Unable to request a cert in certbot

My domain is: wildcard.charbroil.com

I ran this command: certbot certonly

It produced this output: How would you like to authenticate with ACME CA? I chose 2 - Place files in webroot directory

I input my domain above. It then ask to input the webroot for the domain and I input C:\inetpub\wwwroot

Error produced:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): My server version is Windows R2 2008

The operating system my web server runs on is (include version): My OS is Windows R2 2008

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes, I can login as root shell on my machine

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I am using certbot 2.2.0

The --webroot method is an HTTP Challenge. You must have an A and/or AAAA record in your DNS so the Let's Encrypt server can find your IP. And, anyone on the public internet needs that too.

Based on the webroot folder shown (inetpub) it looks like you might be using IIS as your server. Certbot requires manual steps after getting the cert to update IIS. You might be better off using a Windows based ACME Client like Certify the Web or win-acme.


That domain name does not exist.

$ nslookup -q=any wildcard.charbroil.com ns0.dnsmadeeasy.com.
Server:         ns0.dnsmadeeasy.com.

** server can't find wildcard.charbroil.com: NXDOMAIN

Whereas the domain name charbroil.com does exist.

$ nslookup -q=any charbroil.com ns0.dnsmadeeasy.com.
Server:         ns0.dnsmadeeasy.com.

charbroil.com   text = "v=spf1 ip4: include:spf.directdevice.info include:spf.protection.outlook.com include:spf.cluster.4hr.de -all"
charbroil.com   text = "v=DMARC1; p=none; rua=mailto:email-auth@charbroil.com; ruf=mailto:email-auth@charbroil.com; fo=1"
charbroil.com   text = "ZOOM_verify_3o51LY5TT9aGWQdTig94dw"
charbroil.com   text = "_globalsign-domain-verification=tEc56l5_OJSWid37r4_1FhrRwtUa_fGn4IQIJ8MH-t"
charbroil.com   text = "jN/N5o+a8hNKqU2t2MWkYMtZbfb+oF/qRJH0ZLhsqIATodP281+WBKq9m9GRwVGmvt48LNcnj/g8ZqTNrIELBg=="
charbroil.com   text = "n4jsr5tlbmdcsi1dmc66ojj6dc"
charbroil.com   text = "dd2p58k0fp6h0hibv975jhvn3e"
charbroil.com   text = "facebook-domain-verification=ilrn2rwf8r6dwhqwbnchm1pulltbz0"
charbroil.com   text = "MS=ms29219001"
charbroil.com   text = "_globalsign-domain-verification=5gwbTrtjX4CPebqVSR8L6SpOvnf_3_6K7X0z_Izh9q"
charbroil.com   text = "j1uhh6es2v0etjh005b3muidq0"
charbroil.com   mail exchanger = 10 mxb-0030b401.gslb.pphosted.com.
charbroil.com   mail exchanger = 10 mxa-0030b401.gslb.pphosted.com.
Name:   charbroil.com
Name:   charbroil.com
Name:   charbroil.com
Name:   charbroil.com
        origin = ns0.dnsmadeeasy.com
        mail addr = abuse.wcbradley.com
        serial = 2008010825
        refresh = 43200
        retry = 3600
        expire = 1209600
        minimum = 180
charbroil.com   nameserver = ns3.dnsmadeeasy.com.
charbroil.com   nameserver = ns1.dnsmadeeasy.com.
charbroil.com   nameserver = ns0.dnsmadeeasy.com.
charbroil.com   nameserver = ns2.dnsmadeeasy.com.
charbroil.com   nameserver = ns4.dnsmadeeasy.com.
1 Like

I have to ask...
When you write "wildcard" in the name, do you want a cert with that exact name OR do you want a certificate that can cover many names (i.e. an actual "wildcard" certificate - like "*.example.com")?


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.