Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I can login to a root shell on my machine (yes or no, or I don't know): YES
I'm using: NameCheap
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): YES
Newbie to the SSL world and could use a bit of guidance and help...
I was able to successfully create a cert for my webroot example.com and would like to use a single certificate for everything but I'm struggling with a wildcard cert, which gives another error when trying to run:
Double-check the -w folder you used is the one LiteSpeed uses for these domain names. I am guessing it is probably different from the one for your apex and its www subdomain you got earlier. The "404" means "Not Found". acme.sh placed the challenge token in the -w folder. But, when the Let's Encrypt server asked for it, your LiteSpeed said it couldn't find it.
Ideally you would not redirect the incoming HTTP challenge request to HTTPS. Just return the correct token when it arrives as HTTP. The redirect is supported, it is just a bit of extra complexity and time.
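One way to check the point above before re-running acme.sh is to put a throwaway file where acme.sh would put the token and fetch it over plain HTTP without following redirects. The script below is an added example, not part of this thread and not acme.sh code: `probe_webroot` is a hypothetical helper name, and the built-in `demo()` starts a local `http.server` on a temporary directory so it runs offline; against a real site you would call `probe_webroot("/path/used/with/-w", "http://example.com")` instead.

```python
import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request

# Path under the webroot where ACME HTTP-01 tokens are served from.
CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface a 301/302 as the answer instead of following it, so an
    HTTP->HTTPS redirect on the challenge path becomes visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_webroot(webroot, base_url, timeout=5):
    """Write a random probe file into <webroot>/.well-known/acme-challenge/
    and request it from base_url over HTTP.

    Returns (status, body_matches). 200 with body_matches=True means this
    webroot really is the directory the server publishes for base_url;
    404 means the server serves a different directory (the thread's error);
    301/302 means the challenge path is being redirected.
    """
    token = secrets.token_urlsafe(32)  # constructed probe name, not an ACME token
    target_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(token)
    try:
        opener = urllib.request.build_opener(_NoRedirect)
        url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
        try:
            with opener.open(url, timeout=timeout) as resp:
                return resp.getcode(), resp.read().decode("ascii") == token
        except urllib.error.HTTPError as err:
            return err.code, False
    finally:
        os.remove(path)  # always clean up the probe file


def _serve(directory):
    """Start a local static server on an ephemeral port for the offline demo."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Probe the directory the server actually serves and a different one.
    Returns ((200, True), (404, False)) on a working setup."""
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as wrong:
        server = _serve(served)
        try:
            base_url = f"http://127.0.0.1:{server.server_address[1]}"
            right = probe_webroot(served, base_url)   # same folder as the server: 200
            mismatch = probe_webroot(wrong, base_url)  # wrong -w folder: 404, as in the thread
        finally:
            server.shutdown()
            server.server_close()
    return right, mismatch


if __name__ == "__main__":
    print(demo())
```

If the probe comes back 404 for the folder you passed to -w, the fix is to point -w at the directory LiteSpeed actually serves for that virtual host, not to change the challenge type.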
I believe I understand your response; for the wildcard it requires the use of the DNS-01 challenge. I don't see the use of --dns as an argument in the command.
It's the 404 error that I'm trying to resolve at the moment, just stuck on my next steps to fix it.
I presume that the SSL cert will expire in 90 days, and therefore the CRONTAB job will perform a refresh prior to expiration. Is there anything I need to do on my end, or is it a seamless process?
I am not an acme.sh expert but, yes, I believe that should renew your cert after 60 days. In other words, with 30 days remaining before expiry. That is the default.
You can check which certs are renewed with .../acme.sh --list
Can I ask a follow up question regarding the DNS-01 challenge... according to the challenge-types documentation, it says the following:
After Let's Encrypt gives your ACME client a token, your client will create a TXT record derived from that token and your account key, and put that record at _acme-challenge.YOUR_DOMAIN. Then Let's Encrypt will query the DNS system for that record.
Are they referring to the following record that I do see in my DNS?
I do not see a record that has been created with a prefix of "_acme-challenge" so I'm trying to understand how that record is created and where to glean the information so that I could create it myself.
My second question about using the DNS-01 challenge is: will this record need to be updated when the keys change every 90 days?
It typically is transitory, that is, it is dynamically created, then verified and then deleted. This is performed by the DNS plugin that works with the DNS provider's API.
But yes, it can be done manually; not a good solution for automation.
Yes, but typically every 60 days, as certificates are presently intended to be renewed at two thirds of the certificate's lifetime.
One of the DNS plugins for acme.sh will add and delete the TXT record as needed. Hopefully acme.sh has one that supports your DNS provider. It supports very many, but I didn't look up yours.
UPDATE: Oh, you have NameCheap as your DNS provider. You will need to verify with them if they support an API for updates with your type of account. I vaguely remember there are some restrictions with them.
Yes, a new TXT record value is needed for each new certificate request. This includes "renewal" requests which normally occur every 60 days.