Wildcard with rfc2136 dns challenge

Hi,

Sorry, but it is really not clear to me from the Certbot documentation.

When you use -d example.com, it's not a wildcard certificate then?
So that's why *.example.com says that this plugin doesn't support wildcards?

If you’re receiving the message that wildcards aren’t supported, then make sure you are on a recent version of Certbot.

Following the repo instructions from the Certbot website will ensure you get the latest version, as versions from your OS repository will, in all likelihood, be very old.

To include the base domain:

-d example.org

To include the wildcard as well as the base domain:

-d "*.example.org" -d example.org

Thanks for that, I'm gonna try.

According to ppa.launchpad.net/certbot, the one in the new Ubuntu repo (bionic, 18.04) is newer than the one in the Certbot repo:
0.23.0-1 versus 0.22.2-1 in the Certbot repo. Is that normal?

I'm confirming that on Ubuntu it's the same error message with all versions.

So the only way I got something working is installing a CentOS VM, or certbot certonly --agree-tos --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory -d ...

What was the full command you were using before?

Wildcards do require using the DNS challenge and also the acme-v02 API.

certbot certonly --manual --preferred-challenges dns -d ....

I was also hoping to get dns-rfc2136 working, but it seems that it doesn't accept the dns-rfc2136-credentials argument, so I guess it's a version problem?

Hmmm, what kind of error did you see there? Can you show the complete command line (just without the actual credential) and the resulting error message?

1/ First, for the dns challenge, is it because I didn't add the --server argument?

2/ $ sudo certbot certonly --manual --dns-rfc2136 --dns-rfc2136-credentials '/home/boubou/.secrets/certbot/rfc2136.ini' -d *.example.fr -d *.example.com
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --dns-rfc2136-credentials /home/boubou/.secrets/certbot/rfc2136.ini

Maybe!

I know this is potentially quite confusing, but in Certbot's internal design --manual is seen as an alternative to --dns-rfc2136 (as they are both described as "plugins"). Therefore you should try this again without --manual and see if you get a different output.

1/ Sorry then, if it was that; I thought that the dns challenge would already have the address in its code.
2/ $ sudo certbot certonly --dns-rfc2136 --dns-rfc2136-credentials '/home/boubou/.secrets/certbot/rfc2136.ini' -d *.example.com -d *.example.be
[sudo] password for boubou:
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --dns-rfc2136-credentials /home/boubou/.secrets/certbot/rfc2136.ini

Same results then…

Thanks for trying that. I’ll ask some colleagues for advice on this situation.

Thanks, and no problem. As I said, it's maybe a version problem.

If you just use --dns-rfc2136, without specifying the credential location, what do you see?

Plugin missing… I didn't know that I had to install it. I'm going to do some tests with the plugin installed.

sudo certbot certonly --dns-rfc2136 --dns-rfc2136-credentials '/home/boubou/.secrets/certbot/rfc2136.ini' -d *.example.com -d *.example.be
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/example.com.conf)

What would you like to do?

1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
The currently selected ACME CA endpoint does not support issuing wildcard certificates.

In this case I guess you’ll have to add the --server option as well.

I'm going to verify that. Could you add that to the documentation, because it's clearly not in it: certbot rfc2136

Yes, it works with the server argument. I still have a SERVFAIL (I did another post for that anyway), but at least it works.
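The two pitfalls the thread works through (passing --manual together with --dns-rfc2136, and requesting a wildcard without the ACME v2 --server endpoint) can be caught before certbot is run. The script below is an added example, not code from the thread or from the Certbot project; the credentials path and domain names are placeholders, and the plugin package itself is assumed to be installed already.

```shell
#!/bin/sh
# Added example: assemble a certbot dns-rfc2136 command line that avoids the
# mistakes discussed above, and check the TSIG credentials file permissions.
#   - --manual and --dns-rfc2136 are both authenticator plugins; use only one
#   - a wildcard name needs the DNS challenge and the ACME v2 endpoint
# Domains and file paths used here are placeholders chosen for the example.

ACME_V2="https://acme-v02.api.letsencrypt.org/directory"

# is_wildcard NAME -> succeeds if NAME begins with "*."
is_wildcard() {
    case "$1" in
        \*.*) return 0 ;;
        *)    return 1 ;;
    esac
}

# build_certbot_cmd CREDS_FILE DOMAIN... -> prints the certbot command line.
# --manual is deliberately never emitted; --server is added only when at
# least one name is a wildcard, which is what the thread shows is required.
build_certbot_cmd() {
    creds="$1"; shift
    cmd="certbot certonly --dns-rfc2136 --dns-rfc2136-credentials $creds"
    need_v2=1
    for d in "$@"; do
        if is_wildcard "$d"; then need_v2=0; fi
        # single-quote each name so a later shell never globs the '*'
        cmd="$cmd -d '$d'"
    done
    if [ "$need_v2" -eq 0 ]; then
        cmd="$cmd --server $ACME_V2"
    fi
    printf '%s\n' "$cmd"
}

# check_creds FILE -> succeeds only if the TSIG key file exists and is
# readable by its owner alone (mode 600); the key can update your zone,
# so it should not be world-readable. Tries GNU stat, then BSD stat.
check_creds() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ]
}
```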