Renewal of Wildcard SSL (Resolved)

certbot certonly --server https://acme-v02.api.letsencrypt.org/directory \
--preferred-challenges dns \
--manual -d example.com -d "*.example.com"

Do I need to manually verify every 90 days, or is it just one time?
Thanks

Yes, you will be required to perform the validation process again at every renewal. For this reason, it should be automated via your DNS hosting provider.


Google Domains is not supported. Bummer.

You can maybe use acme-dns. https://github.com/joohoi/acme-dns

I tried the DNS method for the wildcard and added the TXT record as well. Next it asked me to add a file inside .well-known/acme-challenge, which I did.

Next it asked me to keep the IP pointed. This is something I cannot do. I need to keep SSL for offline use.

I don't want to use another form of SSL because it will expose the "subdomain" on the crt.sh website.

So I have a few choices here:

  • Use OpenSSL instead, or go for a paid SSL for the green lock.

Thanks

Wildcard certs can only be validated via DNS.
I don't understand why it would ask you to put something in the web path (/.well-known/acme-challenge/).

Also, HTTP and HTTPS are two separate ports.
You could keep HTTPS for office use and allow HTTP for cert validations (redirecting all other HTTP connections to HTTPS).

Got it. I noticed I forgot to add --preferred-challenges, which I feel caused the issue.

root@host:~# certbot certonly --manual -d example.com -d *.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
http-01 challenge for example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

-yYn-wLAwMW14aS0rhrxXn3EjbYfBokJQXuyRSgzuOo

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

aTGWnqBCArqaS536B9Wk8xo6PGKxerf6i30MJJmDb00.JUBK9oJLRIsOE6YFoZUihowwlA4V830QbboK7XGlkuY

And make it available on your web server at this URL:

http://example.com/.well-known/acme-challenge/aTGWnqBCArqaS536B9Wk8xo6PGKxerf6i30MJJmDb00

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Challenge failed for domain example.com
http-01 challenge for example.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: example.com
   Type:   unauthorized
   Detail: The key authorization file from the server did not match
   this challenge
   "aTGWnqBCArqaS536B9Wk8xo6PGKxerf6i30MJJmDb00.JUBK9oJLRIsOE6YFoZUihowwlA4V830QbboK7XGlkuY"
   !=
   "veh5-vybuWyVS8BggLOZX-DLkZ3nnkNq8OHYI68i57U.4KpNPbLLLeV75JDuu6NLzu6ETQE22q2COCYj6iULlyk"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
root@host:~#

PS: I am not interested in pointing example.com to the host IP with an A record even for a few seconds. All I am trying to do is get SSL completely over the TXT record.

I will try again

You need to update the TXT record every time you run certbot.
You should also pause and check that global DNS systems can see your update before proceeding.

Count your tries - there are limits.
OR switch to the staging/testing environment until you get the process down correctly.

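A small helper for the "pause and check that global DNS systems can see your update" step in the reply above. This is an added example, not code from the thread or from certbot: it asks several public resolvers for the _acme-challenge TXT record and only says "safe to continue" once every one of them returns the exact value certbot printed, which also catches the stale-value case where a record from an earlier run is still the one being served. It assumes dig is installed; the resolver IPs and the 15-second poll interval are my choices.

```shell
#!/bin/sh
# Added example (not from the thread): verify the _acme-challenge TXT record
# on several public resolvers before pressing Enter in certbot --manual.

# Compare raw `dig +short TXT` output against the value certbot asked for.
# $1: raw dig output (zero or more lines, each a quoted TXT record)
# $2: expected value
# Returns 0 only if one record equals the expected value exactly; an old
# record from a previous certbot run does not count as a match.
txt_matches() {
  raw=$1
  expected=$2
  printf '%s\n' "$raw" \
    | sed 's/" "//g; s/^"//; s/"$//' \
    | grep -qxF -- "$expected"     # -x: whole line, -F: no regex, --: value may start with '-'
}

# Query a single resolver; prints the raw TXT answer (empty on NXDOMAIN/timeout).
# $1: resolver IP, $2: record name
query_txt() {
  dig +short +time=3 +tries=1 @"$1" "$2" TXT 2>/dev/null
}

# Poll until every resolver in the list returns the expected value.
# $1: record name, $2: expected value, $3: max attempts (default 20)
wait_for_txt() {
  name=$1; expected=$2; attempts=${3:-20}
  i=0
  while [ "$i" -lt "$attempts" ]; do
    all_ok=1
    for r in 8.8.8.8 1.1.1.1 9.9.9.9; do    # assumed public resolvers
      if txt_matches "$(query_txt "$r" "$name")" "$expected"; then
        echo "ok      $r"
      else
        echo "missing $r"
        all_ok=0
      fi
    done
    [ "$all_ok" -eq 1 ] && { echo "deployed everywhere: safe to continue"; return 0; }
    i=$((i + 1))
    sleep 15
  done
  echo "still not visible after $attempts checks (record not saved, or old TTL?)" >&2
  return 1
}

# Usage: sh check_txt.sh _acme-challenge.example.com <value-from-certbot>
if [ $# -ge 2 ]; then
  wait_for_txt "$1" "$2"
fi
```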

While Google Domains doesn’t provide an automation API, Google Cloud DNS does.

But more generally, there are a number of free quality DNS hosting providers that you could choose from, where Let’s Encrypt client integrations already exist. Of course it’s kind of annoying to switch DNS hosting just for the sake of automating your SSL, but the option is there.


Thanks everyone, the process was simpler than I thought.

It just took one TXT record verification.

root@host:~# certbot certonly --manual --preferred-challenges dns -d example.com -d *.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Challenge failed for domain example.com
dns-01 challenge for example.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: example.com
   Type:   dns
   Detail: During secondary validation: DNS problem: NXDOMAIN looking
   up TXT for _acme-challenge.example.com - check that a DNS
   record exists for this domain
root@anonymous:~# certbot certonly --manual --preferred-challenges dns -d example.com -d *.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Yes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-11-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@host:~#

Thanks again!

Good list. Thanks for sharing!

I was using Cloudflare earlier; things were quite a bit easier for me.

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d example.com,*.example.com --preferred-challenges dns-01

But I switched to Google Domains for three things:

  • Free E-mail forwarding
  • Free hostname forwarding
  • 24*7 live chat support, great UI

A bit of extra effort here, but glad this is all set now.
