I ran this command: certbot certonly --standalone with webserver off, and certbot certonly --webroot with it on, same result
It produced this output:
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
My web server is (include version):
Apache 2.4.18 Win64
The operating system my web server runs on is (include version):
Windows 7 x64 Enterprise
My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 1.6.0
Just installed a fresh certbot for the first time from the link on the certbot Apache-Windows help page. Tried executing the two commands listed there. Both fail with the same message above.
This system is directly on the internet, not going through any firewall or router. And for the --webroot command, I have verified this file can be accessed: http://mediadog.com/.well-known/acme-challenge/test
So is some kind of authenticator plugin needed? Where would I find the docs for that? I am new to certbot, and the docs for Windows are terse at best. Thanks!
If you can make do without a wildcard (instead naming each domain on the certificate), that would mean you could use --webroot or --standalone.
Otherwise, you would need to find a client that supports talking to the Network Solutions API for the DNS challenge, though I am not sure if any exist, let alone for Windows.
I have CloudFlare and there is a DNS plugin framework which, when I get around to it, I might configure.
I don’t think the Windows version works as seamlessly as the Linux version, but once again I haven’t done full testing so take that statement with a grain of salt.
There are a few other PowerShell and Windows based clients which may be easier to use
All usual operations to create and manage an account, manage existing certificates, or select the ACME server, are supported.
Only standalone, manual and webroot authenticator plugins are supported. DNS plugins will be available soon. This means that Certbot for Windows is currently unable to automatically renew wildcard certificates, since these require a DNS plugin in order to be renewed without user intervention.
No installer plugins are supported. The Apache and Nginx plugins will be available soon, and a plugin to install certificates into IIS is under development.
Automated certificate renewals (using standalone and webroot plugins) are supported.
Note for Windows Apache or Nginx users
As described in section 5 above, Certbot for Windows currently cannot install the certificate in Apache or Nginx for you. As of the most recent release, you will have to edit your web server application’s configuration to install the certificate yourself after Certbot has obtained it. If this limitation is acceptable to you, please start from the beginning of this document to learn more about installing and using Certbot on Windows.
Thanks @_az, then the docs on the certbot site are incorrect. For when you click the “wildcard” tab there, it shows you the exact same info as for the default, which is to use --standalone or --webroot. Thanks, for now I’ll enumerate all the hosts.
Thanks @ahaw021, I’ll give those a shot. And yeah I knew I’ll have to manually install the certificates and that DNS was not available, part of my confusion when the documented process resulted in saying I needed to do DNS!
Thanks @MediaDog, I created that documentation based on a draft documentation version from the Windows developer, who wasn’t thinking about how to make it parallel to the other Unix-oriented documentation on the site (which does indeed have separate versions for wildcard and non-wildcard). I agree that this is a mistake in our Windows documentation and needs to be fixed.
Sorry for the inconvenience, and thank you for letting us know!
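The error in this thread comes from a mismatch between the challenge types the CA offers for each name and the ones the selected authenticator can perform. The sketch below is an added example, not Certbot's own code and not part of any post above; it assumes authorization objects shaped like RFC 8555 section 7.1.4, uses the placeholder domain example.org, and uses "dns-plugin" as a hypothetical stand-in for any DNS authenticator.

```python
import json

# Challenge types each authenticator can perform. standalone, webroot and
# manual are the ones named in the thread; "dns-plugin" is a hypothetical
# stand-in for any DNS authenticator plugin.
SUPPORTED = {
    "standalone": {"http-01"},
    "webroot": {"http-01"},
    "manual": {"http-01", "dns-01"},
    "dns-plugin": {"dns-01"},
}

# Constructed sample: two authorizations trimmed to the fields used here.
# The wildcard one carries the base domain plus "wildcard": true, and the
# CA offers only dns-01 for it.
SAMPLE_AUTHZS = json.loads("""
[
  {"identifier": {"type": "dns", "value": "example.org"},
   "challenges": [{"type": "http-01"}, {"type": "dns-01"}, {"type": "tls-alpn-01"}]},
  {"identifier": {"type": "dns", "value": "example.org"}, "wildcard": true,
   "challenges": [{"type": "dns-01"}]}
]
""")

def display_name(authz):
    """Return the name as it was requested on the command line."""
    value = authz["identifier"]["value"]
    return "*." + value if authz.get("wildcard") else value

def unsatisfiable(authzs, authenticator):
    """List names whose offered challenges the authenticator cannot perform."""
    can_do = SUPPORTED[authenticator]
    blocked = []
    for authz in authzs:
        offered = {c["type"] for c in authz["challenges"]}
        if not offered & can_do:  # no challenge type in common
            blocked.append(display_name(authz))
    return blocked

def usable_authenticators(authzs):
    """Authenticators that can satisfy every authorization in the order."""
    return sorted(a for a in SUPPORTED if not unsatisfiable(authzs, a))

if __name__ == "__main__":
    for name in ("standalone", "webroot", "manual"):
        print(name, "->", unsatisfiable(SAMPLE_AUTHZS, name) or "ok")
```

Dropping the wildcard authorization from the order, as the first reply suggests, leaves every listed authenticator usable.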