How to issue ACMEv2 Wildcard with Certbot 0.22.0?


#1

Hi,
How did you issue a wildcard cert? I tried ./certbot-auto, the version is 0.22.0, but it failed to issue a wildcard cert. Which tool did you use?

Thanks.


ACME v2 and Wildcard Certificate Support is Live
#2

I used the acme.sh client and it worked like a charm :wink:


#3

Thanks, will have a try!


#4

A post was split to a new topic: ACME v2 missing JWS header with acme.sh


#5

For the certbot-auto, it needs to use --server, for example (quote the wildcard so the shell does not expand it as a glob):
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d '*.ymeng.net' --manual --preferred-challenges dns-01 certonly


#6

2 posts were split to a new topic: Certbot 0.21.x and ACMEv2


#7

Please, man, don't keep your happiness to yourself. Share with the rest of the world what you did, preferably in detail.


#8

Here I’ve described what I’ve done.


#9

OK, I tried the following command from another issue and it succeeded.
./certbot-auto certonly --agree-tos --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory -d "*.<your host>"
:grinning:
Any questions about that, reply to me; I will solve them as best I can.


#10

Hi Uzpeng.

This command works perfectly for me. I’m using Ubuntu 17.10 virtual machine running in Virtual Box.

Thanks a lot!


#11

:grinning: You are welcome, this is my first time commenting, it is my pleasure to help you.


#12

A post was split to a new topic: ACMEv2 and Certificate Websites


#13

Will this work using Apache, or must it be manual? Also, can I re-issue an existing cert (i.e. --cert-name)?


#14

You have to use a DNS-based authenticator (which can be -a manual, with or without a script to automate the DNS changes). You can still use the Apache installer, with -i apache. On the other hand, --apache tries to use both the Apache authenticator and installer, but the authenticator doesn’t have a way to satisfy DNS challenges, so it can’t obtain wildcard certificates.

It should be possible to use an existing --cert-name, but I’m not sure that all scenarios for that have been well-tested yet; if you run into problems with this, please let us know and we can try to sort it out. (Edit: I can think of a reason that it might fail, so I’ll be very interested to hear about anyone’s experience when trying this.)


#15

Schoen;

Thanks for getting back to me.

I have a few questions.

  • Why isn't the Apache authenticator updated to handle dns-01 challenges dynamically? It would seem it shouldn't be harder to enable it to do so than with -a manual.

  • Any idea if there will be a 1and1 DNS plug-in to enable automatic DNS TXT field updates to handle the challenge, so certs can be renewed?

  • It still isn't clear to me, even with the info below, exactly what I need to do to use certbot to issue a wildcard cert and update the Apache conf file. At the moment, I have an include directive that points to the letsencrypt options-ssl-apache.conf file and SSLCertificateFile and SSLCertificateKeyFile directives as well, and simply run "certbot certonly --cert-name" when I need to add subdomains. Do I now just run certbot -a manual, issue a wildcard cert, and leave the Apache config file alone?

  • when wildcard certs are renewed, is a DNS challenge required as well?

Thanks in advance for any help or pointers to more details docs that actually answer these questions directly.

-Avi


#16

The DNS-01 challenges need DNS records to be updated. There’s nothing you can do to an Apache instance that will have that effect. Most often, it requires a DNS zone update to happen on another server!

By contrast, -a manual doesn’t know how to make any kind of updates. It simply tells the human user to make those updates, or runs a script that the user has provided that’s claimed to have the effect of performing them.

Not offhand—do you know anything about what API they offer?

I’m still learning about this myself, as I was just mentioning in another thread. There’s one case where you want a wildcard certificate to cover a specific virtual host by name (e.g. cover “mail.example.com” with a certificate for “*.example.com”) and another case where you want a virtual host to cover all subdomains. I don’t know what the Certbot Apache installer’s behavior is in these two cases, but I’ll try to learn that soon.

Yep!


#17

Thanks for getting back to me.

The DNS-01 challenges need DNS records to be updated. There’s nothing you can do to an Apache instance that will have that effect. Most often, it requires a DNS zone update to happen on another server!

Sorry, I spoke very imprecisely. I had meant being able to specify a plugin/script to do the DNS update while still using the Apache authenticator "wrapped around" the external DNS update; essentially update Apache "as needed", but also do the external update to DNS as needed.

It feels like there are several pieces that must be put together to get wildcards to work properly, and given I have never used “manual”, I have a nagging suspicion that there are some Apache things that will need to be done after manual cert issuance that will be neglected. In other words, I would really love to see certbot documentation cover a “full walkthrough” to issue wildcard and update Apache, if that makes sense.

I guess my meta-level question is why DNS-01 is required for wildcard support, when it isn't required on a per-domain level? Shouldn't the DNS host return some aspect of the zone itself that should offset requiring a separate TXT string?

There’s one case where you want a wildcard certificate to cover a specific virtual host by name (e.g. cover “mail.example.com” with a certificate for “*.example.com”) and another case where you want a virtual host to cover all subdomains. I don’t know what the Certbot Apache installer’s behavior is in these two cases, but I’ll try to learn that soon.

Yes, we would be needing to use the very same. It sounds like there are still some corner cases of wildcarding that need to be worked out. Do let us know what you find out, and of course, if someone gets a chance, update the docs with any insights.

Thanks?


#18

Hi Seth,

Was very interested in this thread as it is exactly what we are trying to implement. I installed Certbot on another server last year and it installed OK.

"If you want to obtain a wildcard certificate using Let's Encrypt's new ACMEv2 server, you'll also need to use one of Certbot's DNS plugins."

Looking at using the new wildcard option as discussed in this thread, however there appear to be a couple of roadblocks for us...
My question is: do you have to explicitly use one of the listed DNS servers

  1. to be able to get a wildcard cert?
  2. Get auto renew to work?

May be stating the obvious here…
We are not connected with any of these and it would be major task to change our current provider to any one of these for this.

Thanks in advance.


#19

This command worked perfectly. I just wanted to know if the renewal of wildcard certificate will use the same TXT record and if we can automate it using the script.

Thanks a lot…


#20

You can get a wildcard cert using any DNS service, as long as it allows you to create TXT records and doesn’t have other problems like CAA incompatibility. For automatic renewal though, you need to use a service with an API that’s supported by the ACME client you’re using, so for automatic renewal with Certbot you need a DNS service supported by Certbot (or else one that you’re personally able to write hook scripts for).
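The following script is an added example and is not code from this thread or from the Certbot project. It pulls together the pieces discussed in posts #5, #9, #14, #19 and #20: the TXT record name the CA will query for a dns-01 challenge, a --manual-auth-hook / --manual-cleanup-hook pair so that renewal needs no human, and the certbot invocation that uses them. The environment variables CERTBOT_DOMAIN and CERTBOT_VALIDATION are the ones Certbot really exports to manual hooks; everything else (the RFC 2136 nsupdate target ns1.example.net, the TSIG key path, the example.com names) is a placeholder you would replace with your own provider's mechanism, whether that is nsupdate, a provider API call or a Certbot DNS plugin.

```shell
#!/bin/sh
# Added example: manual dns-01 wildcard issuance with hook-driven DNS updates.
# Assumes (hypothetical) an RFC 2136 capable primary DNS server reachable as
# $DNS_SERVER, authenticated with the TSIG key file $TSIG_KEY.

ACME_V2_DIR="https://acme-v02.api.letsencrypt.org/directory"
DNS_SERVER="${DNS_SERVER:-ns1.example.net}"          # placeholder
TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/tsig.key}"    # placeholder

# dns-01 record name. "*.example.com" and "example.com" validate at the SAME
# name, _acme-challenge.example.com: the "*." is dropped. Certbot already hands
# the hook the bare name for a wildcard, but stripping is cheap insurance.
acme_txt_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Build the nsupdate batch that adds or deletes one TXT value. "update add"
# appends to the RRset, so when certbot asks for two values at the same name
# (apex + wildcard in one order) both records coexist instead of clobbering.
nsupdate_batch() {
    action="$1"; domain="$2"; value="$3"
    name=$(acme_txt_name "$domain")
    printf 'server %s\n' "$DNS_SERVER"
    if [ "$action" = add ]; then
        printf 'update add %s 60 IN TXT "%s"\n' "$name" "$value"
    else
        printf 'update delete %s IN TXT "%s"\n' "$name" "$value"
    fi
    printf 'send\n'
}

# Let's Encrypt asks the zone's authoritative servers, so poll one of those
# (not a recursive resolver) until the value is visible. 0 = seen, 1 = gave up.
wait_for_txt() {
    name="$1"; value="$2"; max_tries="${3:-30}"
    i=0
    while [ "$i" -lt "$max_tries" ]; do
        if dig +short "@$DNS_SERVER" TXT "$name" | grep -Fq "\"$value\""; then
            return 0
        fi
        i=$((i + 1)); sleep 5
    done
    return 1
}

# Hook entry points. Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION
# before running --manual-auth-hook and --manual-cleanup-hook.
auth_hook() {
    nsupdate_batch add "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY"
    wait_for_txt "$(acme_txt_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
}
cleanup_hook() {
    nsupdate_batch delete "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY"
}

case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
    issue)
        # Absolute path: certbot records the hook command in the renewal
        # config, and "certbot renew" from cron will not share our cwd.
        self="$(cd "$(dirname "$0")" && pwd)/$(basename "$0")"
        # The wildcard does not cover the apex, so request both names.
        certbot certonly --server "$ACME_V2_DIR" --agree-tos \
            --manual --preferred-challenges dns-01 \
            --manual-auth-hook "$self auth" --manual-cleanup-hook "$self cleanup" \
            -d 'example.com' -d '*.example.com' ;;
esac
```

Run it as ./wildcard.sh issue; each later certbot renew re-runs the same hooks, which answers the question in #19: renewal repeats the dns-01 challenge with a fresh CERTBOT_VALIDATION value, so the old TXT record cannot be reused and must be republished by the hook. On 0.22-era certbot you also need --manual-public-ip-logging-ok on the issue command to suppress the interactive acknowledgement prompt. If your provider has no scriptable update path at all, the --manual flow from #5 and #9 still works for the first issuance, but you will be pasting TXT records by hand again at every renewal, which is the limitation #20 describes.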