Wildcard Cert - DNS Challenges Woes

My domain is:
toastmastersclubs.org (and toastmastersdistricts.org)

I ran this command:
certbot-auto

It produced this output:
cannot produce wildcard certs that we want referenced to install docker or plugin

My web server is (include version):
Apache

Reference past related thread:

The operating system my web server runs on is (include version):
Linux

My hosting provider, if applicable, is:
AWS ...

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): latest certbot

Trying to get certbot set up to issue wildcard certs for toastmastersclubs.org and toastmastersdistricts.org along with automated renewal. Not sure how to best handle the DNS challenges... seems like we need to install a plugin... why? What is the plugin doing for us?

-Steve

2 Likes

The plugin teaches the core Certbot software how to interact with your DNS host, which is necessary in order to perform the DNS challenge.

However, there is no GoDaddy plugin for Certbot, so that’s kind of off the table.

There are alternatives to Certbot that do support GoDaddy, though. For example, it’s quite simple to do with acme.sh: https://github.com/acmesh-official/acme.sh/wiki/dnsapi#4-use-godaddycom-domain-api-to-automatically-issue-cert

2 Likes

Ok, so you are saying that we should not use certbot for wildcard certs for this use case? I am a bit surprised given how much certbot seems to be promoted in these forums and on this website.

1 Like

There are lots of ACME clients with varying strengths and weaknesses.

DNS plugins are one of Certbot’s current weaknesses, because the way they are packaged and distributed is a bit complicated.

It’s not impossible to use Certbot in this case, it’s just not straightforward. Somebody has even written a plugin for it, by the looks of it: https://github.com/Kjoep/certbot-dns-godaddy . No instructions, though.

1 Like

you can use certbot to complete the DNS challenges

I believe currently for wildcards the DNS challenge is the only one that you can use (otherwise someone with access to your website could issue email certificates etc)

Certbot does come bundled with a bunch of scripts that can do the DNS challenge. The DNS providers currently supported are here: https://certbot.eff.org/docs/using.html#dns-plugins
As mentioned if your DNS provider is not on that list then you can use a custom script hook to add a TXT record.

Certbot will provide what record to add via the plugin interface

Hope this clears things up

Personally I have been using certbot to issue wildcards with the Cloudflare plugin for some time

1 Like
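As an added example (not code from this thread or from Certbot itself), here is the shape of the custom script hook the reply above refers to: a `--manual-auth-hook` that receives `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` from Certbot, publishes the `_acme-challenge` TXT record, and waits for it to become visible before letting validation proceed. The `publish_txt_record` function is a hypothetical stand-in for your DNS provider's API call.

```shell
#!/bin/sh
# Added example (not from the thread or Certbot). Invoke via, e.g.:
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook /root/acme-auth-hook.sh \
#     -d toastmastersclubs.org -d '*.toastmastersclubs.org'
# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to this script.
set -eu

# Build the record name Certbot expects. Certbot passes the base domain for a
# wildcard request, but strip a leading "*." defensively.
acme_record_name() {
    domain=${1#\*.}
    printf '_acme-challenge.%s\n' "$domain"
}

# Hypothetical stand-in: replace with your DNS provider's API call. Read the
# API key from a root-only (0600) file, never from argv where `ps` exposes it.
publish_txt_record() {
    name=$1
    value=$2
    echo "would publish TXT $name -> \"$value\"" >&2
}

# Poll an authoritative nameserver until the record is visible, so Certbot
# does not ask Let's Encrypt to validate before propagation finishes.
wait_for_propagation() {
    name=$1; value=$2; tries=${3:-30}
    ns=$(dig +short NS "${name#_acme-challenge.}" | head -n1)
    i=0
    while [ "$i" -lt "$tries" ]; do
        if dig +short TXT "$name" "@$ns" | grep -qF "\"$value\""; then
            return 0
        fi
        i=$((i+1)); sleep 10
    done
    echo "TXT record $name not visible after $tries tries" >&2
    return 1
}

main() {
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    publish_txt_record "$name" "$CERTBOT_VALIDATION"
    wait_for_propagation "$name" "$CERTBOT_VALIDATION"
}

# Only run when invoked by Certbot; the functions can be sourced on their own.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    main
fi
```

A matching `--manual-cleanup-hook` should delete the record afterwards, and the same hook pair is reused unchanged by `certbot renew`, which is what makes the "set it and forget it" renewal possible.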

To be clear, we really do not care which client we use to get the wildcard certs… I was just focused on certbot since that is what seemed to be promoted the most. However, if there is another approach that is simpler for our use case, I am interested in giving it a shot.

We just want the simplest approach that will allow us to issue the initial certs and set up the renewal scheme. We just want to essentially “set it and forget it”.

1 Like
