I want to create a certificate for multiple domains but it doesn't matter what the domains are example:
*.example.com
That's called a wildcard certificate.
You can read more about it here:
FAQ - Let's Encrypt - Free SSL/TLS Certificates
Based on your example,
I think you mean multiple subdomains. In that case, @rg305’s answer will work great. Otherwise, you'll have to take the long way - using Certbot (or whatever ACME client you're using) for each domain.
This is what I need to do, but I'm not sure how. I have certbot installed, but when I type in "*.example.com" it of course comes back with an error, so how can I do this?
Please show the exact command(s) you tried and the exact errors.
root@dietpi:~# sudo certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): *.example.com
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
root@dietpi:~#
Certbot's error message here could probably be a lot more useful, but my intuition is that we didn't change this significantly because we wanted to keep it generic (because different CAs might have different policies about challenge types, or these policies might change over time—which the ACME protocol can express but which a client technically couldn't always anticipate).
@westhecool in this case there is a Let's Encrypt CA policy that wildcard certificates, with the *, can only be obtained using a DNS challenge. That is different from other certificates, and severely limits which Certbot authentication methods can be used for these certificates in particular—since only those that can change DNS records somehow will work (including --manual, which prompts you, the human, to change those records yourself). The --standalone method does not work for this because creating a temporary web server doesn't equate to being able to change DNS records (something that would not be necessary for non-wildcard certificates).
My big question is: given the command that you used (without --preferred-challenges), why were you only offered http-01 challenges? I figured you would at least be offered a manual dns-01 challenge.
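The policy described in this reply (a wildcard name can only be validated with dns-01, so only authenticators that can touch DNS records will satisfy the CA), encoded as a small checker that picks usable Certbot authenticators and builds the matching command line. This is an added example, not code from the thread or from the Certbot project; the mapping of authenticators to challenge types is an assumption that covers only the plugins mentioned in the thread.

```python
"""Work out which ACME challenge types Let's Encrypt accepts for a set of
names and which Certbot authenticators can complete them.
Added example; not part of the thread or of Certbot itself.
Assumed policy, as stated in the thread: wildcard names are dns-01 only,
non-wildcard names may use http-01 or dns-01."""
import shlex

NON_WILDCARD_CHALLENGES = {"http-01", "dns-01"}
WILDCARD_CHALLENGES = {"dns-01"}

# Assumed: challenge types each authenticator from the thread can complete.
# standalone/webroot/apache answer http-01; --manual can also do dns-01
# because it asks the human to create the _acme-challenge TXT record.
AUTHENTICATOR_CHALLENGES = {
    "standalone": {"http-01"},
    "webroot": {"http-01"},
    "apache": {"http-01"},
    "manual": {"http-01", "dns-01"},
}


def is_wildcard(name):
    return name.startswith("*.")


def allowed_challenges(domains):
    """Challenge types that every requested name can be validated with."""
    allowed = set(NON_WILDCARD_CHALLENGES)
    for name in domains:
        allowed &= WILDCARD_CHALLENGES if is_wildcard(name) else NON_WILDCARD_CHALLENGES
    return allowed


def usable_authenticators(domains):
    """Authenticators whose challenge support overlaps what the CA will accept."""
    allowed = allowed_challenges(domains)
    return sorted(a for a, c in AUTHENTICATOR_CHALLENGES.items() if c & allowed)


def certbot_command(domains, authenticator):
    """Build a certbot certonly command, or raise if the combination cannot work."""
    supported = AUTHENTICATOR_CHALLENGES[authenticator] & allowed_challenges(domains)
    if not supported:
        raise ValueError(f"{authenticator} cannot satisfy the CA for {domains}; "
                         f"use one of {usable_authenticators(domains)}")
    argv = ["certbot", "certonly", f"--{authenticator}",
            "--preferred-challenges", ",".join(sorted(supported))]
    for name in domains:
        argv += ["-d", name]
    return shlex.join(argv)
```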
The list of authenticators is based on the installed authenticator plugins (apache, standalone, webroot). To be offered a DNS authenticator, you need to have a DNS plugin installed. Certbot's default install instructions do not (currently) include DNS plugins because there are so many of them, and some of them (like certbot-dns-route53) have dependencies that make them quite large.
Even manual DNS authentication is not available by default? I find this very surprising since:
Manual mode is included in the packages installed under the default instructions, but it is "hidden from the UI" and so doesn't show up in the list above. You have to pass --manual. See User Guide — Certbot 1.11.0.dev0 documentation
Thanks for that. It explains a lot. I typically specify exact behavior for help-seekers via a full host of parameters, so I'm not used to relying on presented selections.