Hello. My website and email are hosted by GoDaddy. I currently have a wildcard SSL certificate installed and in-use for my domains/sub-domains: everlooksolutions.com, www.everlooksolutions.com, and mail.everlooksolutions.com. That certificate will expire soon, and if possible, I’d like to install a new wildcard SSL certificate, via Let’s Encrypt. One issue is that I can SSH into my server, but I don’t have sudo access, so I can’t install certbot. But, via cPanel, I can install my own certificate (if I have the .crt file, or perhaps .crt/private key/cabundle). In light of this, is it possible to generate and install a wildcard SSL certificate on my server? If so, how would I approach that? Would I have to use certbot in manual mode to do so? If so, what would be my general approach? Would I have to install certbot on my home computer (Windows), then use the manual plugin (as per these instructions)?
See below for more info on my server. Thanks in advance.
Yes, that should always work: certonly and --manual + DNS validation to create a wildcard certificate.
OK thanks. So how exactly do I approach this? I've never done it :-/ Are there instructions on exactly how to do this in Windows? Do I need to set up a local web server? If so, I can do so with XAMPP.
Or are you saying I can forego setting up a local web server, and instead use the manual plugin to create a certificate without setting up a web server of my own?
And it looks like I'll need to use a DNS plugin as well, to create a wildcard certificate? Does it matter which DNS plugin I use? Looks like 'no?'
But: You have to do that every 60 - 85 days.
Yep, understood. This is hopefully only a one time task. In ~2 months, I hope to migrate web hosting to a company other than GoDaddy--a company that provides me with free SSL certificates and renewals
You can run certbot and obtain a certificate with DNS validation from your office/home machine. You do not need web access. You will need to update the DNS records for the domain(s), though.
To expand on that slightly, when you use --manual without a DNS plugin, it will tell you exactly what DNS records to create. You can then create those exact DNS records manually in your DNS administration interface, and then tell Certbot to continue.
@schoen OK thanks for that. So are you saying that I can still create a wildcard cert, without needing a DNS plugin? Or are you saying I would create three separate non-wildcard certs?
You can create it without a DNS plugin, but not in an automated way, only in a manual way. The purpose of the DNS plugin is to help automate the process by allowing the software to create the DNS records, instead of asking you, the human, to create them.
For the wildcard, instead of entering everlooksolutions.com at that prompt, you should enter
everlooksolutions.com *.everlooksolutions.com
Your certificate for the base domain isn’t a wildcard, and you weren’t prompted to create a TXT record because the TXT record method is only mandatory for wildcard certificates.
If you enter everlooksolutions.com *.everlooksolutions.com instead, you’ll be prompted to create the TXT record.
One thing that sometimes isn’t obvious to people is that Certbot makes (at most) one new certificate each time you run it. So if you want a single certificate with several domains or several subdomains (which is perfectly permissible technically and policy-wise), you’ll have to specify them all to Certbot at the same time. If you run Certbot three different times, you’ll get three separate certificates (or fewer if some of the requests don’t complete successfully).
OK I'm back, sorry for the delay. Here's an update. I ran through certbot certonly --manual again. This time I specified my domain as everlooksolutions.com *.everlooksolutions.com. It then asked me to create a TXT record, and I did so (screenshot). But when I continued, certbot indicated it could not find that record (screenshot). Thoughts on how to troubleshoot that?
Do I need to wait X minutes (hours?) after adding the DNS TXT record, before certbot can see it?
Hi @JuergenAuer. Thanks so much for the help so far--I appreciate it.
And there is only one entry; two are required.
Sorry, just to be clear, is this to say that I need to create two separate TXT DNS entries? If so, will each entry have identical 'domainname' and 'TXT entry?'
@orangepizza OK. So you’re saying I run certbot once, and when it asks:
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel):
I should enter only everlooksolutions.com. This will generate one TXT record that I add to my DNS. After I do that, I need to run certbot a second time, and when it asks
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel):
I then enter only *.everlooksolutions.com, and this will generate a second TXT record that I add to my DNS. Am I understanding that correctly?
Sorry for being detailed, but earlier in this thread I was specifically told otherwise, i.e. that when certbot asks
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel):
I should enter: everlooksolutions.com *.everlooksolutions.com
When you do this, you will get two different TXT records that should both be present in your DNS zone. They will have the same name (_acme-challenge) but different values. DNS zones are able to do this; just as you can have multiple A records with the same name (for DNS round-robin load balancing, for example), you can have multiple TXT records with the same name.
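An added example, not certbot's code or anything posted in this thread, that ties together the two points made above: one certbot run such as `certbot certonly --manual --preferred-challenges dns -d everlooksolutions.com -d '*.everlooksolutions.com'` produces one authorization per name, and the base name and the wildcard are both validated at `_acme-challenge.everlooksolutions.com`, so that one owner name must carry two TXT values. The script derives the TXT values the way RFC 8555 section 8.4 specifies (certbot prints the finished values for you; you never compute them by hand), then checks constructed `dig +short TXT` output for all of them, which is the step to do before pressing Enter in certbot. The account key (the RFC 7515 example EC key), the two tokens, and the dig output are constructed placeholders; the record name, the value format, and the "same name, two values" rule are real.

```python
"""Expected DNS-01 TXT values for base + wildcard, and a pre-Enter check.
Added example; not certbot's own code. Key, tokens and dig output are constructed."""
import base64
import hashlib
import json
import re
from typing import Dict, Iterable, List, Set


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere (RFC 8555 / RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the canonical
    JSON of the required public members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 s8.4: TXT value = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(identifier: str) -> str:
    """*.example.com is validated at the same owner name as example.com."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{host}."


def expected_txt_records(tokens: Dict[str, str], thumbprint: str) -> Dict[str, Set[str]]:
    """One authorization, hence one token and one TXT value, per identifier.
    Base domain and wildcard share an owner name, so it gets two values."""
    expected: Dict[str, Set[str]] = {}
    for identifier, token in tokens.items():
        expected.setdefault(challenge_name(identifier), set()).add(dns01_txt_value(token, thumbprint))
    return expected


def parse_dig_short(output: str) -> List[str]:
    """Parse `dig +short TXT <name>` output: one record per line, each a
    sequence of quoted character-strings which are concatenated."""
    values = []
    for line in output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            values.append("".join(chunks))
    return values


def missing_txt_values(expected: Dict[str, Set[str]], observed: Dict[str, Iterable[str]]) -> Dict[str, Set[str]]:
    """Values certbot's next step would fail on. Empty dict == safe to press Enter."""
    missing: Dict[str, Set[str]] = {}
    for name, values in expected.items():
        gap = values - set(observed.get(name, ()))
        if gap:
            missing[name] = gap
    return missing


# Constructed sample data: RFC 7515 Appendix A.3 example EC key standing in for
# the real account key (kept under certbot's accounts directory), and two tokens
# shaped like the random base64url tokens the CA issues per authorization.
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
TOKENS = {
    "everlooksolutions.com": "tokenForBaseName_constructed_0000000000",
    "*.everlooksolutions.com": "tokenForWildcard_constructed_000000000",
}


def demo() -> Dict[str, Set[str]]:
    """Show the two expected values, then the check with only one record present."""
    thumb = jwk_thumbprint(ACCOUNT_JWK)
    expected = expected_txt_records(TOKENS, thumb)
    name = challenge_name("everlooksolutions.com")
    for value in sorted(expected[name]):
        print(f"{name} IN TXT \"{value}\"")
    # Constructed dig output showing the situation in the thread: one entry, two required.
    first_only = '"' + sorted(expected[name])[0] + '"\n'
    return missing_txt_values(expected, {name: parse_dig_short(first_only)})


if __name__ == "__main__":
    print("still missing:", demo())
```

When checking for real, run `dig +short TXT _acme-challenge.everlooksolutions.com @<authoritative nameserver>` against one of the zone's own nameservers rather than your home resolver: Let's Encrypt resolves the name itself, so what matters is what the authoritative servers answer, and a resolver that cached the old (empty) answer a minute earlier is a common reason certbot reports a record it cannot find right after you added it.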
@schoen Man, I'm pretty confused now :-/ I thought the goal was to run certbot one time to generate a single wildcard certificate. To do this, when certbot asks
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel):
I am to enter: everlooksolutions.com *.everlooksolutions.com Then, to apply this wildcard SSL cert to my site, certbot will provide one single TXT record, which I manually add to my DNS. This will then ensure my site has a single wildcard SSL certificate applied. Am I correct in that understanding, or am I misunderstanding something there?
It seems like I was told to do that early in this thread. But later the instructions changed, so that I was to run certbot twice: once specifying everlooksolutions.com as my domain and the second specifying *.everlooksolutions.com as my domain. I'm confused as to if I should run certbot once or twice :-/