How to generate a wildcard cert with Let's Encrypt, if I don't have sudo access on my server?

Hello. My website and email are hosted by GoDaddy. I currently have a wildcard SSL certificate installed and in-use for my domains/sub-domains: everlooksolutions.com, www.everlooksolutions.com, and mail.everlooksolutions.com. That certificate will expire soon, and if possible, I’d like to install a new wildcard SSL certificate, via Let’s Encrypt. One issue is that I can SSH into my server, but I don’t have sudo access, so I can’t install certbot. But, via cPanel, I can install my own certificate (if I have the .crt file, or perhaps .crt/private key/cabundle). In light of this, is it possible to generate and install a wildcard SSL certificate on my server? If so, how would I approach that? Would I have to use certbot in manual mode to do so? If so, what would be my general approach? Would I have to install certbot on my home computer (Windows), then use the manual plugin (as per these instructions)?

See below for more info on my server. Thanks in advance.


My domain is: everlooksolutions.com (subdomains: www.everlooksolutions.com, and mail.everlooksolutions.com)

My web server is (include version): Apache v2.4.43

The operating system my web server runs on is (include version): Linux (unsure on flavor/version)

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don’t know): I can SSH into my server, but don’t have sudo access.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel 78.0 (build 49)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): N/A

1 Like

Hi @cagross

yes, that should always work.

certonly and --manual + dns validation to create a wildcard certificate.

Then you have the files and you should be able to upload these to your server.

But: You have to do that every 60 - 85 days.

1 Like

yes, that should always work.
certonly and --manual + dns validation to create a wildcard certificate.

OK thanks. So how exactly do I approach this? I've never done it :-/ Are there instructions on exactly how to do this in Windows? Do I need to setup a local web server? If so, I can do so with XAMPP.

Or are you saying I can forego setting up a local web server, and instead use the manual plugin to create a certificate without setting up a web server of my own?

And it looks like I'll need to use a DNS plugin as well, to create a wildcard certificate? Does it matter which DNS plugin I use? Looks like 'no?'

But: You have to do that every 60 - 85 days.

Yep, understood. This is hopefully only a one time task. In ~2 months, I hope to migrate web hosting to a company other than GoDaddy--a company that provides me with free SSL certificates and renewals :)

1 Like

You can run certbot and obtain a certificate with DNS validation from your office/home machine. You do not need web access. You will need to update the DNS records for the domain(s) though.

2 Likes

To expand on that slightly, when you use --manual without a DNS plugin, it will tell you exactly what DNS records to create. You can then create those exact DNS records manually in your DNS administration interface, and then tell Certbot to continue.

2 Likes

@schoen OK thanks for that. So are you saying that I can still create a wildcard cert, without needing a DNS plugin? Or are you saying I would create three separate non-wildcard certs?

1 Like

You can create it without a DNS plugin, but not in an automated way, only in a manual way. The purpose of the DNS plugin is to help automate the process by allowing the software to create the DNS records, instead of asking you, the human, to create them.

2 Likes

OK got it. So at what point during the process will I be asked to create DNS records? I ran certbot certonly --manual, and at one point it asked me:

Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel):

I entered my domain: everlooksolutions.com And in the end, it successfully created a certificate, with the files stored on my local computer. But if I add this cert to my GoDaddy hosting, will it apply to my domain and sub-domains, i.e. everlooksolutions.com, www.everlooksolutions.com, and mail.everlooksolutions.com? Or only everlooksolutions.com?

Or, when certbot asked for my domain name(s), should I have entered all three?

1 Like

That certificate is only valid for everlooksolutions.com exactly. LE will ask for a TXT record for each name,
so the answer to your last question is yes.

2 Likes

For the wildcard, instead of entering everlooksolutions.com at that prompt, you should enter

everlooksolutions.com *.everlooksolutions.com

Your certificate for the base domain isn’t a wildcard, and you weren’t prompted to create a TXT record because the TXT record method is only mandatory for wildcard certificates.

If you enter everlooksolutions.com *.everlooksolutions.com instead, you’ll be prompted to create the TXT record.

2 Likes

One thing that sometimes isn’t obvious to people is that Certbot makes (at most) one new certificate each time you run it. So if you want a single certificate with several domains or several subdomains (which is perfectly permissible technically and policy-wise), you’ll have to specify them all to Certbot at the same time. If you run Certbot three different times, you’ll get three separate certificates (or fewer if some of the requests don’t complete successfully).

2 Likes

OK I’m back–sorry for the delay. Here’s an update. I ran through certbot certonly --manual again. This time I specified my domain as everlooksolutions.com *.everlooksolutions.com. It then asked me to create a TXT record, and I did so (screenshot). But when I continued, certbot indicated it could not find that record (screenshot). Thoughts on how to troubleshoot that?

Do I need to wait X minutes (hours?) after adding the DNS TXT record, before certbot can see it?

You have created the wrong entry. And there is only one entry, two are required - see https://check-your-website.server-daten.de/?q=everlooksolutions.com#txt

Your menu adds the domain name, so the domain name is duplicated. Create entries only with _acme-challenge.

And your command has two domain names, so two entries with the same domain name, but different values are required.

Should look like

with two entries (not only one) and two "looks good".

1 Like

Hi @JuergenAuer. Thanks so much for the help so far--I appreciate it.

And there is only one entry, two are required

Sorry, just to be clear, is this to say that I need to create two separate TXT DNS entries? If so, will each entry have identical 'domainname' and 'TXT entry?'

No, you will get two TXT records to put in the base domain (example.com): one for *.example.com, and the other for example.com.

1 Like

@orangepizza OK. So you’re saying I run certbot once, and when it asks:

Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel):

I should enter only everlooksolutions.com. This will generate one TXT record that I add to my DNS. After I do that, I need to run certbot a second time, and when it asks

Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel):

I then enter only *.everlooksolutions.com, and this will generate a second TXT record that I add to my DNS. Am I understanding that correctly?

Sorry for being detailed, but earlier in this thread I was specifically told otherwise, i.e. that when certbot asks

Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel):

I should enter: everlooksolutions.com *.everlooksolutions.com

Thanks.

1 Like

yes, domain name(S)

2 Likes

That will give you one cert with both names on it.

2 Likes

When you do this, you will get two different TXT records that should both be present in your DNS zone. They will have the same name (_acme-challenge) but different values. DNS zones are able to do this; just as you can have multiple A records with the same name (for DNS round-robin load balancing, for example), you can have multiple TXT records with the same name.

2 Likes
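A pre-flight check for the two points made above (the DNS panel appending the zone name a second time, and the need for two `_acme-challenge` TXT records with the same name but different values). This is an added example, not Certbot's code or anything posted by the thread's participants; the zone, the challenge tokens and the "observed" records are constructed for illustration.

```python
"""Pre-flight check for the manual DNS-01 wildcard flow discussed above.

Certbot prints one challenge value per name it validates, so a request for
"everlooksolutions.com *.everlooksolutions.com" needs two TXT records at the
same name, _acme-challenge.everlooksolutions.com, each holding one value.
Sample tokens and observed records below are constructed, not real.
"""

CHALLENGE_LABEL = "_acme-challenge"


def record_name_for_form(zone: str, form_appends_zone: bool) -> str:
    """Return what to type into the DNS provider's 'name' box.

    Some control panels append the zone to whatever you type, so typing
    '_acme-challenge.example.com' there creates the duplicated name
    '_acme-challenge.example.com.example.com' (the mistake in the thread).
    """
    if form_appends_zone:
        return CHALLENGE_LABEL
    return f"{CHALLENGE_LABEL}.{zone}"


def check_challenge_records(zone, expected_values, observed):
    """Compare the DNS records you can see with what certbot asked for.

    `observed` is a list of (fqdn, txt_value) pairs, e.g. transcribed from
    `nslookup -type=TXT _acme-challenge.<zone>` before telling certbot to
    continue. Returns a list of problems; an empty list means all good.
    """
    wanted = f"{CHALLENGE_LABEL}.{zone}".lower()
    duplicated = f"{wanted}.{zone}"
    problems = []
    # Values actually published under the correct name.
    present = {v for n, v in observed if n.lower().rstrip(".") == wanted}
    if any(n.lower().rstrip(".") == duplicated for n, _ in observed):
        problems.append(f"record created under duplicated name {duplicated}")
    for value in expected_values:
        if value not in present:
            problems.append(f"missing TXT value {value} at {wanted}")
    return problems


if __name__ == "__main__":
    # Constructed tokens standing in for the two values certbot prints.
    tokens = ["token-for-base-name", "token-for-wildcard"]
    seen = [(f"{CHALLENGE_LABEL}.everlooksolutions.com", tokens[0])]
    print(check_challenge_records("everlooksolutions.com", tokens, seen))
```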

@schoen Man, I'm pretty confused now :-/ I thought the goal was to run certbot one time to generate a single wildcard certificate. To do this, when certbot asks

Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel):

I am to enter: everlooksolutions.com *.everlooksolutions.com Then, to apply this wildcard SSL cert to my site, certbot will provide one single TXT record, which I manually add to my DNS. This will then ensure my site has a single wildcard SSL certificate applied. Am I correct in that understanding, or am I misunderstanding something there?

It seems like I was told to do that early in this thread. But later the instructions changed, so that I was to run certbot twice: once specifying everlooksolutions.com as my domain and the second specifying *.everlooksolutions.com as my domain. I'm confused as to if I should run certbot once or twice :-/