Wildcard request: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

trusktr · December 2, 2023, 10:50pm

Hello! I'm getting the same error as with

Solution: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA - #92 by bharathn86

and

Wildcard request: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

I ran this command:

certbot certonly \
    --non-interactive \
    --expand \
    --email joe@trusktr.io \
    --agree-tos \
    --standalone \
    --dry-run \
    --domain trusktr.io \
    --domain '*.sk8.earth'

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for trusktr.io and *.sk8.earth
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): A custom server written by me with Node.js.

The operating system my web server runs on is (include version): Arch Linux with certbot 2.7.4 running on Python 3.9.2 (I don't remember why I'm not on latest Python, but presumably there was an error with 3.10.x at the time when I was setting it up, and maybe that error is gone by now so I should try again).

Both domains are working (but as you can see you'll get a HTTPS warning in your browser):

So they are ready to go, I just need to figure how to register a cert for a wildcard. For these and any future ones, for example:

The current workaround is to list all the domains in the certbot command manually, like so:

certbot certonly \
    --non-interactive \
    --expand \
    --email joe@trusktr.io \
    --agree-tos \
    --standalone \
    --dry-run \
    --domain trusktr.io \
    --domain sk8.earth \
    --domain sk8.or.die.on.sk8.earth \
    --domain we.will.forever.sk8.earth \
    --domain we.live.to.sk8.earth \
    --domain etc.sk8.earth

Output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for trusktr.io and 4 more domains
The dry run was successful.

I want to reduce work by not having to manage lists in multiple places, so I was hoping a wildcard would do the trick.

danb35 · December 2, 2023, 10:56pm

The problem, and the solution, are the same as in the two topics you linked. Let's Encrypt requires you use DNS validation in order to obtain a wildcard cert, and the --standalone authenticator you've told certbot to use can't do DNS validation. You'll need to use the DNS authenticator, preferably with a plugin that will automatically make the necessary updates to your DNS records.

trusktr · December 2, 2023, 11:36pm

Thanks for explaining that, but I've no idea what to do. Can please show sample commands for this case (considering that I manage my DNS records manually via Linode)?

I currently have all the sub-domains I'll be using listed in my DNS settings (A/AAAA), and I would like to automate that too but that's for another day.

EDIT: Is this the best example? Let’s Encrypt generating Wildcard SSL certificate using Certbot | by Marcin Cuber | Medium

danb35 · December 3, 2023, 12:05am

No, it really isn't--anything that uses manual mode can hardly be considered a "best example" of how to use Let's Encrypt.

There's a certbot plugin to do DNS validation with Linode; I'd suggest you start here:
https://certbot-dns-linode.readthedocs.io/en/stable/

petercooperjr · December 3, 2023, 1:11am

Also, be aware that a wildcard cert is only for one level. A cert for *.example.com works for a.example.com and b.example.com, but not for c.d.example.com. (And there's no way to have more than one wildcard in a name.)

rg305 · December 3, 2023, 2:36am

You can use a cert with multiple wildcard SAN entries to cover those (and similar) names IF you replace all the subdomain "dots" with "dashes".
Like:

    --domain sk8-or-die.on.earth \
    --domain we-will.forever.earth \
    --domain we-live-to.sk8.earth \
    --domain etc.sk8.earth \
    --domain when-given-a-choice-it-is-always-to-sk8.earth

[and you have to actually own the domains - I see three domain names "on.earth", "forever.earth", and "sk8.earth"]

trusktr · December 3, 2023, 4:04am

Oops, I had a typo when replicating, they are all *.sk8.earth domains, I only have sk8.earth not on.earth or forever.earth. Updated that OP.

Ah, that's too bad. I was hoping to make a wildcard including any number of periods in the names.

The DNS A/AAAA records allow *.sk8.earth and it catches everything including a.b.c.d.e.f.g.sk8.earth (but HTTPS is not set up).

MikeMcQ · December 3, 2023, 4:49am

Yes, DNS wildcard matching works differently than cert wildcard matching. Don't blame Let's Encrypt. It's how the entire PKI system works including how browsers (and other TLS clients) match URL names against the cert SANs list and all that.

trusktr · December 3, 2023, 4:55am

Ah. That really throws a wrench in my plans. I wanted to auto-generate the sub-domains at any point in time.

trusktr · December 3, 2023, 5:11am

Oh well, I can't even get --dns-linode-credentials to work. I followed instructions, and I get a 401 when trying

certbot certonly \
    --non-interactive \
    --expand \
    --email joe@trusktr.io \
    --agree-tos \
    --dns-linode \
    --dns-linode-credentials /path/to/credentials.ini \
    --domain trusktr.io \
    --domain '*.sk8.earth'

where credentials.ini has

dns_linode_key = <secret_key>

Output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for trusktr.io and *.sk8.earth
Error adding TXT record: 401 Client Error: UNAUTHORIZED for url: https://api.linode.com/v4/domains/1989170/records

Where would I make a feature request for SSL wildcards that can cover any level subdomain?

petercooperjr · December 3, 2023, 12:10pm

You might want to look at software like Caddy instead for your web server, which can handle automatically requesting a cert for a specific hostname as soon as it starts being used.

My guess would be the CA/Browser forum, but I wouldn't hold your breath.

9peppe · December 3, 2023, 12:25pm

I am not sure if DNS catches that. But TLS SANs don't. Wildcards only apply to one label. No dots.

Osiris · December 3, 2023, 12:29pm

I'm not sure, but you might need to be a member of the CA/Browser Forum before you could make such suggestions.

rg305 · December 3, 2023, 4:55pm

It should.
[mine does]

trusktr · December 4, 2023, 9:44pm

Yeah, from my testing my DNS does, but anything not covered by SSL gets the unsecure treatment in the browser tab.

That is interesting! Thanks for sharing that!

schoen · December 5, 2023, 2:42am

You can join as an observer, but you have to complete some paperwork first. At that point, you can make suggestions, but the members don't have to vote on them. I used to be an observer representative there, and I could make suggestions, and the members didn't have to vote on them.

I think multi-level wildcards are something that many people have wanted for a long time and that might have some practical uses. But it's also something that has some major potential for abuse or accidents (imagine a hypothetical certificate valid for *.com that included all subdomains... that would be terrifying).

The rule that you can't have wildcards apply to more than one level of subdomain has existed for long enough that I expect a lot of people at CA/B Forum would be very uneasy with getting rid of it now. I'd personally like to see that discussion happen in order to clarify everyone's understanding of the risks and potential mitigations, but I expect it would end up rejecting the idea.

rg305 · December 5, 2023, 2:58am

@schoen, in your hypothetically terrifying example, the wildcard had only one "dot": "*.com"
As more dots are added the less terrifying the example becomes.

How many dots would a wildcard cert require for it to be considered "relatively safe"? Four? Five?
I can't imagine that this would freak anyone out:
*.sub3.sub2.sub1.example.com
Could then also be used for all things left of it:
(*)*.sub3.sub2.sub1.example.com

Such "wildercards" could then have two requirements:

can only include one * [which must be the left most character in the name]
must contain five [non-consecutive] periods in the name

trusktr · December 5, 2023, 6:31am

That would obviously not be allowed because ownership on the internet starts with the second level, enforced by the fact that websites can only be visited with second-level domains (example.com). It simply wouldn't fly.

What might be doable is an additional syntax, one that can only apply for 3rd level or higher, f.e. **.foo.com or **.sub.foo.com

Osiris · December 5, 2023, 7:13am

The baseline requirements actually do allow *.com and *.co.uk et c.

9peppe · December 5, 2023, 10:25am

Not actually true. There were a few examples/experiments with websites running on a top level domain directly.