Problem with wildcard and apache

jeanbort · March 29, 2018, 2:04pm

hello,

I have problem with cerbot when I generate a certificat to wild card domain with apache plugin :

certbot --version

certbot 0.22.2

certbot --apache -d *.my-domaine.com --server https://acme-v02.api.letsencrypt.org/

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

Can you help me ?

Best regards

jared.m · March 29, 2018, 3:10pm

The issue is exactly what the error message states - you’re using the Apache plugin, but that doesn’t work for wildcards. You need to use the dns-01 challenge type to authenticate your domain for a wildcard. How to do this varies wildly depending on how your DNS is managed - the big question is whether or not your DNS provider offers an API for updates, or if you must update the zone manually.

jeanbort · March 29, 2018, 3:28pm

Thanks for your respons. I can manage my DNS (Gandi). I test with this command :

certbot --server https://acme-v02.api.letsencrypt.org/directory -d *.my-domain.com --manual --preferred-challenges dns-01 certonly

…
…
Failed authorization procedure. my-domain.com (dns-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.my-domain.com
…

My server is on AWS EC2.

Best regards

schoen · March 29, 2018, 3:34pm

Did the --manual command prompt you to create that TXT record at a specific moment? Did you then do that?

jeanbort · March 29, 2018, 3:51pm

Yes I add TXT record :
_acme-challenge.my_domain.com 1800 IN TXT “EpsELFDejXx…b5ToCRxYI”

schoen · March 29, 2018, 4:02pm

Could you tell us the real domain so we could check that this record is publicly visible?

schoen · March 29, 2018, 4:03pm

For example sometimes you need a trailing . on the domain name in your DNS zone in order to create _acme-challenge.my_domain.com rather than _acme.challenge.my_domain.com.my_domain.com.

system · April 28, 2018, 4:03pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.