Wildcard with rfc2136 dns challenge


#1

Hi,

sorry but it is really not clear for me in the documentation from certbot.

when you use -d example.com it’s not a wildcard certificate then ?
so that’s why *.example.com is saying that this plugin doesn’t support wildcard?


#2

If you’re receiving the message that wildcards aren’t supported, then make sure you are on a recent version of Certbot.

Following the repo instructions from the Certbot website will ensure you get the latest version, as versions from your OS repository will, in all likelihood, be very old.

To include the base domain:

-d example.org

To include the wildcard as well as the base domain:

-d "*.example.org" -d example.org

#3

Thanks for that I’m gonna try.


#4

According to ppa.launchpad.net/certbot
The one in the new ubuntu repo bionic 18.04 is newer than in the repo from certbot.
0.23.0-1 and in certbot repo it s 0.22.2-1 is that normal ?


#5

I’m confirming that on ubuntu it’s the same error message with all version

So the only way I got something working is installing a centos VM or certbot certonly —agree-tos —manual —prefered-challenges dns —server https//acme-v02.api.letsencrypt.org/directory -d ...


#6

What was the full command you were using before?

Wildcards do require using the DNS challenge and also the acme-v02 API.


#7

Certbot certonly —manual —preferred-challenge dns -d ....

I was hoping also to get dns-rfc2136 working but it seems that it doesn’t accept dns-rfc2136-credentials argument so I guess a problem of version ?


#8

Hmmm, what kind of error did you see there? Can you show the complete command line (just without the actual credential) and the resulting error message?


#9

1/ First for the dns challenge, is it because I didn’t add the —server argument ?

2/ $ sudo certbot certonly --manual --dns-rfc2136 --dns-rfc2136-credentials ‘/home/boubou/.secrets/certbot/rfc2136.ini’ -d *.example.fr -d *.example.com
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

    Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
    it will attempt to use a webserver both for obtaining and installing the
    certificate. 
    certbot: error: unrecognized arguments: --dns-rfc2136-credentials /home/boubou/.secrets/certbot/rfc2136.ini

#10

Maybe!

I know this is potentially quite confusing, but in Certbot’s internal design --manual is seen as an alternative to --dns-rfc2136 (as they are both described as “plugins”). Therefore you should try this again without --manual and see if you get a different output.


#11

1/ sorry then if it was that, I thought that the dns challenge would have the address in its code already
2/ $ sudo certbot certonly --dns-rfc2136 --dns-rfc2136-credentials ‘/home/boubou/.secrets/certbot/rfc2136.ini’ -d *.example.
com -d *.example.be
[sudo] password for boubou:
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. 
certbot: error: unrecognized arguments: --dns-rfc2136-credentials /home/boubou/.secrets/certbot/rfc2136.ini

#12

same results then …


#13

Thanks for trying that. I’ll ask some colleagues for advice on this situation.


#14

thanks and no problem. As I said, it’s maybe a version problem


#15

If you just use --dns-rfc-2136, without specifying the credential location, what do you see?


#16

plugin missing… didn’t know that I had to install it. I’m going to make some test with the plugin installed


#17

sudo certbot certonly --dns-rfc2136 --dns-rfc2136-credentials ‘/home/boubou/.secrets/certbot/rfc2136.ini’ -d *.example.com -d *.example.be
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/example.com.conf)

What would you like to do?

1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Renewing an existing certificate
The currently selected ACME CA endpoint does not support issuing wildcard certificates.


#18

In this case I guess you’ll have to add the --server option as well.


#19

I’m going to verify that, could you add that in the documetnation because it’s clearly not in it:certbot rfc2136


#20

yes it works with the server argument. I still have a SERVFAIL(I did another post for that anyway) but at least it works