I need help with ./certbot-auto --apache


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: xtremeirc.net

I ran this command: ./certbot-auto --apache

It produced this output: root@xtremeirc:~# ./certbot-auto --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to
cancel): landslyde@mail.com


Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory


(A)gree/©ancel: a


Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.


(Y)es/(N)o: n
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter ‘c’ to cancel): xtremeirc.net *.xtremeirc.net
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

My web server is (include version): ./path/to/certbot-auto --apache

The operating system my web server runs on is (include version): Debian 8

My hosting provider, if applicable, is: hostsailor.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi @Slyde

if you want to create a wildcard certificate, you must use dns-01 - validation.

So you have to create two dns txt entries with the same name

_acme-challenge.xtremeirc.net

and different values (one per domain name). So there are two options:

  • You use the --manual - option to create these two txt entries manual

  • Your dns provider supports an API, there is a certbot plugin that supports this api.


#3

@JuergenAuer certbot-auto doesn’t have a supported way to install DNS plugins.


#4

Thanks, this is bad.

Perhaps acme.sh is a better option. There was a Certbot with Debian 8

but now:

Note for existing Debian 8 Certbot users

NOTE : We previously suggested using the operating system-provided packaged version of Certbot on Debian 8 (jessie). Because of important updates in the Certbot code, we are now recommending that Debian 8 users switch to the certbot-auto method, described below.


#5

Yes, I think acme.sh is a more practical suggestion for @Slyde in this context. (Assuming you need a wildcard certificae and your DNS provider has an API.)

The Certbot developers are still working on figuring out a better way to handle DNS plugins, including how to manage their installation in conjunction with certbot-auto. For now, there isn’t a straightforward way to automate wildcard issuance and renewal with certbot-auto unless you can write your own script to handle the DNS updates (called a --manual-auth-hook script).


#6

Is there documentation for a layman on how to do this? Clear, easy-to-follow instructions is what I’m looking for.

Thank you.


#7

You have to go to your dns settings. Then check, if you can create new txt entries.

Perhaps share a screenshot of your menu.


#8

Given the minimal amount of information provided, how can anyone direct you… anywhere?
Your question:

Does not describe any problem nor specific situation that I can see to help you with.

So…
What exactly are you trying to do that you need instructions on?


#9

Aside from the incorrect entry on my web server, which should have been Apache/2.4.10 (Debian), I see no fault in my answers. One way or the other. If more information was needed, I certainly didn’t see where I was asked for it. Perhaps I missed something.

Does not describe any problem nor specific situation that I can see to help you with.

I’m trying to get a wildcard certificate (or certificates). I need one for xtremeirc.net and *.xtremeirc.net.
This is my first time to use letsencrypt, and I’m certainly lost at this point. I would appreciate a response that gives me clear, concise instructions so that I may be able to accomplish this task. If more information is needed from me, please, just ask. No sense in trying to make me look bad just for the sake of doing it. In the first place, I don’t like being here; no one ever likes asking for help. But to be chided when asking for it certainly sends out bad vibes. So, rg305, if you don’t care to help me, please step aside so another may.

Thank you.


#10

Hi @Slyde,

Who is your DNS provider and what options do you have for updating DNS entries for your domain?

Let’s Encrypt has a policy that requires DNS entry authentication for wildcard certificates, unlike non-wildcard certificates. Software configuration for the DNS authentication method can be more difficult than other methods, and depends a lot on the details of your DNS hosting.


#11

@rg305, I agree that @Slyde filled in everything that was requested on the form. Maybe we need another form in case someone is trying to get a wildcard certificate, because we commonly need more information in that case, but I’m not sure how we would do that with this forum software.


#12

Hello schoen,

I have my domain name from one place and use the hosting services of another. I believe the dns server are with the domain name. This would be www.1and1.com. And my server host is www.hostsailor.com.

With 1and1, I have access to the DNS information: i.e. dns1 & dns2. Is that what we’re looking for? Or do I need to contact them and ask for something specific?


#13

That looks good. Share a screenshot or try to create a new txt entry.

PS: There you can create new A entries (your domain name -> your ip number). txt entries are another type.


#14

@JuergenAuer’s suggestion would be good if you’re happy to perform some manual configuration steps every time the certificate needs to be renewed, but it would be nicer if we could automate the certificate renewal. So perhaps you could contact 1and1 and ask whether they provide an API for updating DNS records from software.

The most recent forum thread where I talked to someone about this question seems to be from March of last year and at that time we seemed to think that 1and1 did not have this option, so there wasn’t a super-straightforward way to automate renewal of Let’s Encrypt wildcard certificates while using 1and1’s DNS.


#15

What does this tell you that will help you help me? :slight_smile:


#16

Use “Add record”, there should be the version “TXT”.

Then start certbot with

certbot --manual --preferred-challenges dns -d xtremeirc.net -d *.xtremeirc.net

and create two txt entries with the name

_acme-challenge

#17

In this screen you could complete the tasks that ./certbot-auto certonly --manual -d xtremeirc.net -d '*.xtremeirc.net' --preferred-challenges dns would instruct you to perform (adding two TXT records with specified contents), which should allow it to issue the certificate that you want.

The disadvantage to proceeding this way is that automated renewal won’t be possible. You’ll have to run the same task again (and update the TXT records in your DNS configuration panel) at least every 90 days and ideally more often.


#18

I know I’m sounding bad here, guys, but please tell me what I should put in the Host Name box at the top of this form. I have the value set correctly (I hope). If I’m going to learn how to do this, I really want to make sure I’m doing the right way. But since this will be a closely repeated job, then I’m sure this is my only time to be in here. Thank you both for your patience with me.
Screenshot%20from%202019-01-05%2018-23-55


#19

Hostname: _acme-challenge

Value: The value certbot shows.

This two times.


#20

That is funny.
I didn’t realize that asking question(s) to clarify your need was in any way an obstruction.
I will gladly step aside whilst you get the help you so deserve.