How to issue ACMEv2 Wildcard with Certbot 0.22.0?

Please, man, don't keep your happiness only to yourself. Share with the rest of the world what you did, better if in detail.

Here I’ve described what I’ve done.

OK, I tried the following command from another issue and it succeeded.
./certbot-auto certonly --agree-tos --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory -d "*.<your host>"
Any questions about that, reply to me. I will solve them as best I can.

6 Likes

Hi Uzpeng.

This command works perfectly for me. I’m using Ubuntu 17.10 virtual machine running in Virtual Box.

Thanks a lot!

You are welcome, this is my first time commenting, it is my pleasure to help you.

1 Like


Will this work using Apache, or must it be manual? Also, can I re-issue an existing cert (i.e. --cert-name)?

You have to use a DNS-based authenticator (which can be -a manual, with or without a script to automate the DNS changes). You can still use the Apache installer, with -i apache. On the other hand, --apache tries to use both the Apache authenticator and installer, but the authenticator doesn't have a way to satisfy DNS challenges, so it can't obtain wildcard certificates.

It should be possible to use an existing --cert-name, but I'm not sure that all scenarios for that have been well-tested yet; if you run into problems with this, please let us know and we can try to sort it out. (Edit: I can think of a reason that it might fail, so I'll be very interested to hear about anyone's experience when trying this.)

Schoen,

Thanks for getting back to me.

I have a few questions.

  • Why isn't the Apache authenticator updated to handle DNS-01 challenges dynamically? It would seem it shouldn't be harder to enable it to do so than with -a manual.

  • Any idea if there will be a 1and1 DNS plug-in to enable automatic DNS TXT field updates to handle the challenge, so certs can be renewed?

  • It still isn't clear to me, even with the info below, exactly what I need to do to use certbot to issue a wildcard cert and update the Apache conf file. At the moment, I have an Include directive that points to the letsencrypt options-ssl-apache.conf file and SSLCertificateFile and SSLCertificateKeyFile directives as well, and simply run "certbot certonly --cert-name" when I need to add subdomains. Do I now just run certbot -a manual, issue a wildcard cert, and leave the Apache config file alone?

  • When wildcard certs are renewed, is a DNS challenge required as well?

Thanks in advance for any help or pointers to more detailed docs that actually answer these questions directly.

-Avi

1 Like

The DNS-01 challenges need DNS records to be updated. There's nothing you can do to an Apache instance that will have that effect. Most often, it requires a DNS zone update to happen on another server!

By contrast, -a manual doesn't know how to make any kind of updates. It simply tells the human user to make those updates, or runs a script that the user has provided that's claimed to have the effect of performing them.

Not offhand—do you know anything about what API they offer?

I'm still learning about this myself, as I was just mentioning in another thread. There's one case where you want a wildcard certificate to cover a specific virtual host by name (e.g. cover "mail.example.com" with a certificate for "*.example.com") and another case where you want a virtual host to cover all subdomains. I don't know what the Certbot Apache installer's behavior is in these two cases, but I'll try to learn that soon.

Yep!

Thanks for getting back to me.

The DNS-01 challenges need DNS records to be updated. There’s nothing you can do to an Apache instance that will have that effect. Most often, it requires a DNS zone update to happen on another server!

Sorry, I spoke very imprecisely. I had meant be able to specify a plugin/script to do DNS update while still using Apache authenticator "wrapped around" external DNS update; essentially update apache "as needed", but also do the external update to DNS as needed.

It feels like there are several pieces that must be put together to get wildcards to work properly, and given I have never used "manual", I have a nagging suspicion that there are some Apache things that will need to be done after manual cert issuance that will be neglected. In other words, I would really love to see certbot documentation cover a "full walkthrough" to issue wildcard and update Apache, if that makes sense.

I guess my meta-level question is why is DNS-01 required for wildcard support, when it isn't required on a per-domain level? Shouldn't the DNS host return some aspect of the zone itself that should offset requiring a separate TXT string?

There’s one case where you want a wildcard certificate to cover a specific virtual host by name (e.g. cover “mail.example.com” with a certificate for “*.example.com”) and another case where you want a virtual host to cover all subdomains. I don’t know what the Certbot Apache installer’s behavior is in these two cases, but I’ll try to learn that soon.

Yes, we would be needing to use the very same. It sounds like there are still some corner cases of wildcarding that need to be worked out. Do let us know what you find out, and of course, if someone gets a chance, update the docs with any insights.

Thanks?

Hi Seth,

Was very interested in this thread as exactly what we are trying to implement. Have installed CertBot on another server last year and installed ok.

If you want to obtain a wildcard certificate using Let's Encrypt's new ACMEv2 server, you'll also need to use one of Certbot's DNS plugins.

Looking at using the new wildcard option as discussed in this thread; however, there appear to be a couple of roadblocks for us...
My question is, do you have to explicitly use one of the listed DNS servers

  1. to be able to get a wildcard cert?
  2. Get auto renew to work?

May be stating the obvious here...
We are not connected with any of these and it would be major task to change our current provider to any one of these for this.

Thanks in advance.

This command worked perfectly. I just wanted to know if the renewal of wildcard certificate will use the same TXT record and if we can automate it using the script.

Thanks a lot…

You can get a wildcard cert using any DNS service, as long as it allows you to create TXT records and doesn't have other problems like CAA incompatibility. For automatic renewal though, you need to use a service with an API that's supported by the ACME client you're using, so for automatic renewal with Certbot you need a DNS service supported by Certbot (or else one that you're personally able to write hook scripts for).

1 Like

According to Seth from letsencrypt, the TXT string will need to be changed each time certbot needs to renew, which is why having a plugin for your domain host provider is a good thing to have, so that the TXT field update can be automated as well.

That is why I was asking the question. We have installed Let's Encrypt manually and know the TXT record changes for each install/renew. Works great as a one-off. It is the renewals that we would want automated.
Wanting to understand so that I know how to implement the right process to approach a solution.

Thanks

You would need to have a DNS hosting service that either (1) is supported by the letsencrypt DNS plugins or (2) has an API that allows you to change TXT records programmatically. Not many consumer-level services do.

Assuming you find a service that does, you would need to use the script hooks that take the parameters from certbot, set the TXT record, then let certbot finish the DNS challenge.

Would mean we would need to use one of the listed DNS management systems. Will need to consider this as not as simple as moving.

Thanks for reply

If you are using tinydns running on the same server as Apache, the following works well for me. This assumes you already have a virtual host configured for your domain. This is on CentOS 7.

I have logged into my server, via ssh, as myloginusername, then su root. (Of course, for security, ssh is configured to not allow ssh connection as root.)

On command line

certbot certonly -d example.com -d "*.example.com"

In /etc/letsencrypt/cli.ini

# Same as the --manual flag: the DNS challenge is satisfied by the hook scripts below.
authenticator = manual
server = https://acme-v02.api.letsencrypt.org/directory
rsa-key-size = 4096
preferred-challenges = dns
manual-auth-hook = /path/to/certbot-dns-auth.sh
manual-cleanup-hook = /path/to/certbot-dns-auth-cleanup.sh

In certbot-dns-auth.sh

#!/bin/bash
set -e
# Certbot exports CERTBOT_DOMAIN (for a wildcard order the leading "*." is already
# stripped) and CERTBOT_VALIDATION to this hook.
cd /etc/tinydns/root
cp -f data data-good   # keep a copy of the last known-good zone data
# tinydns data format for a TXT record: 'fqdn:value:ttl
echo "'_acme-challenge.$CERTBOT_DOMAIN:$CERTBOT_VALIDATION:120" >> data
./update.sh
# Sleep to make sure the change has time to propagate over to DNS
sleep 25

In certbot-dns-auth-cleanup.sh

#!/bin/bash
set -e
cd /etc/tinydns/root
# Remove exactly the record this validation added rather than the last line of the
# file, so an order with several names (example.com and *.example.com) cleans up correctly.
grep -vF "'_acme-challenge.$CERTBOT_DOMAIN:$CERTBOT_VALIDATION:120" data > tmp && mv -f tmp data
./update.sh

Note: I have tinydns running on a second server. The file update.sh in /etc/tinydns/root is a bash script that runs “make” to update the data.cdb file, and uses rsync to copy data and data.cdb to the other server. How to do that is another topic. (If requested, I can upload detailed instructions on how to set it up.) If you are only concerned with the one instance of tinydns, replace “./update.sh” with “make”

However, for interest’s sake, here is the content of update.sh

#!/bin/sh
set -e
cd /etc/tinydns/root
# Rebuild data.cdb from data, then push both files to the second tinydns server.
make
rsync -avz -e "ssh -i /home/fredmc/rsync_key/ws1-rsync-key" /etc/tinydns/root/data.cdb myloginname@ws2:/etc/tinydns/root
rsync -avz -e "ssh -i /home/fredmc/rsync_key/ws1-rsync-key" /etc/tinydns/root/data myloginname@ws2:/etc/tinydns/root

I have the IP address of ws2 in /etc/hosts

I tried using -i apache to have the Apache plugin install the certificates, but it didn’t do anything that I can find.

I had to manually update my Apache virtual host entries. I keep a separate file for each virtual host. This is what it looks like after my update:

<VirtualHost *:80>
	ServerAdmin webmaster@example.com
	DocumentRoot /path/to/http/www
	ServerName example.com
	ServerAlias *.example.com

	# To automatically redirect to HTTPS
	RewriteEngine on
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
	<VirtualHost *:443>
		ServerAdmin webmaster@example.com
		DocumentRoot /path/to/http/www
		ServerName example.com
		ServerAlias *.example.com

		Include /etc/letsencrypt/options-ssl-apache.conf
		SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
		SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
		SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
	</VirtualHost>
</IfModule>

You probably have other lines in these entries.
This is for Apache < 2.4.8.
For Apache >= 2.4.8 change the lines starting with SSLCertificate… to

		SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
		SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem

Do not include SSLCertificateChainFile.

The files update.sh, certbot-dns-auth.sh, and certbot-dns-auth-cleanup.sh must be executable.

I hope this helps someone.
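The hook above relies on a fixed sleep and appends the validation token unescaped. As an added example (not the original poster's script or Certbot's own code), here is a manual-auth-hook for tinydns that normalises a wildcard name, escapes the value the way tinydns-data expects, and polls the server until the TXT record is actually served. It assumes the zone lives in $TINYDNS_ROOT, that the tinydns instance to check answers on $TINYDNS_IP, and that dig(1) is installed; all three are assumptions, not from the thread.

```shell
#!/bin/sh
# Added example (not the poster's hook): Certbot manual-auth-hook for tinydns that
# escapes the record correctly and waits until the TXT record is really served.
# Assumed, not from the thread: zone dir $TINYDNS_ROOT, authoritative server at
# $TINYDNS_IP, dig(1) installed.
TINYDNS_ROOT="${TINYDNS_ROOT:-/etc/tinydns/root}"
TINYDNS_IP="${TINYDNS_IP:-127.0.0.1}"
# Certbot hands a wildcard order the bare name ("*.example.com" -> "example.com"),
# but strip a leading "*." anyway so the record always lands at _acme-challenge.<zone>.
challenge_name() {
    printf '_acme-challenge.%s' "${1#\*.}"
}
# A tinydns-data TXT line is 'fqdn:value:ttl, so a ':' (or any byte outside
# [A-Za-z0-9._-]) in the value must be written as a \ooo octal escape.
escape_tinydns() {
    s=$1; out=
    while [ -n "$s" ]; do
        rest=${s#?}; c=${s%"$rest"}; s=$rest
        case $c in
            [A-Za-z0-9._-]) out="$out$c" ;;
            *) out="$out$(printf '\\%03o' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}
tinydns_record() {   # args: domain validation [ttl]
    printf "'%s:%s:%s\n" "$(challenge_name "$1")" "$(escape_tinydns "$2")" "${3:-120}"
}
# Query the authoritative server directly (no resolver cache) until the value is
# served; give up after about 60 s so a failed publish fails the challenge loudly.
wait_for_txt() {
    tries=0
    until dig @"$TINYDNS_IP" +short TXT "$1" | grep -qF "\"$2\""; do
        tries=$((tries + 1))
        [ "$tries" -ge 30 ] && { echo "TXT $1 not served after 60 s" >&2; return 1; }
        sleep 2
    done
}
# Hook entry point: runs only when Certbot has set its variables, so the file can
# also be sourced to reuse the functions (for example from the cleanup hook).
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    cd "$TINYDNS_ROOT" || exit 1
    cp -f data data-good
    tinydns_record "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" 120 >> data
    ./update.sh || exit 1
    wait_for_txt "$(challenge_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
fi
```

If the zone is pushed to a second server as in the post above, point $TINYDNS_IP at that server so the poll checks the copy the CA will actually query.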

What?

That is backdoor marketing for the DNS providers they support. And since LE is effectively the only free certificate (was DNS before edit, mental Freudian slip) provider...
ugly and infuriating.
So essentially you're forced to use expensive DNS providers.
Might as well pay for a proper cert then.
Seriously, why would you do that?

Why isn't one TXT record enough to verify the validity of your claim?
And I mean why do you need to change the content of this TXT record every time you renew?
I just KNEW it was too good to be true. Free certs. Yeah. Pipe dream.