Use #letsencrypt to generate a wildcard domain certificate

June 26, 2019

I am a long-time user of letsencrypt who just found out that my old way of renewing my set of certificates is no longer supported.

Running the usual "certbot renew" command, which used to renew my certificates, now resulted in the error:

2019-04-06 17:38:19,072:WARNING:certbot.renewal:Attempting to renew cert (blog.voina.org) from /etc/letsencrypt/renewal/blog.voina.org.conf produced an unexpected error:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.. Skipping.

Looking on the Internet I found out that, due to security issues, the TLS-SNI-01 validation method I was using had been phased out. Of course, my certificates had to expire in the first week of April 🙂
See the announcement: End-of-Life for All TLS-SNI-01 Validation Support.

Then I decided to see how I could use the new wildcard domain certificate feature from letsencrypt. That would mean I can use a single certificate for all my subdomains.

Below is the log of the command to manually issue a wildcard domain certificate. Note that --manual is for manual mode (make sure to stop your http server before running this command), and --preferred-challenges dns means the challenge will be expected as a DNS TXT entry:

[root@nas1 ~]# certbot certonly --manual --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): voina.org, *.voina.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for voina.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.voina.org with the following value:

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/voina.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/voina.org/privkey.pem
   Your cert will expire on 2019-07-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Important to note: when you get to line 23 of the log (the TXT value), you will have to connect to your domain registrar and add the TXT record for your domain as instructed. In my case I connected to cPanel and edited this on the registrar's page. Make sure the entry is active and wait some time so that the DNS entry is propagated.

As the output above suggests, from now on I should be able to renew my wildcard certificate using the same "certbot renew" command. It turns out this is not true!

In fact the only way to renew is the following:

 certbot certonly --manual -d 'voina.org, *.voina.org' --preferred-challenges dns

It seems --manual is the problem here. When I tried "certbot renew" I got the error:

The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (voina.org) from /etc/letsencrypt/renewal/voina.org.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/voina.org/fullchain.pem (failure)
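The two places where this procedure goes wrong are working out exactly which TXT record to create (including the form the registrar's web interface expects, see the comment below about the domain suffix being appended automatically) and pressing Enter before the record is actually visible. The following helper script is an added example, not code from the original post or from certbot; it computes the record name for the dns-01 challenge and polls a public resolver until the expected value shows up. It assumes `dig` is installed for the live lookup; the resolver address and the sample records used in the usage line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from certbot): work out the
# dns-01 TXT record and confirm it is visible before telling certbot to
# continue. Assumes `dig` is installed; resolver 1.1.1.1 is an assumption.

# Challenge record name for a domain. A wildcard (*.example.org) is
# validated at the same name as its base domain, so the "*." is dropped.
acme_record_name() {
    case $1 in
        \*.*) base=${1#??} ;;   # strip the leading "*."
        *)    base=$1 ;;
    esac
    printf '_acme-challenge.%s\n' "$base"
}

# Relative name to type into a registrar form that appends the zone
# itself (so "_acme-challenge", not "_acme-challenge.voina.org").
acme_relative_name() {
    fqdn=$(acme_record_name "$1")
    zone=$2
    printf '%s\n' "${fqdn%.$zone}"
}

# Does the output of `dig +short TXT` contain the expected value?
# dig prints each TXT string quoted ("..."); strip the quotes and
# require an exact, whole-line match so a prefix is not accepted.
txt_output_contains() {
    output=$1
    expected=$2
    printf '%s\n' "$output" | sed -e 's/^"//' -e 's/"$//' | grep -qxF -- "$expected"
}

# Poll a public resolver until the record is seen; returns 0 on success.
# $3 (attempts) and $4 (seconds between attempts) are optional.
wait_for_txt() {
    name=$1; expected=$2; attempts=${3:-12}; delay=${4:-10}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        answer=$(dig +short TXT "$name" @1.1.1.1 2>/dev/null)
        if txt_output_contains "$answer" "$expected"; then
            echo "$name: record visible"
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    echo "$name: record not visible after $attempts attempts" >&2
    return 1
}

# Usage (constructed values): ./check-acme-txt.sh '*.voina.org' voina.org TOKEN
if [ "$#" -eq 3 ]; then
    echo "Record to deploy: $(acme_record_name "$1")"
    echo "Relative name:    $(acme_relative_name "$1" "$2")"
    wait_for_txt "$(acme_record_name "$1")" "$3"
fi
```

Run it with the domain, the zone and the value certbot printed, and only press Enter at the "verify the record is deployed" prompt once it reports the record as visible. Because a certificate for both `voina.org` and `*.voina.org` gets one challenge per name, two TXT values end up under the same `_acme-challenge.voina.org` record; the check matches any one of them. The same functions could be called from a `--manual-auth-hook` script (the option named in the renewal error above), which would also need to publish the record through the DNS provider's own API before waiting.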

2 thoughts on “Use #letsencrypt to generate a wildcard domain certificate”

  1. George Valentin Voina (post author)

    Update: I moved my DNS provider to NamesCheap. The one and only thing where you have to be careful: DO NOT add the TXT entries as “_acme.voina.org”. NamesCheap by default adds the domain prefix to the TXT entry. So the correct TXT entry in the form from the web is:
    Name: _acme , Value: provided key
    I lost several days with this 🙂

  2. George

    One of the great advantages of using a DNS challenge is that you do not have to do the procedure of issuing the certificate on the actual web server machine. You can use any machine connected to the internet and then copy the certificate and keys on your server.
