I need a certificate for domain.tld and *.domain.tld, so I use the DNS challenge with the manual method to change the DNS variable. It's tested with the latest Pebble version, v2.2.2, and certbot 0.40.1.
I run a simple Pebble server and a fake DNS server to test, and I run this command; certbot works well:
REQUESTS_CA_BUNDLE=/app/app/3rd/pebble/chain.pem certbot certonly --manual --preferred-challenges dns --email samplemail@gmail.com --agree-tos -d '*.google.tld' -n --manual-auth-hook='/app/app/app certbot:auth-hook' --manual-cleanup-hook='/app/app/app certbot:cleanup-hook' --manual-public-ip-logging-ok --server https://127.0.0.1:14000/dir
Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for google.tld
Running manual-auth-hook command: /app/app/app certbot:auth-hook
Output from manual-auth-hook command app:
google.tld
CEFikYe6IB6-RxjrZUF-sgOFChzDgoqywLGIFtwAad4
2019-11-22T12:16:10.857Z
CEFikYe6IB6-RxjrZUF-sgOFChzDgoqywLGIFtwAad4
Waiting for verification...
Cleaning up challenges
Running manual-cleanup-hook command: /app/app/app certbot:cleanup-hook
Output from manual-cleanup-hook command app:
undefined
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/google.tld/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/google.tld/privkey.pem
Your cert will expire on 2024-11-22. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
And result:
cfssl certinfo -cert /etc/letsencrypt/live/google.tld/cert.pem
{
"subject": {
"common_name": "*.google.tld",
"names": [
"*.google.tld"
]
},
"issuer": {
"common_name": "Pebble Intermediate CA 18c1c7",
"names": [
"Pebble Intermediate CA 18c1c7"
]
},
"serial_number": "8140426274814243292",
"sans": [
"*.google.tld"
],
"not_before": "2019-11-22T12:16:17Z",
"not_after": "2024-11-22T12:16:17Z",
"sigalg": "SHA256WithRSA",
"authority_key_id": "",
"subject_key_id": "",
"pem": "-----BEGIN CERTIFICATE-----\nMIIDGTCCAgGgAwIBAgIIcPiakS6PMdwwDQYJKoZIhvcNAQELBQAwKDEmMCQGA1UE\nAxMdUGViYmxlIEludGVybWVkaWF0ZSBDQSAxOGMxYzcwHhcNMTkxMTIyMTIxNjE3\nWhcNMjQxMTIyMTIxNjE3WjAXMRUwEwYDVQQDDAwqLmdvb2dsZS50bGQwggEiMA0G\nCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4XGH8rnybiT15eMjGkK7HIs5fT808\naPGKOvQU8kLTg3s1OHYC+wVsl0mfnvHrWI3T8c8NX1dpzMPV3ARpgZlGObPGzqbh\nGerHzgB9dz3KlFvh8f2i3LA8BvjlV0tWac9RycDBOLfaLwh5X4UA4NdMTSYUutv3\nAjkkU0EUOnrKhtmKoSTyivGVbbFM/VvD+gkVezeqvFUHs1WrMKdvqwFdo7G/PndD\nnVFSYv8W3SVRuFo5dDirRPON++8B8dwjnMVkj82YOlxOtnNrzUQawKVqnPwPwaHn\n738Ao+E8j6IQRaCaMST2m534SqLlhauO8DOchv/qHxKZZSq9Kty+2HRVAgMBAAGj\nWDBWMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH\nAwIwDAYDVR0TAQH/BAIwADAXBgNVHREEEDAOggwqLmdvb2dsZS50bGQwDQYJKoZI\nhvcNAQELBQADggEBABQxslOVSamnBWiuZlrvnkAgsghLI/8yCQAAMiW6jA4N2UFz\nm8HKAXen1tNsCm2HQ5Y5l0E7c5GcM/s0LDqYlOfMBz0VamQ7FEy6niVJtMDPa5S2\n37atBbak4Jr5g4JEhUjxYhFtXe9Lm2ILnbMuv8DfX8mH9kkAvOA+fkyZ1Zp6zCbz\n4qfQas21zRTKDHJqpHWQx5UjEk4A8o0K/W+LQdTuutGG9TyudIPIdZdbM76uLj4f\nC2z/fsFy+g0asmn9QTzuJ9eGKkFZh3y6zlWeCM9BcAovOkkuhxRpWN4tFq+aVKAb\nDTl7WamDnkBIvuKWNRBgh4B8XIoAzX8MK/IwGlw=\n-----END CERTIFICATE-----\n"
}
After adding the exact same domain to generate the wildcard, a problem occurred. It seems the hooks run twice:
REQUESTS_CA_BUNDLE=/app/app/3rd/pebble/chain.pem certbot certonly --manual --preferred-challenges dns --email samplemail@gmail.com --agree-tos -d 'google.tld,*.google.tld' -n --manual-auth-hook='/app/app/app certbot:auth-hook' --manual-cleanup-hook='/app/app/app certbot:cleanup-hook' --manual-public-ip-logging-ok --server https://127.0.0.1:14000/dir
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for google.tld
dns-01 challenge for google.tld
Running manual-auth-hook command: /app/app/app certbot:auth-hook
Output from manual-auth-hook command app:
google.tld
CTekG-zg_c2xWZDYr27-bASvB2VaWo9xtZuTCNpl5PU
2019-11-22T12:19:21.929Z
CTekG-zg_c2xWZDYr27-bASvB2VaWo9xtZuTCNpl5PU
Running manual-auth-hook command: /app/app/app certbot:auth-hook
Output from manual-auth-hook command app:
google.tld
CJk_h5kzt1XExBgnMF6ut9gheRAluvgF_JrAoabOWBk
2019-11-22T12:19:23.233Z
CJk_h5kzt1XExBgnMF6ut9gheRAluvgF_JrAoabOWBk
Waiting for verification...
Challenge failed for domain google.tld
dns-01 challenge for google.tld
Cleaning up challenges
Running manual-cleanup-hook command: /app/app/app certbot:cleanup-hook
Output from manual-cleanup-hook command app:
undefined
Running manual-cleanup-hook command: /app/app/app certbot:cleanup-hook
Output from manual-cleanup-hook command app:
undefined
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: google.tld
Type: unauthorized
Detail: Correct value not found for DNS challenge
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
And as you can see, the challenge failed with multiple domains.
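The point the two runs above illustrate is that google.tld and *.google.tld are separate ACME identifiers with separate dns-01 challenges, but both are validated at the same TXT name, _acme-challenge.google.tld, so certbot runs the auth hook once per challenge with a different CERTBOT_VALIDATION each time, and the CA expects both values to be present when it queries that name. The example below is added here and is not code from the original post, from the poster's /app/app/app program, or from Certbot itself. It is a manual-auth-hook / manual-cleanup-hook pair in which a constructed JSON file stands in for the DNS back end (the TXT_STORE variable, the `auth`/`cleanup` verbs and the `fresh_store` helper are assumptions made for this example); CERTBOT_DOMAIN and CERTBOT_VALIDATION are the variables certbot really exports to manual hooks. `auth_hook` appends a second value instead of replacing the first, and `auth_hook_replacing` shows the overwrite variant, after which the first challenge's value is no longer there when the CA looks for it. The post does not show the hook's source, so whether that is what happened here is not established; it is simply the first thing to check when a wildcard-plus-apex order fails with "Correct value not found for DNS challenge" while the single-identifier order succeeds.

```python
# Added example (not from the original post or from Certbot): a manual DNS-01
# hook pair that tolerates two challenges for one TXT name. The DNS back end is
# a constructed JSON file; TXT_STORE and the auth/cleanup verbs are assumptions.
import json
import os
import sys
import tempfile
from pathlib import Path

STORE_PATH = Path(os.environ.get("TXT_STORE", "/tmp/acme_txt_store.json"))  # hypothetical


def challenge_name(domain: str) -> str:
    """google.tld and *.google.tld are both validated at _acme-challenge.google.tld."""
    if domain.startswith("*."):
        domain = domain[2:]
    return f"_acme-challenge.{domain}"


def _load(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def _save(path: Path, records: dict) -> None:
    path.write_text(json.dumps(records, indent=2, sort_keys=True))


def fresh_store() -> Path:
    """A new, empty stand-in DNS zone file (constructed for this example)."""
    return Path(tempfile.mkdtemp()) / "txt_records.json"


def auth_hook(domain: str, validation: str, path: Path = STORE_PATH) -> list:
    """Add this challenge's value; never discard what an earlier run put there."""
    records = _load(path)
    values = records.setdefault(challenge_name(domain), [])
    if validation not in values:
        values.append(validation)
    _save(path, records)
    return sorted(values)


def auth_hook_replacing(domain: str, validation: str, path: Path = STORE_PATH) -> list:
    """The failure mode: overwrite the record, so the previous value disappears."""
    records = _load(path)
    records[challenge_name(domain)] = [validation]
    _save(path, records)
    return [validation]


def cleanup_hook(domain: str, validation: str, path: Path = STORE_PATH) -> list:
    """Remove only this run's value; the other challenge may still be pending."""
    records = _load(path)
    name = challenge_name(domain)
    remaining = [v for v in records.get(name, []) if v != validation]
    if remaining:
        records[name] = remaining
    else:
        records.pop(name, None)
    _save(path, records)
    return sorted(remaining)


def ca_can_validate(domain: str, validation: str, path: Path = STORE_PATH) -> bool:
    """Simulates the CA's check: is the expected value among the TXT records?"""
    return validation in _load(path).get(challenge_name(domain), [])


def main(argv: list) -> int:
    # certbot exports these to --manual-auth-hook and --manual-cleanup-hook;
    # the auth/cleanup verb is this script's own convention.
    domain = os.environ["CERTBOT_DOMAIN"]
    validation = os.environ["CERTBOT_VALIDATION"]
    verb = argv[1] if len(argv) > 1 else "auth"
    if verb == "auth":
        print(auth_hook(domain, validation))
    elif verb == "cleanup":
        print(cleanup_hook(domain, validation))
    else:
        print(f"unknown verb {verb!r}", file=sys.stderr)
        return 2
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage would be `--manual-auth-hook 'python3 hook.py auth' --manual-cleanup-hook 'python3 hook.py cleanup'`; with a real DNS provider, replace `_load`/`_save` with the provider's record API and keep the add-rather-than-set behaviour, since certbot only calls the cleanup hook after all challenges have been attempted.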