Self-hosted server for * wildcard domain - help how to please

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: *.g-wiz.org

I ran this command: I haven't yet - this is what I'm trying to figure out.

It produced this output: n/a

My web server is (include version): Nginx 1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04 LTS

My hosting provider, if applicable, is: Self-Hosted

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Will be using certbot

1 Like

For a wildcard certificate, for the time being, you'll need to use the dns-01 challenge. You can read more about challenges on the Let's Encrypt documentation: https://letsencrypt.org/docs/challenge-types/

You can read more about how to operate certbot at the certbot documentation page: https://certbot.eff.org/docs/using.html

2 Likes

What DNS software/provider are you using? If using Certbot, you'll either need to use one of the DNS Plugins or somehow write your own manual auth hooks to update your DNS server with the challenge values.

2 Likes
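The manual-auth-hook route mentioned above, as an added example that is not part of the thread and not certbot's own code: a hook script that prints the TXT record the operator has to create by hand (for a provider without an API, such as Network Solutions), then polls a public resolver until the record is actually visible before handing control back to certbot. CERTBOT_DOMAIN and CERTBOT_VALIDATION are the environment variables certbot passes to `--manual-auth-hook`; the resolver 1.1.1.1, the 10-minute ceiling, and reading the operator's keypress from /dev/tty are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from certbot or the thread): a --manual-auth-hook for the
# dns-01 challenge. Certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION; the
# resolver, wait ceiling and /dev/tty prompt are assumptions.
#
# usage: certbot certonly -a manual --preferred-challenges dns \
#          --manual-auth-hook /path/to/this.sh -d 'g-wiz.org,*.g-wiz.org'

RESOLVER=${RESOLVER:-1.1.1.1}
MAX_WAIT=${MAX_WAIT:-600}

# TXT record name for a domain. Certbot already passes the base name for a
# wildcard, but a leading "*." is stripped in case the hook is run by hand.
acme_txt_name() {
    d=${1#\*.}
    printf '_acme-challenge.%s\n' "$d"
}

# Read `dig +short TXT` output on stdin and succeed if any quoted string equals
# $1. Unquoted lines (the CNAME target when _acme-challenge is delegated to an
# auth subdomain) are skipped, so the same check covers CNAME delegation.
txt_output_contains() {
    expected=$1
    while IFS= read -r line; do
        v=${line#\"}; v=${v%\"}
        [ "$v" = "$expected" ] && return 0
    done
    return 1
}

# Poll the resolver until the record is visible or MAX_WAIT seconds elapse.
wait_for_txt() {
    name=$1; value=$2; waited=0
    until dig +short TXT "$name" "@$RESOLVER" | txt_output_contains "$value"; do
        if [ "$waited" -ge "$MAX_WAIT" ]; then
            echo "timed out waiting for TXT $name" >&2
            return 1
        fi
        sleep 15; waited=$((waited + 15))
    done
}

# Only act when invoked by certbot; sourcing the file defines the functions.
if [ -n "$CERTBOT_DOMAIN" ]; then
    name=$(acme_txt_name "$CERTBOT_DOMAIN")
    printf 'Create TXT record %s with value: %s\n' "$name" "$CERTBOT_VALIDATION" >&2
    printf 'Press Enter once it is saved at your DNS provider: ' >&2
    read -r _ < /dev/tty
    wait_for_txt "$name" "$CERTBOT_VALIDATION"
fi
```

With both `g-wiz.org` and `*.g-wiz.org` on one certificate, certbot runs the hook twice for the same record name with two different values, and both TXT records have to exist at the same time; do not replace the first with the second. The poll loop is what avoids the "timed out waiting for DNS" problem later in this thread: the hook returns only once a resolver outside your network serves the value.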

DNS provider is Network Solutions.

Last time, a buddy and I did this we did it manually, I just don't remember how. Now I'm here to learn it.

I tried reading the documentation, and ended up confusing myself thoroughly.

I figured I'd get a bit of guidance first, and then see if my command looks correct, then give it a try. Asking questions as I go. But first just didn't know where to start (well, short of I have certbot installed and ready to go).

Thanks

2 Likes

Would my first command be something like this:

certbot run -a manual --preferred-challenges dns -d *.g-wiz.org

2 Likes

Welcome to the Let's Encrypt Community, George :slightly_smiling_face:

Try this:
certbot run --cert-name g-wiz.org -a manual --preferred-challenges dns -d "g-wiz.org,*.g-wiz.org" -i nginx

If you want to look into automation, you might consider:

2 Likes

You can also consider changing your DNS provider to one that offers an API that works with an automated Let's Encrypt client such as Certbot or acme.sh, or using an authentication subdomain via CNAME record (which is also part of a common way of using acme-dns). This is sort of in-between doing everything manually and running your own acme-dns instance.

1 Like

Thanks griffin & schoen!

I'll give the line a try, and I've already been thinking about changing DNS providers to one that is a better fit for Let's Encrypt (and me).

1 Like

Okay... Well, I kept timing out waiting for DNS records to update (now I remember what a Pain in the keister this was).

So I moved my DNS to CloudFlare. I have the API Token and made an ini file, similar to the following:

# Cloudflare API token used by Certbot

dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567

As per: Welcome to certbot-dns-cloudflare’s documentation! — certbot-dns-cloudflare 0 documentation

I tried to follow along with the document (previous link), but I must still be doing things wrong.

sudo certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
-d "g-wiz.org, *.g-wiz.org"

Gave me:

usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --dns-cloudflare-credentials /home/xxxxxxxxxxx/.secrets/certbot/cloudflare.ini

1 Like

Firstly, never put spaces in the -d list! :slightly_smiling_face:


This could be the issue:

If you’d like to obtain a wildcard certificate from Let’s Encrypt or run certbot on a machine other than your target webserver, you can use one of Certbot’s DNS plugins.

These plugins are not included in a default Certbot installation and must be installed separately. While the DNS plugins cannot currently be used with certbot-auto, they are available in many OS package managers, as Docker images, and as snaps. Visit https://certbot.eff.org to learn the best way to use the DNS plugins on your system.

Try this:
sudo snap install certbot-dns-cloudflare

https://certbot.eff.org/docs/using.html#dns-plugins


Improved certbot command:
sudo certbot run --cert-name g-wiz.org -a dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini --dns-cloudflare-propagation-seconds 60 -d "g-wiz.org,*.g-wiz.org" -i nginx

Thank you for the alert on the -d list and spaces. :slight_smile:

I tried the command you suggested, and it gave me a:

certbot: error: unrecognized arguments: --dns-cloudflare-credentials /home/xxxxxxxxxx/.secrets/certbot/cloudflare.ini --dns-cloudflare-propagation-seconds 60

Yes, the path is correct. Home directory, then subdirectory .secrets/certbot filename cloudflare.ini

And to triple-check...

sudo cat ~/.secrets/certbot/cloudflare.ini

gives me (with the actual token information changed out):

# Cloudflare API token used by Certbot
dns_cloudflare_api_token = xxx123456789abcdef123456789abcdef000

I'm going to take a read through the new page you linked to me, and see what I can learn from that... well, and get some sleep too. Thank you for your continued help and patience.

1 Like

@G-Wiz

Did you read this part? :wink:

1 Like

I guess I did miss that part. So I installed the cloudflare snap. Thank you.

However...

sudo certbot run --cert-name g-wiz.org -a dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini --dns-cloudflare-propagation-seconds 60 -d "g-wiz.org,*.g-wiz.org" -i nginx

still gives me that same,

certbot: error: unrecognized arguments: --dns-cloudflare-credentials /home/xxxxxxxxxx/.secrets/certbot/cloudflare.ini --dns-cloudflare-propagation-seconds 60

message though.

I'll do some reading later today and see if there's something else I'm missing too.

Oh, I think someone asked earlier...

sudo certbot --version
certbot 0.40.0

1 Like

So... updating certbot...

sudo apt-get update

gives me:

Ign:1 Index of /certbot/certbot/ubuntu focal InRelease
Hit:2 Index of /ubuntu-ports focal InRelease
Err:3 Index of /certbot/certbot/ubuntu focal Release
404 Not Found [IP: 91.189.95.83 80]
Get:4 Index of /ubuntu-ports focal-updates InRelease [111 kB]
Get:5 Index of /ubuntu-ports focal-backports InRelease [98.3 kB]
Get:6 Index of /ubuntu-ports focal-security InRelease [107 kB]
Reading package lists... Done
E: The repository 'Index of /certbot/certbot/ubuntu focal Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

That's new. I may need to post that one in a different thread (???) as its own issue.

1 Like

I'm pretty sure you can't combine a certbot installed through apt with a plugin installed through snap. I recommend removing certbot installed by apt.

I'm not familiar with snap, but I assume installing the CloudFlare DNS plugin through snap should have also installed the certbot snap as a dependency. If that is the case, you should be able to keep using certbot regularly even if you have removed the certbot version from apt.

The current instructions for Ubuntu 20.04 and nginx are related to snap, so if you need more info about installing certbot with snap, you can see: https://certbot.eff.org/lets-encrypt/ubuntufocal-nginx

1 Like

Okay... Fixed SOME things, but still not my base issues.

To clear the "Release does not have a Release file" / Repository issue... I issued the following:

sudo apt-add-repository -r ppa:certbot/certbot

Then I attempted to update, and had no luck updating past the 0.40.0 version.

So I uninstalled certbot altogether (I was using the bare-metal version).

This time, I followed the instructions on the website ( https://certbot.eff.org/lets-encrypt/ubuntufocal-nginx.html ), and just installed the dang snap for it. I had to remove and then re-install the Cloudflare plugin to accomplish this successfully, but I got it in with no errors.

Certbot is now version certbot 1.9.0

Still generating that same error message about "unrecognized arguments" when attempting to get certificates though.

1 Like

Osiris, thank you for that additional information. I hadn't thought of that, but I did run into issues that led me down the path of removing the apt/bare-metal version and just installing via snaps.

Glad to know that I can still stumble along when given my own devices. :slight_smile:

Thanks again for that gem.

2 Likes

You can check if certbot recognises the plugin by running certbot plugins.

1 Like

Thanks again Osiris. It sure didn't have the cloudflare plugin installed. And when I got it installed... I think it worked. I have valid certificates now, anyhow!

But I do have one question... Is the following message normal, part of it was in red (I bolded that part):

Performing the following challenges:
dns-01 challenge for g-wiz.org
Unsafe permissions on credentials configuration file: /home/xxxxxxxxxx/.secrets/certbot/cloudflare.ini
Waiting 60 seconds for DNS changes to propagate

1 Like

No, it isn't. Normally, certbot runs as root. Sensitive information such as keys/tokens should not be accessible to other users. You should check the permissions of your cloudflare.ini file so that it is only readable by root, or by the user running certbot if that isn't root.

Although I would assume the .secrets directory to be sufficiently restricted? Not sure what actually triggers this warning though, but if .secrets is secure, so is the content, I presume:

As the legitimate user:

osiris@erazer ~ $ namei -m /home/osiris/.secrets/foo/bar
f: /home/osiris/.secrets/foo/bar
 drwxr-xr-x /
 drwxr-xr-x home
 drwxr-xr-x osiris
 drwx------ .secrets
 drwxr-xr-x foo
 -rw-r--r-- bar
osiris@erazer ~ $ 

As a "malicious" user:

postgres@erazer ~ $ namei -m /home/osiris/.secrets/foo/bar
f: /home/osiris/.secrets/foo/bar
 drwxr-xr-x /
 drwxr-xr-x home
 drwxr-xr-x osiris
 drwx------ .secrets
            foo - Permission denied
postgres@erazer ~ $ 

Hmm, it seems the code just checks for the permissions of the ini file:

And not what the actual permissions of the entire tree are. To get rid of the error, you could just remove the world permissions.

1 Like
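The permissions check discussed above, as an added example rather than anything from the thread or from certbot: a small POSIX sh script that reproduces the condition behind the "Unsafe permissions on credentials configuration file" warning (any world permission bit on the .ini file itself, whatever the directories above it look like), applies the stricter owner-only test a practitioner wants, and fixes the file and its directory. It assumes GNU coreutils `stat -c` or BSD `stat -f`.

```shell
#!/bin/sh
# Added example (not certbot's code): check and fix the mode of a DNS plugin
# credentials file. Mirrors the warning seen in the thread, which keys on the
# .ini file's own world bits, not on the directories above it.
#
# usage: sh check_creds.sh ~/.secrets/certbot/cloudflare.ini

# Octal mode of a path, e.g. 644 (GNU coreutils), with BSD stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit 0 if "others" hold any r/w/x bit on the path (what triggers certbot's
# warning), 1 otherwise. The leading 0 makes the shell read the mode as octal.
has_world_perms() {
    m=$(mode_of "$1")
    [ $(( 0$m & 7 )) -ne 0 ]
}

# Exit 0 if the file is accessible by its owner only (mode ?00), 1 otherwise.
# Stricter than certbot: group access to a token counts as exposure too.
is_owner_only() {
    m=$(mode_of "$1")
    [ $(( 0$m & 077 )) -eq 0 ]
}

# Restrict the file to its owner and the containing directory likewise, then
# verify. Keeping the directory at 700 means a future file created there with
# a permissive umask is still not reachable by other users.
harden_creds() {
    chmod 600 "$1" && chmod 700 "$(dirname "$1")" && is_owner_only "$1"
}

# When run as a script with a path: report, fix, and confirm.
if [ -n "$1" ]; then
    if has_world_perms "$1"; then
        echo "Unsafe permissions on $1 (mode $(mode_of "$1")), fixing" >&2
        harden_creds "$1"
    fi
    is_owner_only "$1" && echo "$1 is owner-only (mode $(mode_of "$1"))"
fi
```

Run it with `sudo` if the file is owned by root; the owner-only check deliberately does not care who the owner is, only that nobody else can read the token, which is the property Osiris's namei walk was trying to establish for the whole tree.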