Wildcard certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: yahsglobalkingdom.org and yeshurunfarm.com

I ran this command: sudo certbot certonly --manual -d *.yeshurunfarm.com -d yeshurunfarm.com -d *.yahsglobalkingdom.org -d yahsglobalkingdom.org --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01

It produced this output: it wants me to produce _acme-challenge.www for both domains.

My web server is (include version):
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2024-07-17T18:58:09

The operating system my web server runs on is (include version):
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

I currently have certs for both webservers www.yeshurunfarm.com and www.yahsglobalkingdom.org on the same server. I am trying to do a wildcard that includes both domains, or two separate wildcards, one for each domain. The issue I am having is that the request is also trying to validate the DNS for the www records, which I am trying to include in the wildcard so I can cancel the other two certificates. Can I make it exclude those certs until I have successfully gotten the wildcard certificate and tested it? Then I can cancel the other two certs.

Miles

Please provide the exact output of Certbot.

Note that sometimes the Linux terminal will expand the asterisk (*) into literal values if filenames are present in the current working directory.

But please provide the exact output, as I'm not really following your explanation to be honest.

2 Likes

Hi Osiris,
Here is the output.

Please see the logfiles in /var/log/letsencrypt for more details.
root@www:/etc/letsencrypt/live# sudo certbot certonly --manual -d *.yeshurunfarm.com -d yeshurunfarm.com -d *.yahsglobalkingdom.org -d yahsglobalkingdom.org --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/www.yahsglobalkingdom.org.conf)

It contains these names: www.yahsglobalkingdom.org

You requested these names for the new certificate: www.yeshurunfarm.com,
yeshurunfarm.com, www.yahsglobalkingdom.org, yahsglobalkingdom.org.

Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for www.yahsglobalkingdom.org
dns-01 challenge for www.yeshurunfarm.com
dns-01 challenge for yahsglobalkingdom.org


Please deploy a DNS TXT record under the name
_acme-challenge.www.yahsglobalkingdom.org with the following value:

x4wyGmIuVzJ-e3aa00_joZksiPQ24BOoH_nqk_g0JmE

Before continuing, verify the record is deployed.


Press Enter to Continue


Please deploy a DNS TXT record under the name
_acme-challenge.www.yeshurunfarm.com with the following value:

y9DKREr8k-dAku18CaskWIPczdTTACF24wXUpwsroS8

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)


Press Enter to Continue


Please deploy a DNS TXT record under the name
_acme-challenge.yahsglobalkingdom.org with the following value:

aDMDwwwMQC1yw9HsLGw1TMZQlzbEr1X8w0Fr3dcrXXU

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)


Press Enter to Continue^CCleaning up challenges

Perhaps, I should just ask for a new certificate?

Yeah looks like bash expansion to me. Try it with quotes (') around the hostnames so it prevents the shell expansion.

1 Like

OK will try that!

like this? sudo certbot certonly --manual -d '*.yeshurunfarm.com' -d 'yeshurunfarm.com' -d '*.yahsglobalkingdom.org' -d 'yahsglobalkingdom.org' --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01

1 Like

Yes, like that. It should prevent any accidental expansion of the * into www.

By the way, your command uses some very ancient and incorrect options, like --no-bootstrap, which is a relic from the certbot-auto wrapper script. Also, --manual-public-ip-logging-ok has been removed in modern versions of Certbot and is only used once when registering an ACME account.

2 Likes
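The replies above pin the "*.domain became www.domain" behaviour on shell pathname expansion: Certbot was run from /etc/letsencrypt/live, which contains a directory named www.yeshurunfarm.com, so the unquoted pattern matched it. The following script is an added example, not code from the thread or from Certbot; it reproduces the effect in a scratch directory with constructed names (www.example.test, example.test), shows the quoted form from the thread and the set -f alternative, and adds a small pre-flight check that refuses to proceed when a -d value names an existing path.

```shell
#!/bin/sh
# Added example, not part of the thread: shows why an unquoted "-d *.domain"
# argument turns into "-d www.domain" when run from a directory such as
# /etc/letsencrypt/live, and two ways to prevent it. All directory and
# domain names below are constructed for this demonstration.

# Create a scratch directory that mimics /etc/letsencrypt/live, where every
# existing certificate has a subdirectory named after its first domain.
make_live_dir() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/www.example.test" "$dir/www.example2.test" || return 1
    printf '%s\n' "$dir"
}

# Print each argument on its own line, exactly as a program (standing in for
# certbot here) receives it once the shell has finished expanding.
show_args() {
    for a in "$@"; do
        printf '%s\n' "$a"
    done
}

# 1. Unquoted pattern inside a directory that contains a matching name: the
#    shell replaces *.example.test with www.example.test before the program
#    ever sees it.
unquoted_expansion() {
    dir=$(make_live_dir) || return 1
    out=$(cd "$dir" && show_args -d *.example.test -d example.test)
    rm -rf "$dir"
    printf '%s\n' "$out"
}

# 2. Quoted pattern (the fix suggested in the thread): the asterisk survives.
quoted_no_expansion() {
    dir=$(make_live_dir) || return 1
    out=$(cd "$dir" && show_args -d '*.example.test' -d example.test)
    rm -rf "$dir"
    printf '%s\n' "$out"
}

# 3. set -f (noglob) switches pathname expansion off for the rest of the shell
#    or subshell, which protects every argument in a script without quoting
#    each one individually.
noglob_expansion() {
    dir=$(make_live_dir) || return 1
    out=$(cd "$dir" && set -f && show_args -d *.example.test -d example.test)
    rm -rf "$dir"
    printf '%s\n' "$out"
}

# Pre-flight check for wrapper scripts: refuse to continue when a -d value
# names an existing path in the current directory, the tell-tale sign that a
# wildcard was expanded by the shell.
check_domains() {
    for d in "$@"; do
        case "$d" in
            -d) continue ;;
        esac
        if [ -e "$d" ]; then
            printf 'refusing: "%s" is an existing path, so the shell probably expanded a wildcard\n' "$d" >&2
            return 1
        fi
    done
    return 0
}

# Demonstration when the script is run directly.
echo "unquoted:"; unquoted_expansion
echo "quoted:";   quoted_no_expansion
echo "noglob:";   noglob_expansion
```

Running it prints four argument lines per case; only the unquoted case shows www.example.test in place of the pattern. The check_domains function is the kind of guard to put in front of a certbot wrapper script: it costs nothing when the arguments are correct and catches the expansion before an unwanted certificate is requested.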

thanks will let you know.

Also note that using --manual without hooks prevents Certbot from automatically renewing the certificate, so you need to run this command to renew every 60 days.

Better options would be to run your own instance of acme-dns (server) so the dns-01 challenge can be automated. acme-dns-client is an example of a client which can work with Certbot as the client part of acme-dns.

2 Likes

A couple of questions:
1. What hooks could I use to enable it to auto renew?
2. The acme API solution: I have two webservers, both hosting two domains. Would I need this solution on both servers, or can one server host all domains?
3.

1 Like

That depends on what your DNS service provider offers as ways to automate adding and removing of RR using some kind of API. Some ACME clients like lego (and thus also Certbot using certbot-dns-multi) or acme.sh have many integrations for many DNS providers.

You mean acme-dns? Only one instance of acme-dns will suffice. You'd use CNAME records in the DNS zone of the domains you want to get a certificate for to redirect the request to the acme-dns instance.

1 Like

Ok, I believed when I checked before that there were no web-hooks for Network Solutions.

There still might not be. But setting up acme-dns just involves setting up a CNAME in your DNS to the acme-dns instance on your server.

An easier option, if possible, is to change your DNS Provider at your registrar to one that has an API supported by your preferred ACME Client for DNS Challenges.

2 Likes

Cloudflare is free, works pretty well and there is an official Certbot plugin for it.

2 Likes

I will consider it. I have to start over. I requested a wildcard for glorytoyah.org yesterday and everything appeared to work, only to find out the certificate chain is corrupted. It issued the certificates but they are not usable. Luckily the system is using the subdomain certs to continue to operate.

Probably not that. If you show the output of the command below and describe the symptom, we can probably guide you to the correct solution.

sudo certbot certificates

1 Like

root@meetings:/etc/letsencrypt/live/glorytoyah.org-0001# sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: glorytoyah.org-0001
Domains: *.glorytoyah.org glorytoyah.org
Expiry Date: 2025-04-03 16:57:29+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/glorytoyah.org-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/glorytoyah.org-0001/privkey.pem

Certificate Name: meetings.glorytoyah.org
Domains: meetings.glorytoyah.org
Expiry Date: 2025-02-05 16:25:03+00:00 (VALID: 31 days)
Certificate Path: /etc/letsencrypt/live/meetings.glorytoyah.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/meetings.glorytoyah.org/privkey.pem


root@meetings:/etc/letsencrypt/live/glorytoyah.org-0001#

sudo openssl verify -CAfile /etc/letsencrypt/live/glorytoyah.org-0001/chain.pem /etc/letsencrypt/live/glorytoyah.org-0001/fullchain.pem
C = US, O = Let's Encrypt, CN = R11
error 2 at 1 depth lookup: unable to get issuer certificate
error /etc/letsencrypt/live/glorytoyah.org-0001/fullchain.pem: verification failed
root@meetings:/etc/letsencrypt/live/glorytoyah.org-0001#

Test connection

root@meetings:/etc/letsencrypt/live/glorytoyah.org-0001# openssl s_client -connect localhost:587 -starttls smtp 
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C = US, O = Let's Encrypt, CN = R11
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.glorytoyah.org
verify return:1
---
Certificate chain
 0 s:CN = *.glorytoyah.org
   i:C = US, O = Let's Encrypt, CN = R11
 1 s:C = US, O = Let's Encrypt, CN = R11
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=CN = *.glorytoyah.org

issuer=C = US, O = Let's Encrypt, CN = R11

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3392 bytes and written 406 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 0E2C072BE983C49B2BE642695F2F020B4166B45E4A1090FE9BE0D1B5C7228871
    Session-ID-ctx: 
    Resumption PSK: 0011DB57955EF731F93F769541124299D998197BD7C823BAB3F2C910625E631C116EE0BEC2FBA953E11544808A776895
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - ff c4 b3 2f 60 f9 53 83-b5 f5 f4 ff c1 f2 69 c6   .../`.S.......i.
    0010 - c8 14 1c 61 99 1d 50 58-dd 9c ce d2 d5 9b 4e a4   ...a..PX......N.
    0020 - a2 56 36 8e 7e e2 69 dd-fd 35 e1 f9 9c c3 37 5f   .V6.~.i..5....7_
    0030 - ba 7e 4c 59 07 df a8 a7-52 90 05 8f cb 70 4f ab   .~LY....R....pO.
    0040 - 58 2d f7 2e cb 9d 82 69-52 92 ff 46 3d 1f ef da   X-.....iR..F=...
    0050 - 97 21 6c 35 2b 0e bb fa-d1 42 9b 11 f6 d8 00 2c   .!l5+....B.....,
    0060 - fc ce 07 e3 b9 0d cb dd-c0 65 8e 62 15 89 ab 69   .........e.b...i
    0070 - de f2 43 4d 8d 6c 9b f2-fc 26 c0 29 bf 2e fe 84   ..CM.l...&.)....
    0080 - 81 b8 64 38 34 95 e6 1d-5f cc ae 76 bc e7 ab dd   ..d84..._..v....
    0090 - b9 62 4b c4 96 28 74 2c-0f 83 91 36 e0 0d 1f 61   .bK..(t,...6...a
    00a0 - a9 ce 9a 39 6b f7 9f 69-21 96 8d 9d 92 d9 18 7b   ...9k..i!......{
    00b0 - 9d 4a 56 57 28 4f e9 da-07 75 26 91 bb 86 e7 3d   .JVW(O...u&....=
    00c0 - 7f cb 32 be cd 7c 7e 27-8e 40 86 51 0e 45 3b 48   ..2..|~'.@.Q.E;H

    Start Time: 1736033845
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
read:errno=0
root@meetings:/etc/letsencrypt/live/glorytoyah.org-0001#

Using openssl to verify local certs is tricky. To validate the cert try: How to verify LE cert using openssl? - #2 by _az

The chain.pem is simply the Let's Encrypt Intermediate cert used to issue your leaf (the cert.pem). This time R11 was the Intermediate (it might be R10 or others). And, fullchain.pem is just your leaf followed by that Intermediate.

I see a valid wildcard cert and chain connecting to your domain name on port 587. I may not be connecting to the same thing you are, since you used 'localhost'.

But, the error about "local issuer" usually involves the CA Trusted Root store on your local system. openssl is not able to find ISRG Root X1. That is the root that the chain leads to.

Have you made changes since you posted? Because this test to port 587 and your domain looks good: SSL Checker

Similarly, here is part of the openssl output from my test server:

openssl s_client -connect glorytoyah.org:587 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R11
verify return:1
depth=0 CN = *.glorytoyah.org
verify return:1
---
Certificate chain
 0 s:CN = *.glorytoyah.org
   i:C = US, O = Let's Encrypt, CN = R11
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan  3 16:57:30 2025 GMT; NotAfter: Apr  3 16:57:29 2025 GMT
 1 s:C = US, O = Let's Encrypt, CN = R11
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
2 Likes
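The post above explains the Certbot file layout (chain.pem is the intermediate only, fullchain.pem is the leaf followed by the intermediate) and why the "openssl verify -CAfile chain.pem fullchain.pem" attempt earlier in the thread fails: the chain has to end at a self-signed root in the trust store, and the intermediate is not one. The script below is an added example, not code from the thread, from Certbot or from Let's Encrypt. It assumes the openssl CLI is installed, builds a throwaway root / intermediate / leaf chain with constructed names ("Toy Root" standing in for ISRG Root X1, "Toy Intermediate" for R11, *.example.test for the wildcard), writes the files in the Certbot layout, and shows which verify invocations succeed.

```shell
#!/bin/sh
# Added example, not part of the thread: builds a throwaway root -> intermediate
# -> leaf chain with the openssl CLI (assumed to be installed), lays the files
# out the way Certbot does (cert.pem, chain.pem, fullchain.pem) and shows which
# "openssl verify" invocations succeed. All names are constructed.

# Create the toy PKI in a fresh temp directory and print its path.
build_toy_pki() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # Extension files: CA certificates need CA:TRUE, the leaf gets a SAN.
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test,DNS:example.test\n' > leaf.ext

        # Self-signed root: the trust anchor (plays the role of ISRG Root X1).
        openssl req -new -batch -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
            -subj '/CN=Toy Root' 2>/dev/null || exit 1
        openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 \
            -out root.pem 2>/dev/null || exit 1

        # Intermediate signed by the root (plays the role of R11).
        openssl req -new -batch -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
            -subj '/CN=Toy Intermediate' 2>/dev/null || exit 1
        openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
            -extfile ca.ext -days 2 -out int.pem 2>/dev/null || exit 1

        # Wildcard leaf signed by the intermediate.
        openssl req -new -batch -newkey rsa:2048 -nodes -keyout privkey.pem -out leaf.csr \
            -subj '/CN=*.example.test' 2>/dev/null || exit 1
        openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
            -extfile leaf.ext -days 2 -out cert.pem 2>/dev/null || exit 1

        # Certbot layout: chain.pem is the intermediate alone,
        # fullchain.pem is the leaf followed by the intermediate.
        cp int.pem chain.pem || exit 1
        cat cert.pem chain.pem > fullchain.pem || exit 1
    ) || return 1
    printf '%s\n' "$dir"
}

# Report success only when openssl prints "<file>: OK"; grepping the output is
# more portable across openssl versions than trusting the exit status.
verify_ok() {
    openssl verify "$@" 2>&1 | grep -q ': OK$'
}

# The invocation from the thread: the intermediate alone as -CAfile. This fails
# ("unable to get issuer certificate" at depth 1) because the chain must end at
# a self-signed certificate in the trust store, and the intermediate is not one.
verify_chain_as_cafile() {
    ( cd "$1" && verify_ok -CAfile chain.pem fullchain.pem )
}

# Correct check: the root as trust anchor, the intermediate passed as an
# untrusted helper certificate, and the leaf as the certificate under test.
verify_with_root() {
    ( cd "$1" && verify_ok -CAfile root.pem -untrusted chain.pem cert.pem )
}

# If all you want to confirm is that the leaf was issued by the intermediate in
# chain.pem, -partial_chain lets a non-root certificate act as the trust anchor.
verify_partial_chain() {
    ( cd "$1" && verify_ok -CAfile chain.pem -partial_chain cert.pem )
}

# Demonstration when the script is run directly.
pki=$(build_toy_pki) || { echo "could not build the toy PKI (is openssl installed?)" >&2; exit 1; }
for check in verify_chain_as_cafile verify_with_root verify_partial_chain; do
    if "$check" "$pki"; then echo "$check: OK"; else echo "$check: FAILED"; fi
done
rm -rf "$pki"
```

Against a real Certbot directory the equivalent of verify_with_root is "openssl verify -untrusted chain.pem cert.pem", which takes the root from the system store, or, on Ubuntu, explicitly "-CAfile /etc/ssl/certs/ca-certificates.crt -untrusted chain.pem cert.pem". If that form still reports "unable to get local issuer certificate", the problem is the local trust store (ISRG Root X1 missing or the ca-certificates package out of date), not the certificate Certbot issued, which is the point made in the post above.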