Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: *.files.example.com
It produced this output: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS
My web server is (include version): minio server
The operating system my web server runs on is (include version): Ubuntu 20.04
My hosting provider, if applicable, is: n/a
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of
certbot --version or
certbot-auto --version if you’re using Certbot): certbot 0.40.0
I don’t believe the above is a complete discription of my issue.
I am attempting to build a 3 node, distributed minio cluster using dynamic DNS for connections incoming connsctions. For this to work I need a set of certificates for all three nodes. the problem is the nodes will be reached via their parent domain.
minio needs the nodes to connect to one another using their hostname (IE: https://node1.files.example.com:443) but clients connecting to the cluster will connect using “files.example.com” which will have all three node IPs in distributed DNS (IE depending on certain variables, users doing a DNS lookup on files.example.com will be given the IP of any one of the nodes and not necessarily the same node every time).
I really would like to have the ability to update the certificates as cleanly as possible each time. I have choices on how I can do this, but nothing painless.
if I use this command:
certbot certonly --standalone -d docs.positiveaction.net -d *.docs.positiveaction.net --staple-ocsp -m firstname.lastname@example.org --agree-tos
I get the afformentioned error.
if I use THIS command:
certbot certonly --manual -d docs.positiveaction.net -d *.docs.positiveaction.net --agree-tos
I have to place a file somewhere reachable on the server from port 80, however the server doesn’t have a standard webserver in place and installing one is inconvienant.
I would use a plugin–there is one for my DNS provider (nsone), however said plugin isn;t available for my distro and the forum post (here) refers to folders that simply don’t exist on my server (namely
~/.local/share/letsencrypt/bin/activate in either my user directory, or the root home directory) and the instructions (here) asks me to install a plugin that’s simply not avalable (namely certbot-dns-nsone)
so… what’s the cleanest way to get certs for each of my three servers, usable by both their host and their parent domains? if the nsone plugin is the best way, then how do I install it?