Problem with wildcard and apache


#1

Hello,

I have a problem with certbot when I generate a certificate for a wildcard domain with the apache plugin:

certbot --version

certbot 0.22.2

certbot --apache -d *.my-domaine.com --server https://acme-v02.api.letsencrypt.org/

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

Can you help me?

Best regards


#2

The issue is exactly what the error message states - you’re using the Apache plugin, but that doesn’t work for wildcards. You need to use the dns-01 challenge type to authenticate your domain for a wildcard. How to do this varies wildly depending on how your DNS is managed - the big question is whether or not your DNS provider offers an API for updates, or if you must update the zone manually.


#3

Thanks for your response. I can manage my DNS (Gandi). I tested with this command:

certbot --server https://acme-v02.api.letsencrypt.org/directory -d *.my-domain.com --manual --preferred-challenges dns-01 certonly



Failed authorization procedure. my-domain.com (dns-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.my-domain.com

My server is on AWS EC2.

Best regards


#4

Did the --manual command prompt you to create that TXT record at a specific moment? Did you then do that?


#5

Yes, I added the TXT record:
_acme-challenge.my_domain.com 1800 IN TXT "EpsELFDejXx…b5ToCRxYI"


#6

Could you tell us the real domain so we could check that this record is publicly visible?


#7

For example, sometimes you need a trailing . on the domain name in your DNS zone in order to create _acme-challenge.my_domain.com rather than _acme.challenge.my_domain.com.my_domain.com.
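
The trailing-dot behaviour described in the reply above, as an added example that is not part of the original thread: it expands a zone-file owner name against the zone origin and compares the result with the name the CA looks up for dns-01. It assumes the DNS provider applies standard zone-file name expansion; `example.com` and the function names are constructed for illustration.

```python
# Added example: how a zone-file owner name is expanded against the zone origin.
# All domain names below are constructed placeholders.

def expand_owner(owner: str, origin: str) -> str:
    """Return the fully qualified name a zone-file entry actually creates.

    Zone-file rules (RFC 1035, section 5.1): a name ending in "." is absolute,
    "@" means the origin itself, and any other name is relative, so the
    origin is appended to it.
    """
    origin = origin.rstrip(".").lower()
    owner = owner.strip().lower()
    if owner == "@":
        return origin + "."
    if owner.endswith("."):
        return owner
    return f"{owner}.{origin}."


def challenge_name(cert_domain: str) -> str:
    """Name queried for dns-01; a wildcard is validated at its base domain."""
    base = cert_domain.lower().rstrip(".")
    if base.startswith("*."):
        base = base[2:]
    return f"_acme-challenge.{base}."


def check_record(owner: str, origin: str, cert_domain: str) -> tuple[bool, str]:
    """Compare what the zone entry creates with what the CA will look up."""
    created = expand_owner(owner, origin)
    return created == challenge_name(cert_domain), created


if __name__ == "__main__":
    origin = "example.com"   # constructed zone origin
    cert = "*.example.com"   # constructed certificate name
    for owner in ("_acme-challenge",
                  "_acme-challenge.example.com.",
                  "_acme-challenge.example.com"):  # no trailing dot: relative
        ok, created = check_record(owner, origin, cert)
        print(f"{owner!r:32} -> {created:44} {'OK' if ok else 'MISMATCH'}")
```

A mismatch here corresponds to the NXDOMAIN seen earlier in the thread: the TXT record exists, but under a different name than the one being queried.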

