ping: dns-01: Temporary failure in name resolution
root@nginx:/etc/acme-dns# vim /etc/letsencrypt/renewal/polisoftware.com.br.conf
root@nginx:/etc/acme-dns# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/polisoftware.com.br.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator manual, Installer nginx
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Attempting to renew cert (polisoftware.com.br) from /etc/letsencrypt/renewal/polisoftware.com.br.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/polisoftware.com.br/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/polisoftware.com.br/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
root@nginx:/etc/acme-dns# vim /etc/letsencrypt/renewal/polisoftware.com.br.conf
root@nginx:/etc/acme-dns# ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248) 56(84) bytes of data.
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=1 ttl=59 time=9.85 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=2 ttl=59 time=9.36 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=3 ttl=59 time=12.0 ms
^C
--- ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 9.355/10.386/11.956/1.128 ms
root@nginx:/etc/acme-dns# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/polisoftware.com.br.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator manual, Installer nginx
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for polisoftware.com.br
dns-01 challenge for zrok.polisoftware.com.br
dns-01 challenge for polisoftware.com.br
Running manual-auth-hook command: /etc/acme-dns/acme-dns-certbot-hook -config /etc/acme-dns/hook.json
Running manual-auth-hook command: /etc/acme-dns/acme-dns-certbot-hook -config /etc/acme-dns/hook.json
Running manual-auth-hook command: /etc/acme-dns/acme-dns-certbot-hook -config /etc/acme-dns/hook.json
Waiting for verification...
Challenge failed for domain polisoftware.com.br
Challenge failed for domain polisoftware.com.br
dns-01 challenge for polisoftware.com.br
dns-01 challenge for polisoftware.com.br
Cleaning up challenges
Attempting to renew cert (polisoftware.com.br) from /etc/letsencrypt/renewal/polisoftware.com.br.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/polisoftware.com.br/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/polisoftware.com.br/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: polisoftware.com.br
   Type:   unauthorized
   Detail: Incorrect TXT record
   "870fc80d-c438-46eb-9dc8-27976e327e74.auth.acme-dns.io" found at
   _acme-challenge.polisoftware.com.br

   Domain: polisoftware.com.br
   Type:   unauthorized
   Detail: Incorrect TXT record
   "870fc80d-c438-46eb-9dc8-27976e327e74.auth.acme-dns.io" found at
   _acme-challenge.polisoftware.com.br

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
root@nginx:/etc/acme-dns# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/polisoftware.com.br.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator manual, Installer nginx
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for polisoftware.com.br
dns-01 challenge for zrok.polisoftware.com.br
dns-01 challenge for polisoftware.com.br
Running manual-auth-hook command: /etc/acme-dns/acme-dns-certbot-hook -config /etc/acme-dns/hook.json
Running manual-auth-hook command: /etc/acme-dns/acme-dns-certbot-hook -config /etc/acme-dns/hook.json
Running manual-auth-hook command: /etc/acme-dns/acme-dns-certbot-hook -config /etc/acme-dns/hook.json
Waiting for verification...
Challenge failed for domain polisoftware.com.br
dns-01 challenge for polisoftware.com.br
Cleaning up challenges
Attempting to renew cert (polisoftware.com.br) from /etc/letsencrypt/renewal/polisoftware.com.br.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/polisoftware.com.br/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/polisoftware.com.br/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: polisoftware.com.br
   Type:   unauthorized
   Detail: Incorrect TXT record
   "xEnG8zMtlfBzuOhg_YYBZsFw6Wvkx1atBJEpa1oZ_bA" (and 1 more) found at
   _acme-challenge.polisoftware.com.br

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
1 Like
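The failures logged above are all of the same kind: the CA looked at `_acme-challenge.polisoftware.com.br` and did not find the TXT values it expected (in two of the runs the value it did find was an acme-dns hostname rather than a challenge token). The check below is an added illustration for this thread, not code from certbot, acme-dns or the acme-dns-certbot-hook; it models what a CA's resolver does for DNS-01 (follow the CNAME delegation, read the TXT records at the end of it) and reports, per challenge name, what is missing. Two points it makes concrete: a base name and its wildcard are validated at the same `_acme-challenge` label and therefore need two tokens there at once, and each additional name such as `*.zrok.polisoftware.com.br` gets its own `_acme-challenge.zrok...` label that must be delegated separately. The DNS lookup is injected; the constructed zone and the UUID-style names in it are made up, and `live_lookup` assumes the dnspython `dns.resolver` API.

```python
"""Offline readiness check for DNS-01 challenge records in a certbot + acme-dns
setup. Added illustration for this thread; not code from certbot, acme-dns or
the acme-dns-certbot-hook. The DNS lookup is injected so the logic runs against
the constructed zone below; `live_lookup` (assumes dnspython's dns.resolver API)
can be passed instead for a real query."""
import base64
import hashlib
import re
from typing import Callable, Dict, List, Tuple

# (owner name, record type) -> record values, e.g. ("x.example", "TXT") -> ["..."]
Lookup = Callable[[str, str], List[str]]

# RFC 8555 section 8.4: TXT value = base64url(SHA-256(keyAuthorization)),
# 32 bytes -> exactly 43 unpadded base64url characters.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")
MAX_CNAME_HOPS = 8


def dns01_txt_value(key_authorization: str) -> str:
    """The TXT value the client (or its auth hook) must publish for one challenge."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_name(domain: str) -> str:
    """example.com and *.example.com are both validated at _acme-challenge.example.com."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def resolve_txt(name: str, lookup: Lookup) -> Tuple[str, List[str]]:
    """Follow CNAMEs the way the CA's resolver does; return (final owner, TXT values)."""
    for _ in range(MAX_CNAME_HOPS):
        targets = lookup(name, "CNAME")
        if not targets:
            return name, lookup(name, "TXT")
        name = targets[0].rstrip(".")
    raise RuntimeError(f"CNAME chain longer than {MAX_CNAME_HOPS} hops at {name}")


def check_domains(domains: List[str], lookup: Lookup) -> Dict[str, List[str]]:
    """Return problems per challenge name; an empty list means that name looks ready."""
    # A base name and its wildcard share one owner name but are two challenges,
    # so that label must carry two distinct tokens at validation time.
    needed: Dict[str, int] = {}
    for d in domains:
        needed[challenge_name(d)] = needed.get(challenge_name(d), 0) + 1

    report: Dict[str, List[str]] = {}
    for name, count in needed.items():
        try:
            final, values = resolve_txt(name, lookup)
        except RuntimeError as exc:
            report[name] = [str(exc)]
            continue
        problems: List[str] = []
        if final == name:
            problems.append("no CNAME delegation: an acme-dns hook cannot update this name")
        tokens = [v for v in values if TOKEN_RE.match(v)]
        for v in values:
            if v not in tokens:
                problems.append(f"TXT value {v!r} is not a challenge token "
                                "(acme-dns expects its hostname in a CNAME, not a TXT)")
        if len(tokens) < count:
            problems.append(f"{count} challenge(s) but only {len(tokens)} token(s) published")
        report[name] = problems
    return report


# Constructed sample zone: every name, UUID and key authorization below is made up.
_T1 = dns01_txt_value("tokenA.thumbprint")
_T2 = dns01_txt_value("tokenB.thumbprint")
ACME_DNS_BASE = "00000000-0000-4000-8000-000000000001.auth.acme-dns.io"
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    # Correct shape: delegation by CNAME, two tokens at the acme-dns name.
    ("_acme-challenge.polisoftware.com.br", "CNAME"): [ACME_DNS_BASE + "."],
    (ACME_DNS_BASE, "TXT"): [_T1, _T2],
    # Wrong shape: the acme-dns hostname published as TXT instead of as a CNAME,
    # which is what an "Incorrect TXT record ... auth.acme-dns.io" error looks like.
    ("_acme-challenge.zrok.polisoftware.com.br", "TXT"):
        ["00000000-0000-4000-8000-000000000002.auth.acme-dns.io"],
}


def sample_lookup(name: str, rtype: str) -> List[str]:
    return SAMPLE_ZONE.get((name, rtype), [])


def live_lookup(name: str, rtype: str) -> List[str]:
    """Real query via dnspython (assumed installed: pip install dnspython)."""
    import dns.resolver
    try:
        answer = dns.resolver.resolve(name, rtype)
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        return []
    if rtype == "TXT":
        return [b"".join(r.strings).decode("ascii") for r in answer]
    return [r.target.to_text() for r in answer]


if __name__ == "__main__":
    names = ["polisoftware.com.br", "*.polisoftware.com.br", "*.zrok.polisoftware.com.br"]
    for n, probs in check_domains(names, sample_lookup).items():
        print(n, "OK" if not probs else "; ".join(probs))
```

Run against the constructed zone, the base label passes and the `zrok` label reports three problems (no delegation, a hostname where a token should be, zero tokens for one challenge). Against a live zone, swap in `live_lookup` and run it between the auth hook and the CA's validation; the exact tokens differ per run, but the shape check (43-character base64url values, one per challenge, reached through a CNAME) is what matters.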

Hi @giorgiobazzo, I would strongly suggest using a newer version of Certbot 5.1.0 Release
See Certbot Instructions
After installing the updated Certbot please rerun certbot --version to verify the correct Certbot is being used.

1 Like

Unless OP is paying for Extended Security Maintenance, I would strongly suggest a newer version of Ubuntu LTS, too.

2 Likes

Thank you very much!

I had automated wildcard certificates a few years ago. I read the instructions you suggested, and they were very helpful.
I can see that it's much better now than it was back then.

In my case, I used the Route53 plugin; my DNS is on AWS, so I changed the command to:

certbot run --cert-name polisoftware.com.br --dns-route53 -d "polisoftware.com.br,*.polisoftware.com.br,*.zrok.polisoftware.com.br" -i nginx

I had to remove the spaces between the domains on the command line, because if there are spaces, I now get a "Requested domain is not a FQDN because it contains an empty label" error.

I had to delete the old _acme-challenge.polisoftware.com.br and _acme-challenge.zrok.polisoftware.com.br records from my DNS because they were causing conflicts during renewal.

Everything is now working as expected, and the great thing is that we no longer have to manually update the challenges in the DNS records.

Thanks again!

4 Likes

That was probably your Ubuntu shell interpreting the asterisk. Quoting the list probably would have worked too.

Glad they were able to help you sort it out. And, yes, automation is way more fun than manual challenges 🙂

4 Likes
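The "empty label" error from the post two above, and the shell-splitting explanation just given, can be reproduced without touching a real CA. The model below is an added illustration for this thread, not certbot's own argument parser: it mimics the shell's word splitting with `shlex` (which, unlike a real shell, never glob-expands the asterisk, so the names are shown as the shell passes them when nothing matches) and models the documented `-d` behaviour of accepting a comma-separated, repeatable list whose entries are stripped and must not contain an empty label.

```python
"""How a -d domain list reaches certbot. Added illustration for this thread, not
certbot's own parser: it models the documented behaviour that -d takes a
comma-separated list (repeatable) and rejects names with an empty label, and uses
shlex to mimic the shell's word splitting (shlex does not expand globs)."""
import shlex
from typing import List


class DomainError(ValueError):
    """Stands in for the error certbot raises on a bad -d value (modeled)."""


def validate_domain(domain: str) -> str:
    """Reject empty labels and wildcards anywhere but the leftmost label."""
    domain = domain.strip().lower()
    labels = domain.split(".")
    if any(label == "" for label in labels):
        raise DomainError(f"Requested domain {domain!r} is not a FQDN "
                          "because it contains an empty label")
    if any("*" in label for label in labels[1:]) or ("*" in labels[0] and labels[0] != "*"):
        raise DomainError(f"Wildcard is only allowed as the leftmost label: {domain!r}")
    return domain


def parse_domain_args(argv: List[str]) -> List[str]:
    """Collect every -d/--domains value from argv; each value may hold several names."""
    domains: List[str] = []
    i = 0
    while i < len(argv):
        if argv[i] in ("-d", "--domains", "--domain"):
            if i + 1 >= len(argv):
                raise DomainError("-d needs a value")
            domains.extend(validate_domain(d) for d in argv[i + 1].split(","))
            i += 2
        else:
            i += 1  # any other word (including a stray "*.example," token) is ignored here
    return domains


def domains_from_command(command_line: str) -> List[str]:
    """Split a command the way a POSIX shell would, then parse the -d options."""
    return parse_domain_args(shlex.split(command_line))


def explain(command_line: str) -> str:
    """'ok: <names>' or 'error: <message>' for a given command line."""
    try:
        return "ok: " + ",".join(domains_from_command(command_line))
    except DomainError as exc:
        return "error: " + str(exc)


if __name__ == "__main__":
    # Constructed command lines mirroring the two forms used in this thread.
    for cmd in (
        "sudo certbot run --cert-name polisoftware.com.br -a manual "
        "-d polisoftware.com.br, *.polisoftware.com.br, *.zrok.polisoftware.com.br -i nginx",
        "certbot run --cert-name polisoftware.com.br --dns-route53 "
        '-d "polisoftware.com.br,*.polisoftware.com.br,*.zrok.polisoftware.com.br" -i nginx',
    ):
        print(shlex.split(cmd)[shlex.split(cmd).index("-d") + 1], "->", explain(cmd))
```

With the unquoted form the shell hands `-d` only the word `polisoftware.com.br,`, whose trailing comma splits into an empty name, and the two wildcard words become unrelated positional arguments (or, in a real shell, filenames if the glob happens to match something in the current directory). Quoting the whole list, or removing the spaces, delivers all three names to `-d` in one word.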

🥳

Note: I edited your post for posterity to add backticks to fix the formatting and quotes per @MikeMcQ's suggestion.

4 Likes
