I would like to replace all of them with just 1 wildcard certificate. If I had known how things would develop I would have begun with a wildcard, but my crystal ball was cloudy. I run Postfix/Dovecote, Nextcloud and a Wordpress website on my home server. I will be going to multisite with the Wordpress instance and adding several subdomains to orchardmusic. Hence the need to clean things up for now and future.
As everything is currently working I don't want to break it by basically blundering, so can anyone offer clear and concise (even step by step) guidance?
I've used Certbot in standalone certificate only mode so far, after a 'messed up through ignorance' first adventure using the nginx plugin. But happy to learn a new trick or two if that's required. Thanks in advance.
A wildcard requires a DNS Challenge. These are generally harder to setup than HTTP Challenges.
There are many ways to do this but the easiest is for your DNS provider to support an API to add/delete the TXT record used to validate your domain. And, have that provider API supported by your chosen ACME Client (Cloudflare is popular and Certbot supports it)
I don't recognize your DNS provider so not sure if they have an API. But, you could use a Certbot pre and post hook and write your own script to add/delete the TXT records if they do.
You could use --manual method with --preferred-challenge dns-01 but then you'd have to repeat that every 60 days. Not recommended as people usually get tired of that or forget.
Thanks very much Mike - yes can do the TXT record in DNS so that form of challenge is fine.
I was wondering about the existing 3 certificates I have in place - should I revoke and delete them first?
Also I've seen some references to whether one should go for *.example.com or *example.com or indeed both? So much conflicting info around and if one doesn't know then it's hard to tell the informed info from the .... not.
Basically really don't want to end up with a brick instead of a working server!
*example.com is not a valid DNS name and Let's Encrypt (and hopefully your ACME client before even making the request) would reject the request as malformed. A wildcard certificate will always have a name like *.example.com. The wildcard character * takes the place of all possible subdomains, not all possible arbitrary prefixes, so the dot is real and required.
Succeeded in creating the TXT entry (easy) but propagation is seeming very slow. It's coming up for 24 hours and still not showing deployed in DNS search results. The Certbot (manual) process timed out waiting so am hopeful that the challenge code is in some way derived from my supplied data (and will therefore) be the same when I try again - assuming the TXT entry (_acme-challenge.orchardmusic.com) ever does propagate!
You likely did not update the correct place. Because usually the authoritive DNS servers will sync within 1-5 minutes (the best less than 1 minute). The longest I have seen has only been an hour or two (badly behaved servers).
I don't see any TXT records at your authoritive servers
Well yes indeed, that's what I wondered, but in the UK2net DNS management panel it does look correct - the other 4 TXT entries do show up if I search DNSchecker.org - here's a screenshot of the section in the DNS management screen (I've inked over most of the actual data as I guess that's wise)
Hmmm. I can see an A record for the _acme-challenge subdomain but not that TXT record
You don't need an A record for that sub, maybe that is somehow interfering with uk2net?
dig +noall +answer A _acme-challenge.orchardmusic.com
_acme-challenge.orchardmusic.com. 277 IN A 217.155.63.213
dig +noall +answer TXT _acme-challenge.orchardmusic.com
Ah, yes, I see that wildcard A record now. My bad.
You should not have to delete that wildcard. But, maybe uk2net is not handling the TXT right because of it. If you can remove it as a test that would rule it out.
And, when you use something like dnschecker you need to use _acme-challenge.orchardmusic.com when testing for that TXT record. Just checking the root name shows just the TXT at the root level.
Might be nothing but I notice that what I copied and pasted out of the Terminal window does have a . after the com at the end? Rather than just ending with the m of com?
So have deleted the . and I do believe we have propagation and deployment... why would they put a . on the end in the Certbot output...
Yeah, that seemed to fix it. Good catch. I see the _acme-challenge TXT record now
A period at the end is the proper way of indicating domain names. It marks the root domain. If you omit it some systems might add more onto that. (see wiki). Many places it doesn't matter so it is common to not see it. Just one of those quirks.
It seems on your panel entry the period confused it. On mine it discards any stray extra period
When you do the next certbot cert request you will be given a different TXT value. And, you should delete values used previously. If you don't eventually the record length gets too large and LE will reject it. Once you receive the cert the TXT record value is not needed.
Success - many thanks to all for your help - a help forum that actually 'helps'... it might just catch on!
As I have a folder in the path already called orchardmusic.com it has created the new certificate in folder with appended 001 as per the Certbot output below, which is fine as I can redirect my various processes that need the certificate as I go along and revert easily if something goes amiss - great help folks, excellent. Certbot output:
Successfully received certificate. Certificate is saved at: /etc/letsencrypt/live/orchardmusic.com-0001/fullchain.pem Key is saved at: /etc/letsencrypt/live/orchardmusic.com-0001/privkey.pem
A different cert folder is expected since you changed the domain names within the cert.
But, I think you have more work to do yet. Your latest cert only has the wildcard name in it and not the root name itself. It won't work for requests using just the root name.
Let's review your certificate profiles by showing us this
Ah yes, in the original one I did have the root too - so perhaps I should go for one more for *.orchardmusic.com and justorchardmusic.com then? See below.
Have successfully pointed everything at the new wildcard certificate btw and all works
