Want to replace wildcard Comodo CA by Let's Encrypt

I have a wildcard *.vocabase.com from Comodo CA but I want to replace it by a Let's Encrypt certificate.
Certificates are really not my speciality and I'm very new to that.
I guess my problem is a conflict with a wildcard Comodo certificate but I don't know how to correct that.
Could you help me?

  • My domain is: as.vocabase.com
  • I ran this command: certbot certonly --apache
  • It produced this output:

Requesting a certificate for as.vocabase.com
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: as.vocabase.com
Type: caa
Detail: CAA record for as.vocabase.com prevents issuance

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.

  • My web server is (include version): apache2

  • The operating system my web server runs on is (include version): debian 10

  • My hosting provider, if applicable, is: OVH

  • I can login to a root shell on my machine (yes or no, or I don't know): yes

  • I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, I'm using an SSH console

  • The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0

Weird. Why would your certbot output mention the standalone plugin whereas your command says it should use the apache plugin?

Only Sectigo is allowed to issue certificates for vocabase.com and its subdomains:

https://toolbox.googleapps.com/apps/dig/#CAA/vocabase.com

You can either append your DNS to include a CAA record for vocabase.com which permits issuance by letsencrypt.org (of course with a properly formatted CAA record et cetera) or you can add a CAA record permissive for issuance by letsencrypt.org for as.vocabase.com.

Note that neither the apache plugin nor the standalone plugin will be able to get you a wildcard certificate. Let's Encrypt restricts wildcard certificates to the dns-01 challenge, which requires a DNS plugin (if you want to automate everything, which is highly recommended).

You're in luck, as Certbot has a DNS plugin for OVH.

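To make the CAA reasoning above concrete, here is an added example (not code from the thread or from Certbot) that evaluates CAA records the way RFC 8659 tells a CA to: climb from the requested name toward the apex until a CAA set is found, then check whether the CA's domain is listed. The zone data is constructed in memory; the Sectigo value and the letsencrypt.org record at as.vocabase.com are assumptions that mirror the situation described, not a live lookup.

```python
# Constructed in-memory CAA data (no live DNS): name -> list of (flags, tag, value).
# BEFORE mirrors the thread: only Sectigo is authorised at the apex, and
# as.vocabase.com has no CAA records of its own, so it inherits the apex set.
CAA_BEFORE = {
    "vocabase.com": [(0, "issue", "sectigo.com")],
    "as.vocabase.com": [],
}
# AFTER adds the subdomain-level record the reply suggests (value is assumed).
CAA_AFTER = {
    "vocabase.com": [(0, "issue", "sectigo.com")],
    "as.vocabase.com": [(0, "issue", "letsencrypt.org")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_set(name, zone):
    """Climb from name toward the root and return (owner, records) of the first
    non-empty CAA RRset, as RFC 8659 section 3 prescribes."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        records = zone.get(owner, [])
        if records:
            return owner, records
    return None, []


def issuance_permitted(fqdn, ca_domain, zone):
    """Return (permitted, reason) for ca_domain issuing a cert for fqdn.
    fqdn may be a wildcard such as '*.vocabase.com'."""
    wildcard = fqdn.startswith("*.")
    owner, records = relevant_caa_set(fqdn[2:] if wildcard else fqdn, zone)
    if not records:
        return True, "no CAA records anywhere in the tree; issuance unrestricted"
    # A critical record (flag bit 128) with an unknown tag must block issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False, f"{owner}: unrecognised critical CAA property"
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # issuewild governs wildcard names when present; otherwise issue governs both.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"{owner}: no applicable issue property; unrestricted"
    # Strip any ';param=value' suffix; a bare ';' means 'no CA may issue'.
    allowed = {v.split(";")[0].strip().lower() for v in applicable} - {""}
    if ca_domain.lower() in allowed:
        return True, f"{owner} CAA permits {ca_domain}"
    return False, f"{owner} CAA restricts issuance to {sorted(allowed)}"
```

Running `issuance_permitted("as.vocabase.com", "letsencrypt.org", CAA_BEFORE)` reproduces the "CAA record prevents issuance" outcome, while the same call against `CAA_AFTER` succeeds; `*.vocabase.com` still fails against `CAA_AFTER` because a wildcard at the apex is governed by the apex record.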

Hello Osiris,
Thanks a lot for your answer.

Yes, you are right, it is not a good copy-paste. Here is the correct answer from certbot. (Sorry about that)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: as.vocabase.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for as.vocabase.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

I will try to add a CAA letsencrypt record into OVH DNS.

f.


Hello Osiris,
Thanks a lot, you saved my day :)
It works now.
f.

