Use multiple authenticators possible


#1

We have several domains, some we want to authenticate via webroot plugin (HTTP challenge) and some via google dns plugin (dns challenge). As we have this in an automated process with ansible, we’d like to have this in one command, where Certbot first tries the HTTP challenge and if that fails tries the DNS challenge. Is that possible?


#2

You can’t do this in the ACME protocol - failing an authorization kills the entire certificate order.

Edit: I suppose you could run a second certificate order when the first one fails, but keep in mind:

There is a Failed Validation limit of 5 failures per account, per hostname, per hour

It doesn’t seem like a good idea. Best to figure out ahead of time which validation is going to succeed, and use it. Many environments do such pre-flight checks before sending orders to Let’s Encrypt.


#3

@_az So I have to split it in two commands, the first trying HTTP and if that fails try DNS instead. Meaning I can’t mix wildcard domains with domains I don’t have DNS access to.

Thanks for the reply.


#4

Let’s Encrypt lets you validate different names using different methods when they’re part of the same order.

Certbot is less flexible. I believe it supports different validation methods as part of one certificate request, but it allows a request to use only one plugin. Since the webroot plugin only supports HTTP-01 and the DNS plugins only support DNS-01, your situation can’t take advantage of it. :slightly_frowning_face:

Other ACME clients may be more flexible. acme.sh, for one, supports using different plugins in one certificate.

It’s up to you to pick which option is the least of a hassle. :sweat:


#5

@mnordhoff Thank you very much, for the deeper explanation especially the difference between validators/authenticators and plugins, that wasn’t quite clear for me.

Thank you also for the hint about acme.sh and its hybrid mode, that is actually that I was looking for. I’ve though to discuss this in our team.


#6

@_az Good point with the limit. A flag would well be the better idea, to choose which challenge to use, yes.