I want to make my SSL certificate a wildcard certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: atzcart.in

I ran this command: certbot --server https://acme-v02.api.letsencrypt.org/directory -d *.atzcart.in --manual --preferred-challenges dns-01 certonly

It produced this output: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Hi @Siddhant

You have already created a wildcard certificate and some other certificates ( https://check-your-website.server-daten.de/?q=atzcart.in#ct-logs ):

| CertSpotter-Id | Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|---|
| 987594734 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-06-26 12:04:42 | 2019-09-24 12:04:42 | atzcart.in - 1 entries | duplicate nr. 4 | |
| 987517347 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-06-26 11:32:29 | 2019-09-24 11:32:29 | atzcart.in - 1 entries | duplicate nr. 3 | |
| 987217405 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-06-26 07:45:50 | 2019-09-24 07:45:50 | atzcart.in - 1 entries | duplicate nr. 2 | |
| 987056154 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-06-26 05:33:58 | 2019-09-24 05:33:58 | *.atzcart.in - 1 entries | duplicate nr. 1 | |
| 987048822 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-06-26 05:27:02 | 2019-09-24 05:27:02 | atzcart.in - 1 entries | duplicate nr. 1 | |

But you use one of the non-wildcard certificates:

CN=atzcart.in, valid from 26.06.2019 to 24.09.2019 (expires in 90 days), atzcart.in - 1 entry

The wildcard certificate doesn't work with the main domain, so you need one certificate with both domain names.

So use

certbot --server https://acme-v02.api.letsencrypt.org/directory -d *.atzcart.in -d atzcart.in --manual certonly

You can remove the preferred-challenges parameter, because a wildcard certificate requires dns-01 validation.

Then you have to create two dns TXT entries with the same name

_acme-challenge.atzcart.in

and different values.


Thank you so much JuergenAuer for replying.
I just used the above command

```
certbot --server https://acme-v02.api.letsencrypt.org/directory -d *.atzcart.in -d atzcart.in --manual certonly
```

but I got a result like this:

```text
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: atzcart.in
   Type:   unauthorized
   Detail: Incorrect TXT record
   "Zwh-X_1AH5fbXIVylTrWSocJfNru0tVyGgF4i2ZKsqk" found at
   _acme-challenge.atzcart.in

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
```

Note: actually I have the sub-domains m.atzcart.in and seller.atzcart.in that I want to secure; that is why I want a wildcard certificate.

That's your old value; the one-hour-old check has the same value ( https://check-your-website.server-daten.de/?q=atzcart.in#txt ):

12. TXT - Entries

| Domainname | TXT Entry | Status | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|
| atzcart.in | | ok | 1 | 0 |
| www.atzcart.in | | | 1 | 0 |
| _acme-challenge.atzcart.in | Zwh-X_1AH5fbXIVylTrWSocJfNru0tVyGgF4i2ZKsqk | looks good | 1 | 0 |

If you use --manual, Certbot should show one or two new values you have to add in your dns setup.

Now what should I do? Please direct me.

Start the same command and read the output. Looks like you have confirmed too quickly. You have to create a new DNS TXT entry.

I already gave my output:

```text
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: atzcart.in
   Type:   unauthorized
   Detail: Incorrect TXT record
   "Zwh-X_1AH5fbXIVylTrWSocJfNru0tVyGgF4i2ZKsqk" found at
   _acme-challenge.atzcart.in

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
```

Please provide the command for how to add a TXT record in the terminal…
I already added the TXT record in the AWS Route 53 service.

You have to do that again.

Same command -> new value -> txt record in your aws route 53.

PS: And the new value must be visible online. But as written there:

Online I see your old value.

Change the TXT entry. Then use the online tool to check, if the new value is visible.

Juergen, I kind of faced the ‘Incorrect TXT record’ problem rather often, so I feel Siddhant’s pain.

I have a couple of wildcard certs (may need more), and every time I need to renew them it is a pain. The main issue is with gandi.net being slow and unpredictable about when they will propagate changes, plus not propagating them to all name servers at the same time. So, I need to actually monitor all NS servers to see that they have the new values. Still, I think that the last time, I saw the new value being propagated, but the procedure still failed that challenge string (maybe I was just exhausted monitoring those NS servers). The problem that makes this process worse is that certbot can run only one instance at a time, so I need to serialize that job (wait for every new propagation before moving on to the next challenge/cert).

To help people like Siddhant (and of course myself), I would like to request a new feature for wildcard renewals. I would like to be able to pre-run certbot to just get the challenge strings for all domains/certs. This would allow me to feed my DNSes with all strings at once with no pressure of triggering any timeouts, or hitting ‘yes’ prematurely. Later on (say in an hour or two), I would run certbot as normal, expecting it to recognize the strings that were generated earlier. If such a feature were implemented, the second issue (one certbot instance at a time) would be rather irrelevant, as no waiting for DNS propagation would be needed.

Thank you, Jacek

Route 53 deploys changes quickly, and has an API to check whether a change has been deployed to all PoPs. It shouldn’t be a major issue for Route 53 users.

There’s also a Route 53 plugin for Certbot, which can be easily installed on some OSes.
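A `--manual-auth-hook` that automates what Juergen described (two TXT values at the same `_acme-challenge` name for the wildcard and the apex) and uses the Route 53 change-status API mentioned just above to wait until the record is live. This is an added example, not code from this thread or from the certbot project; it assumes a configured AWS CLI, a `HOSTED_ZONE_ID` environment variable, and the scratch file path shown.

```python
"""Hypothetical certbot --manual-auth-hook for Route 53 (added example, not from this thread).
Both dns-01 validations for *.atzcart.in and atzcart.in land at _acme-challenge.atzcart.in,
so one UPSERT per call would overwrite the earlier value; this collects all values per name."""
import json
import os
import subprocess
import tempfile

STATE = "/tmp/acme-txt-state.json"  # assumed scratch file; remove it in the cleanup hook

def load_state(path=STATE):
    return json.load(open(path)) if os.path.exists(path) else {}

def record_validation(state, domain, validation):
    """Group validation strings by TXT owner name (wildcard and apex share one)."""
    base = domain[2:] if domain.startswith("*.") else domain
    values = state.setdefault(f"_acme-challenge.{base}", [])
    if validation not in values:
        values.append(validation)
    return state

def change_batch(name, values, ttl=60):
    """Route 53 ChangeBatch that UPSERTs one TXT set; each string must be double-quoted."""
    rrset = {"Name": name + ".", "Type": "TXT", "TTL": ttl,
             "ResourceRecords": [{"Value": f'"{v}"'} for v in values]}
    return {"Comment": "ACME dns-01", "Changes": [{"Action": "UPSERT", "ResourceRecordSet": rrset}]}

def apply_change(batch, zone_id):
    """Submit the batch via the AWS CLI and block until Route 53 reports the change INSYNC."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as f:
        json.dump(batch, f)
    cmd = ["aws", "route53", "change-resource-record-sets", "--hosted-zone-id", zone_id,
           "--change-batch", f"file://{f.name}"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    change_id = json.loads(out)["ChangeInfo"]["Id"]
    subprocess.run(["aws", "route53", "wait", "resource-record-sets-changed", "--id", change_id], check=True)

def main():
    # certbot calls the hook once per name; CERTBOT_REMAINING_CHALLENGES counts down to 0.
    state = record_validation(load_state(), os.environ["CERTBOT_DOMAIN"], os.environ["CERTBOT_VALIDATION"])
    with open(STATE, "w") as f:
        json.dump(state, f)
    if int(os.environ.get("CERTBOT_REMAINING_CHALLENGES", "0")) == 0:  # last name: push everything
        for name, values in state.items():
            apply_change(change_batch(name, values), os.environ["HOSTED_ZONE_ID"])

if __name__ == "__main__":
    main()
```

Pass it with `--manual --manual-auth-hook /path/to/this.py` to the `certonly` command from earlier in the thread; the certbot-dns-route53 plugin mentioned above achieves the same result without a custom hook.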

How does Route 53 relate to gandi.net?

Also, how does your comment help Siddhant? Care to provide some links for him to read?

Juergen, one more request. Would it be possible to add some links with basic explanations of the errors mentioned in “6. Comments” of your check-your-website.server-daten.de tool? I see for my domain something like “more then one version with Http-Status 200” or “no preferred version www or non-www”, but have no clue how to bite it.

Actually, in the section “12. TXT - Entries” there are errors like “Name Error - The domain name does not exist;” however, those are highlighted in green. Should those be in red, or are those rather tricky answers?

_jacek … thanks for understanding my pain … now I am looking for another SSL certificate provider …
because if I use the below command to attach the same certificate for my subdomain, it removes the previous SSL cert with the existing domain:

certbot --expand -d m.atzcart.in …

Even though, it is a bit painful process, I would really encourage you to stick with Letsencrypt. Once you get your questions out, you will always get friendly help. As I mentioned in the other thread, every time I need to renew, I sweat bullets, but it is quickly over.

_jacek I have already crossed my cert limits … now it is giving an error that the limit is exceeded for this domain

Siddhant, there is nothing special about limits, we set them, as such we can remove them. I am sure Juergen can help you with it.

Yeah, when you use --expand, you still have to list every name you want the new certificate to include.

Bro, now I use this command: certbot --expand -d m.atzcart.in -d seller.atzcart.in but
the previous certificate got removed from www.atzcart.in and atzcart.in. Please help me … logically I am not getting what to do!

Yes, that's how the --expand command works. If you want those names on it too, the command would be certbot --expand -d m.atzcart.in -d seller.atzcart.in -d www.atzcart.in -d atzcart.in. This isn't very intuitive, but it is pretty clearly explained in the documentation.