Hi, I created certbot.sh for use in my Docker setup. I want to use a wildcard for all my subdomains, and I also want to configure auto-renew.
# This is my certbot.sh file
#!/bin/sh
# Waits for proxy to be available, then gets the first certificate.
set -e
until nc -z nginx 80; do
  echo "Waiting for proxy..."
  sleep 5s & wait ${!}
done
echo "Getting certificate..."
# The wildcard name is quoted so the shell does not glob-expand "*."
certbot certonly \
  --webroot \
  -w "/vol/www/" \
  -d "$DOMAIN" \
  -d "*.$DOMAIN" \
  --email "$EMAIL" \
  --force-renewal \
  --rsa-key-size 4096 \
  --agree-tos \
  --noninteractive
When I request a certificate I get this error:
Client with the currently selected authenticator does not support any combination of challenges that
will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
How can I fix this error?
My domain is: vultuskjkszpj.online
I ran this command: docker-compose -f docker-compose.prod.yml run --rm certbot /opt/certify-init.sh
My web server is: nginx:1.23.0-alpine
I used Docker and Nginx with a Python project (python:3.11.0-slim)
The operating system my web server runs on is: nginx:1.23.0-alpine
My hosting provider, if applicable, is:
I can login to a root shell on my machine
I'm using a control panel to manage my site
The version of my client is certbot/certbot:v1.27.0
Your server did not respond to having its IPv6 Address queried.
>curl -4 http://vultuskjkszpj.online/.well-known/acme-challenge/W9CtUKXlGhZtiT88ZgwTC7fs0-ZT329klwu0dCgiZ5M ; echo
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.23.3</center>
</body>
</html>
>curl -6 http://vultuskjkszpj.online/.well-known/acme-challenge/W9CtUKXlGhZtiT88ZgwTC7fs0-ZT329klwu0dCgiZ5M ; echo
curl: (28) Failed to connect to vultuskjkszpj.online port 80 after 75027 ms: Couldn't connect to server
Please do not use --force-renewal. It does not fix problems and often causes more problems such as you becoming rate limited.
The reason for your error is you are using --webroot which is an HTTP Challenge. But, a wildcard cert requires a DNS Challenge. Review the certbot docs for how to do a DNS Challenge. Also:
Since you are using DigitalOcean for your DNS hosting, you'll want to install the certbot-dns-digitalocean plugin and use that. It is the primary way you can get a wildcard certificate. The webroot plugin isn't supported for wildcard certificates.
As @_az and @MikeMcQ indicated before, the HTTP challenge is not allowed (by Let's Encrypt's policy) for the issuance of a wildcard certificate. That's the reason that you see this error:
And that's why @_az suggested installing a DigitalOcean DNS plugin for Certbot, which would be able to handle the DNS challenge method (which is required by policy for wildcard certificates).
And, if you don't need a wildcard cert you can use the HTTP Challenge like you had it (removing the --force-renewal). Then just list all the domains with -d explicitly.
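The advice in this thread turned into a small script, added here as an example (not the poster's certbot.sh and not certbot's own code): it selects the DNS-01 challenge only when a wildcard name is requested, keeps the webroot challenge for plain hostnames, and leaves out --force-renewal. It assumes the certbot-dns-digitalocean plugin is installed, that the API token sits in an ini file at the hypothetical path DO_CREDS, and that EMAIL and DOMAIN are set by the caller.

```shell
#!/bin/sh
# Added example, not the poster's script: choose the challenge Let's Encrypt
# allows for the requested names and build the certbot argument list.
# Assumed: certbot-dns-digitalocean is installed, the API token is in the
# ini file at DO_CREDS (hypothetical path) and EMAIL is set by the caller.
set -eu
DO_CREDS=${DO_CREDS:-/etc/letsencrypt/digitalocean.ini}
EMAIL=${EMAIL:-}

# HTTP-01 (webroot) cannot validate wildcard names, so any "*." entry
# forces the DNS-01 challenge; plain hostnames keep using webroot.
challenge_for() {
  for name in "$@"; do
    case "$name" in
      '*.'*) echo dns; return 0 ;;
    esac
  done
  echo http
}

# Print one certbot argument per line; no --force-renewal, certbot's own
# renew logic decides when a certificate is due.
certbot_args() {
  if [ "$(challenge_for "$@")" = dns ]; then
    printf '%s\n' --dns-digitalocean \
      --dns-digitalocean-credentials "$DO_CREDS" \
      --dns-digitalocean-propagation-seconds 60
  else
    printf '%s\n' --webroot -w /vol/www/
  fi
  for name in "$@"; do printf '%s\n' -d "$name"; done
  printf '%s\n' --email "$EMAIL" --rsa-key-size 4096 --agree-tos --non-interactive
}

# The token file grants control of the zone: refuse to run unless it exists
# and is readable only by its owner (GNU stat first, BSD stat as fallback).
check_creds() {
  [ -f "$1" ] || { echo "credentials file $1 not found" >&2; return 1; }
  case $(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1") in
    600|400) return 0 ;;
    *) echo "$1 must be chmod 600" >&2; return 1 ;;
  esac
}

# issue_cert "$DOMAIN" "*.$DOMAIN" requests a wildcard via DNS-01;
# issue_cert "$DOMAIN" "www.$DOMAIN" keeps the webroot challenge.
issue_cert() {
  [ "$(challenge_for "$@")" = http ] || check_creds "$DO_CREDS"
  certbot certonly $(certbot_args "$@")  # paths assumed free of whitespace
}
```

The nc wait loop from the original script is only needed for the webroot path, since the DNS challenge never touches nginx.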
The current Baseline Requirement is CA-Browser-Forum BR 1.8.6, and from that document, searching for "This method is NOT suitable for validating Wildcard Domain Names.", one will find these four:
3.2.2.4.8 IP Address
3.2.2.4.18 Agreed-Upon Change to Website v2
3.2.2.4.19 Agreed-Upon Change to Website - ACME
3.2.2.4.20 TLS Using ALPN
Also under 1.2.2 Relevant Dates:
2021-12-01 3.2.2.4 CAs MUST NOT use methods 3.2.2.4.6, 3.2.2.4.18, or 3.2.2.4.19 to issue wildcard certificates or with Authorization Domain Names other than the FQDN.