Nginx: Wildcard certificates don't work

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jamespearson.xyz

I ran this command: certbot certonly --cert-name jamespearson.xyz -d jamespearson.xyz,*.jamespearson.xyz,jamesp.org,*.jamesp.org

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
3: Spin up a temporary webserver (standalone)
4: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-4] then [enter] (press 'c' to cancel): 2

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate jamespearson.xyz to include new domain(s):
+ *.jamesp.org
+ *.jamespearson.xyz

You are also removing previously included domain(s):
- mail.jamespearson.xyz
- muc.jamesp.org
- pleroma.jamesp.org
- www.jamespearson.xyz

Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate certificate/(C)ancel: U
Renewing an existing certificate for jamespearson.xyz and 3 more domains
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.22.0

Wildcard certificates require DNS-01 authentication, which requires the creation of a request-specific TXT record (or records).

@rg305 And how do I create the TXT record(s) for DNS-01?

You must first change the requested authentication method.
When you chose --cert-name jamespearson.xyz, it instructed certbot to use the settings previously used to obtain that cert.
So you will have to override that previous setting with --preferred-challenges=dns.
Then you can either handle those requests manually (not recommended, as they can't be automated) OR use a plugin that is supported by your DNS Service Provider (DSP).
For the preferred method you need to check with your DSP to see if they support DNS updates via API.

Epik does have an API (Epik Domain Management API), but it's unlikely there's a Certbot DNS plugin for it.

You can script the adding and removing of the TXT record through their API yourself and provide those scripts to Certbot using the --manual-auth-hook and --manual-cleanup-hook respectively.

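Putting the two answers above together (override the stored nginx authenticator with --manual and --preferred-challenges dns, then let --manual-auth-hook / --manual-cleanup-hook script the TXT records), here is an added example of such a hook script. It is not code from this thread, from Certbot or from Epik: the DNS_API_URL / DNS_API_TOKEN variables and the curl request shape are placeholders standing in for whatever the DSP's API actually expects, and it assumes dig and curl are installed. The CERTBOT_* variables are the ones Certbot really exports to manual hooks. The part worth noticing for this exact command line is that jamesp.org and *.jamesp.org (and the .xyz pair) are validated with two different TXT values at the same _acme-challenge name, so the add call must append rather than overwrite, and the cleanup must delete only the record carrying its own value.

```shell
#!/bin/sh
# dns01-hook.sh: DNS-01 auth/cleanup hook for "certbot --manual"
# (added example; not from the thread, Certbot or Epik).
# Invoke from certbot, overriding the nginx authenticator stored for this cert name:
#   certbot certonly --cert-name jamespearson.xyz --manual --preferred-challenges dns \
#     --manual-auth-hook "/usr/local/bin/dns01-hook.sh add" \
#     --manual-cleanup-hook "/usr/local/bin/dns01-hook.sh delete" \
#     -d jamespearson.xyz,*.jamespearson.xyz,jamesp.org,*.jamesp.org
# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks, plus
# CERTBOT_REMAINING_CHALLENGES (how many challenges still follow this one).
set -eu

# HYPOTHETICAL placeholders: replace the URL, auth header and request shape with
# the DSP's documented API. Keep the token in a root-only file, not on a command line.
DNS_API_URL=${DNS_API_URL:-https://api.example.invalid}
DNS_API_TOKEN=${DNS_API_TOKEN:-$(cat /etc/letsencrypt/dns-api.token 2>/dev/null || true)}

# TXT record name the CA queries: _acme-challenge.<domain>. Certbot already hands
# the hook the base name for a wildcard (no "*."), but strip one defensively.
acme_record_name() {
    d=$1
    case $d in \*.*) d=${d#??} ;; esac
    printf '_acme-challenge.%s\n' "$d"
}

# True if the output of "dig +short TXT" ($1) contains exactly the value $2.
txt_has_value() {
    printf '%s\n' "$1" | grep -qxF "\"$2\""
}

# Placeholder provider calls. They must ADD a record, not replace the name:
# jamesp.org and *.jamesp.org get two different values at the same name, both live.
dns_api_add_txt() {
    curl -fsS -X POST "$DNS_API_URL/txt" -H "Authorization: Bearer $DNS_API_TOKEN" \
        --data-urlencode "name=$1" --data-urlencode "value=$2"
}
# Delete only the record with this exact value so the sibling challenge survives.
dns_api_delete_txt() {
    curl -fsS -X DELETE "$DNS_API_URL/txt" -H "Authorization: Bearer $DNS_API_TOKEN" \
        --data-urlencode "name=$1" --data-urlencode "value=$2"
}

# Find an authoritative nameserver by walking up from the name to the zone apex.
authoritative_ns() {
    d=$1
    while :; do
        ns=$(dig +short NS "$d" | head -n1)
        if [ -n "$ns" ]; then printf '%s\n' "$ns"; return 0; fi
        case $d in *.*) d=${d#*.} ;; *) return 1 ;; esac
    done
}

# Poll the authoritative server until the value is published; otherwise the CA
# may query before the provider has propagated the change and fail the order.
wait_for_txt() {
    name=$1; value=$2
    ns=$(authoritative_ns "${name#_acme-challenge.}") || ns=""
    i=0
    while [ "$i" -lt 30 ]; do
        if txt_has_value "$(dig +short TXT "$name" ${ns:+@"$ns"} 2>/dev/null || true)" "$value"; then
            return 0
        fi
        i=$((i + 1)); sleep 10
    done
    echo "$name still does not publish $value after 5 minutes" >&2
    return 1
}

# Certbot sets CERTBOT_DOMAIN when it runs the hook; without it the script only
# defines the functions above (so they can be exercised on their own).
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    case ${1:-} in
        add)
            dns_api_add_txt "$name" "$CERTBOT_VALIDATION"
            # Block for propagation only once, after the last record has been added.
            if [ "${CERTBOT_REMAINING_CHALLENGES:-0}" -eq 0 ]; then
                wait_for_txt "$name" "$CERTBOT_VALIDATION"
            fi ;;
        delete)
            dns_api_delete_txt "$name" "$CERTBOT_VALIDATION" ;;
        *)
            echo "usage: $0 add|delete (run by certbot with CERTBOT_* set)" >&2; exit 2 ;;
    esac
fi
```

Certbot records the manual hooks in the renewal configuration for that certificate, so a later certbot renew reuses them. Since certonly no longer lets the nginx installer touch the server configuration, reference the certificate paths in nginx yourself and add --deploy-hook "systemctl reload nginx" so a renewed certificate is actually loaded.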