How to configure certbot sh file for wildcard and auto renew?

Hi, I created certbot.sh for use in my Docker setup. I want to use a wildcard for all my subdomains, and I also want to configure auto renew.

# This is my certbot.sh file

```sh
#!/bin/sh

# Waits for the proxy to be available, then gets the first certificate.

set -e

until nc -z nginx 80; do
    echo "Waiting for proxy..."
    sleep 5s & wait ${!}
done

echo "Getting certificate..."

# The wildcard name is quoted so the shell cannot glob-expand the "*"
# against files in the current directory before certbot sees it.
certbot certonly \
    --webroot \
    -w "/vol/www/" \
    -d "$DOMAIN" \
    -d "*.$DOMAIN" \
    --email "$EMAIL" \
    --force-renewal \
    --rsa-key-size 4096 \
    --agree-tos \
    --noninteractive
```

When I request a certificate I get this error:

Client with the currently selected authenticator does not support any combination of challenges that 
will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

How can I fix this error?

My domain is: vultuskjkszpj.online

I ran this command: docker-compose -f docker-compose.prod.yml run --rm certbot /opt/certify-init.sh


My web server is: nginx:1.23.0-alpine
I used Docker and Nginx with a Python project (python:3.11.0-slim)
The operating system my web server runs on is: nginx:1.23.0-alpine

My hosting provider, if applicable, is:
I can login to a root shell on my machine

I'm using a control panel to manage my site

The version of my client is certbot/certbot:v1.27.0

Thank you

Using this online tool https://crt.sh/ here is a list of issued certificates for vultuskjkszpj.online, the latest being 2022-12-20.

Using this online tool, Let's Debug is presently showing 3 ERRORs here: https://letsdebug.net/vultuskjkszpj.online/1310927

Best Practice - Keep Port 80 Open

>nslookup vultuskjkszpj.online ns1.digitalocean.com
Server:         ns1.digitalocean.com
Address:        2400:cb00:2049:1::adf5:3a33#53

Name:   vultuskjkszpj.online
Address: 164.92.161.192
Name:   vultuskjkszpj.online
Address: 2a03:b0c0:3:d0::42:f001

Your server did not respond to having its IPv6 Address queried.

>curl -4 http://vultuskjkszpj.online/.well-known/acme-challenge/W9CtUKXlGhZtiT88ZgwTC7fs0-ZT329klwu0dCgiZ5M ; echo
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.23.3</center>
</body>
</html>

>curl -6 http://vultuskjkszpj.online/.well-known/acme-challenge/W9CtUKXlGhZtiT88ZgwTC7fs0-ZT329klwu0dCgiZ5M ; echo
curl: (28) Failed to connect to vultuskjkszpj.online port 80 after 75027 ms: Couldn't connect to server


Please do not use --force-renewal. It does not fix problems and often causes more problems such as you becoming rate limited.

The reason for your error is you are using --webroot which is an HTTP Challenge. But, a wildcard cert requires a DNS Challenge. Review the certbot docs for how to do a DNS Challenge. Also:


Since you are using DigitalOcean for your DNS hosting, you'll want to install the certbot-dns-digitalocean plugin and use that. It is the primary way you can get a wildcard certificate. The webroot plugin isn't supported for wildcard certificates.


I deleted the unnecessary DNS record for IPv6 and re-ran the debug you gave me. After the debug, the error was fixed and the test was OK, but I still get my error.


Thanks for the suggestion, I deleted --force-renewal.
How can I configure my certbot.sh for the HTTP challenge?


Hi @msozkan, the best I can offer is to point to the Certbot documentation: Welcome to the Certbot documentation! — Certbot 2.6.0 documentation
And @_az & @MikeMcQ are far more knowledgeable Let's Encrypt community volunteers than I am; reread their posts to look for subtle clues while waiting for others to assist.


As @_az and @MikeMcQ indicated before, the HTTP challenge is not allowed (by Let's Encrypt's policy) for the issuance of a wildcard certificate. That's the reason that you see this error:

And that's why @_az suggested installing a DigitalOcean DNS plugin for Certbot, which would be able to handle the DNS challenge method (which is required by policy for wildcard certificates).


And, if you don't need a wildcard cert you can use the HTTP Challenge like you had it (removing the --force-renewal). Then just list all the domains with -d explicitly.

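Putting @_az's DNS-plugin suggestion and @MikeMcQ's HTTP-01 alternative together, here is an added example of a certbot.sh that picks the challenge from the names requested (this is not the poster's script or anything from the Certbot project). It assumes the certbot image contains the certbot-dns-digitalocean plugin and that the API token sits in an INI file at $DO_CREDS containing `dns_digitalocean_token = ...`, readable only by the certbot user; the nginx service name, webroot path and $EMAIL come from the thread.

```sh
#!/bin/sh
# Added example (not the poster's script): choose the ACME challenge from the
# requested names. A wildcard name needs DNS-01, so the certbot-dns-digitalocean
# plugin is used; plain names keep the webroot (HTTP-01) flow from the thread.
# Assumed, not from the thread: the token is in an INI file at $DO_CREDS
# (dns_digitalocean_token = ...) that only the certbot user can read.
set -eu

WEBROOT="${WEBROOT:-/vol/www}"
DO_CREDS="${DO_CREDS:-/run/secrets/digitalocean.ini}"

# Print "dns" if any name is a wildcard, otherwise "http".
challenge_for() {
    for name in "$@"; do
        case "$name" in
            \*.*) echo dns; return 0 ;;
        esac
    done
    echo http
}

# Print the authenticator flags plus one -d per name, one argument per line.
certbot_args() {
    if [ "$(challenge_for "$@")" = dns ]; then
        printf '%s\n' --dns-digitalocean \
            --dns-digitalocean-credentials "$DO_CREDS" \
            --dns-digitalocean-propagation-seconds 60
    else
        printf '%s\n' --webroot -w "$WEBROOT"
    fi
    for name in "$@"; do printf '%s\n' -d "$name"; done
}

# Only talk to certbot when names are given: certbot.sh example.com '*.example.com'
if [ $# -gt 0 ]; then
    until nc -z nginx 80; do echo "Waiting for proxy..."; sleep 5; done
    set -f  # stop the shell from glob-expanding the '*' in wildcard names
    certbot certonly $(certbot_args "$@") --email "$EMAIL" \
        --rsa-key-size 4096 --agree-tos --non-interactive
    set +f
    # Auto-renew: certbot only renews certificates close to expiry, so checking
    # twice a day is cheap; the stored renewal config reuses the same plugin.
    trap 'exit 0' TERM
    while :; do
        certbot renew --quiet
        sleep 12h & wait $!
    done
fi
```

Because the renewal loop runs inside the certbot container, nginx still has to pick up the renewed files separately (for example a periodic `nginx -s reload` in its own container).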

And by the CA/Browser Forum Baseline Requirements :wink:


The current Baseline Requirement is CA-Browser-Forum BR 1.8.6, and from that document, searching for "This method is NOT suitable for validating Wildcard Domain Names." one will find these four:

  • 3.2.2.4.8 IP Address
  • 3.2.2.4.18 Agreed-Upon Change to Website v2
  • 3.2.2.4.19 Agreed-Upon Change to Website - ACME
  • 3.2.2.4.20 TLS Using ALPN

Also under 1.2.2 Relevant Dates:
2021-12-01 3.2.2.4 CAs MUST NOT use methods 3.2.2.4.6, 3.2.2.4.18, or 3.2.2.4.19 to issue wildcard certificates or with Authorization Domain Names other than the FQDN.


Went undefined above.

