You re-run the command with the -d option as you show it. Otherwise, please explain what new thing needs fixing.
Oh, I thought there would be some command like:
"please add welooop.com to the certificate issued to *.welooop.com"
If this method existed, then I wouldn't worry about reconfiguring my load balancer in Oracle Cloud.
If the method doesn't exist, then I can certainly issue a new command:
sudo certbot certonly --manual --preferred-challenges=dns \
--email welooop@welooop.com \
--server https://acme-v02.api.letsencrypt.org/directory \
--work-dir=. --config-dir=. --logs-dir=. \
--agree-tos \
-d welooop.com,*.welooop.com
Then I get a new (and second) certificate, do the validation again, upload the new certificate to Oracle Cloud, that's all fine. I just want to make sure of the best way of doing it.
If I get the second certificate which covers welooop.com and *.welooop.com, what do I do with the first certificate? Just let it expire?
I am new to SSL certificates, sorry for the silly questions. Really appreciate your help!
WeLooop
Unfortunately not.
Your Certbot should recognise the already existing certificate for welooop.com and ask you if you'd want to update the existing certificate by adding the wildcard hostname. If it doesn't, you can use --cert-name to "overwrite" the already existing certificate.
When modifying an existing certificate, you always get a brand new certificate. So one way or another, you're always required to upload the new certificate to Oracle Cloud. The cert already existing in Oracle Cloud cannot be updated magically somehow, that requires re-uploading a (new and updated) cert.
Thank you! Thank you!! Let me try and I will report back to you soon.
Keep in mind the certs expire in 90 days and Let's Encrypt recommends renewing 30 days before expiry. So, you'll need to repeat this every 60 days or so.
Some method other than --manual is best to automate renewals. If you can't automate with your DNS provider you could switch to one that supports an API for that.
And, yes, you just let old certs expire.
It's also possible to add a CNAME for _acme-challenge pointing to a hostname with a different domain which is hosted on a DNS provider with easy automation (e.g. acme-dns) or even an NS record pointing e.g. to Cloudflare. You'd need to add your domain to Cloudflare too, but wouldn't necessarily switch entirely. Just add the domain to Cloudflare, authenticate it somehow (dunno what CF requires for that exactly) and not use Cloudflare's nameservers for the entire domain (i.e.: don't add the CF nameservers to the "upstream" TLD nameservers), but only use the CF nameservers for the _acme-challenge subdomain in NS records.
That said, if Oracle Cloud doesn't offer any automated way to update the certificate, the entire process wouldn't be automatable anyway.
Wow, Yahoooooo... It worked! But let me document what happened, followed by new questions.
I issued:
sudo certbot certonly --manual --preferred-challenges=dns \
--email welooop@welooop.com \
--server https://acme-v02.api.letsencrypt.org/directory \
--work-dir=. --config-dir=. --logs-dir=. \
--agree-tos \
-d welooop.com,*.welooop.com
I got:
Saving debug log to /home/ubuntu/archive/welooop.com/letsencrypt.log
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for welooop.com and *.welooop.com
Please deploy a DNS TXT record under the name:
_acme-challenge.welooop.com.
with the following value:
UVXbHCjJGno7wsV9hP9P...Rs0gZZvHc
Press Enter to Continue
So I went to my Domain Admin -- "Google Domains". Two things here:
(1) record name: it says: "_acme-challenge.welooop.com." The ending period "." should not be there, otherwise Google Domains says "invalid"
(2) the record name I typed into Google Domains should be "_acme-challenge", if I copy and paste "_acme-challenge.welooop.com" it will become "_acme-challenge.welooop.com.welooop.com".
I found those two things out yesterday, OK move on.
I couldn't save 2 records with the same record name, so before I saved the new one, I deleted the old one from yesterday which was for verifying "*.welooop.com", but when I pressed Enter to continue, I got:
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)
Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: Dig (DNS lookup).
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.
Duh, why didn't you say so in the first place? But anyway I couldn't save 2 records with the same name. Apparently it failed.
Then it failed one more time, it succeeded on the third try. Then I uploaded the certificate to Oracle Cloud... from there it worked like a charm...
Thank you a million!
I will have a question shortly...
Regarding auto renewal:
On the Let's Encrypt side, the command I used is with "--manual". Would it be automatic if I omitted "--manual"? Or is there another switch "--automatic"?
If the answer is no, is the link (using cron job) below a good way to renew?
You have a great point that if Oracle Cloud doesn't supply a way, then the whole thing wouldn't be automatic. I don't know that answer, I will check with Oracle Cloud.
Thank you for your answer!!!
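The two DNS pitfalls documented in the post above (the trailing dot and zone suffix that Google Domains rejects, and the need for two TXT values under the same _acme-challenge name, one per challenge) can be checked locally before pressing Enter in certbot. This is an added example, not code from the thread or from Certbot; it assumes you feed it the output of `dig +short TXT _acme-challenge.welooop.com` and the validation values certbot printed, and the sample dig output below is constructed.

```python
import re
from typing import List

ZONE = "welooop.com"  # the zone edited at the DNS provider (from the thread)


def provider_record_name(fqdn: str, zone: str = ZONE) -> str:
    """Convert the name certbot prints ('_acme-challenge.welooop.com.') into the
    relative label a zone editor such as Google Domains expects ('_acme-challenge').
    Pasting the fully qualified name into a provider that appends the zone itself
    produces '_acme-challenge.welooop.com.welooop.com', which is the bug hit above."""
    name = fqdn.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    if name == zone:
        return "@"  # record at the zone apex
    suffix = "." + zone
    if not name.endswith(suffix):
        raise ValueError(f"{fqdn!r} is not inside zone {zone!r}")
    return name[: -len(suffix)]


def txt_values(dig_short_output: str) -> List[str]:
    """Parse `dig +short TXT <name>` output: one double-quoted value per line.
    A single name may legitimately carry several TXT records, which is exactly
    what certbot needs for welooop.com plus *.welooop.com."""
    return [m.group(1) for m in re.finditer(r'"((?:[^"\\]|\\.)*)"', dig_short_output)]


def missing_challenge_tokens(dig_short_output: str, expected: List[str]) -> List[str]:
    """Return the validation values certbot asked for that are not yet visible in
    DNS. Only press Enter when this list is empty; a record deleted to 'make room'
    for the second challenge shows up here as missing and the challenge would fail."""
    present = set(txt_values(dig_short_output))
    return [tok for tok in expected if tok not in present]


# Constructed sample: two TXT records under the same name, one per challenge.
# The tokens are placeholders, not real ACME validation values.
SAMPLE_DIG = '"apexTokenPLACEHOLDER"\n"wildcardTokenPLACEHOLDER"\n'

if __name__ == "__main__":
    print(provider_record_name("_acme-challenge.welooop.com."))
    print(missing_challenge_tokens(SAMPLE_DIG, ["apexTokenPLACEHOLDER", "wildcardTokenPLACEHOLDER"]))
```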
Can't you place two values for that same TXT record? I don't use Google Domains myself but I'm pretty sure you can.
It worked after several tries because authentications for a domain for a specific requesting account are cached for 30 days. So, one of your earlier tries was successful for just one and a later try for the other.
No, the whole thing wouldn't be automatic w/out Oracle Cloud interaction but automating the cert renewal without manually updating TXT records has value.
Good point, I didn't realize that, I will try next time.
Nope. Certbot wouldn't know how to re-do the challenges, which is required for renewing. So nothing automatic unless you actually instruct Certbot with something which is actually automatable. And the dns-01 challenge is relatively hard to automate, as not every DNS provider has an API to automate the adding and removing of the token.
Which begs the question: do you actually need the wildcard?
No, the manual plugin cannot use the certbot renew function as that would require Certbot to run without user input, while the manual plugin (without hooks) requires user input. So those two are mutually exclusive.
Yes, absolutely, so next time I issue the same cmd without "--manual" switch?
What I meant was after today's manual certificate expires, I will get a new certificate, using the cmd I used today but without the "--manual" switch, then use the cron job mentioned in the link to renew? Even though it is called "renewal", it is actually a new certificate, so there is a need to upload (or so called "update") to Oracle. Am I thinking about it the right way?
That's not possible. When using --manual (without hooks), the only way to "renew" the certificate is by running the exact same command, with --manual, again.
This part you're correct.
This is the section of Certbot docs related to DNS plug-ins. Each plug-in has further instructions in its config and certbot commands:
https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins
But, as Osiris noted, if you don't need a wildcard you could use the HTTP Challenge instead (probably). This is usually easier. The HTTP Challenge requires port 80 to be available to a webserver which you don't have at the moment (your port 80 looks blocked by a firewall or something). Without a wildcard you just list the specific domain names you need with the -d option.
Thank you both very much for your valuable info!
I still need time to digest everything you said, let me ask a question from a different angle:
Suppose I haven't issued any commands yet, and I will do it for the very first time: what would the command look like if I want the certificate to have the potential for easy and automatic renewal? Assuming I have an Ubuntu machine fully under my control.
The whole thing looks pretty complicated, I wonder if you have tutorial videos with full syntax explained?
Many things are still confusing, e.g.
I know I got a valid certificate, and I uploaded to Oracle, and it is working... but, when I do:
root@certbot:/home/ubuntu# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No certificates found.
it says "No certificates found."?
Is that where you ran Certbot when you got the certs?
Because it is odd that it wouldn't show any after getting one.
If it's the same machine, are you running in any kind of container?
That depends ... do you need a wildcard? Because then auto-renew requires some way to auto-update DNS. Either with a plug-in or a script as --manual-auth-hook
If you don't need a wildcard what kind of web server are you running?