
I'd like to obtain one certificate working for all my subdomains *.example.com.

This works:

certbot-auto certonly --webroot --webroot-path /home/www/example/ --domain example.com \
                                --domain www.example.com --email certbot@example.com

but this (with *.):

certbot-auto certonly --webroot --webroot-path /home/www/example/ --domain example.com \
                                --domain *.example.com --email certbot@example.com

fails with:

Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

How to use certbot-auto to generate a certificate for *.example.com?

Basj
  • You need an authenticator plugin that can do challenges over DNS. – Gerald Schneider Apr 14 '20 at 09:25
  • Thanks @GeraldSchneider but I don't really understand fully the context of this other question. Do you think you could post an answer showing how to do it in the context of my question? I think it might be interesting on its own here with a simple question wording "how to use letsencrypt with *.example.com", rather than this other question which seems less obvious "how to use DNS challenge validation" for future readers. – Basj Apr 14 '20 at 09:27
  • What for? For wildcard domains [you need DNS challenge validation](https://letsencrypt.org/docs/faq/#does-let-s-encrypt-issue-wildcard-certificates). DNS challenge validation is explained in detail in the linked question and answers (apart from the official documentation). Once your question is closed as a duplicate there is no need for further explanations, because it is obvious that the existing question also answers yours. – Gerald Schneider Apr 14 '20 at 09:57

1 Answer


As mentioned in a comment, the solution is to use DNS challenge validation, like here: How to use Let's Encrypt DNS challenge validation?.

First remove your previous certificate (if needed) with:

certbot-auto delete 

Then generate a new certificate with a DNS challenge:

certbot-auto -d *.example.com -d example.com --manual --preferred-challenges dns certonly

Then copy/paste the TXT challenge into your DNS settings, something like:

_acme-challenge.example.com TXT Chs768564536576SDGdG6SQDYTZAEq

Restart apache if needed, and it works.

PS: in my case, no installation of an authenticator plugin was needed (is it perhaps installed out of the box?)

Basj
  • I'll add: if your DNS server isn't on the supported list for dns-api, you can delegate the `_acme-challenge` record to them, for example `_acme-challenge IN CNAME example.com.example.net`; see https://community.letsencrypt.org/t/dns-providers-who-easily-integrate-with-lets-encrypt-dns-validation/86438 for the list. – Jacob Evans Apr 14 '20 at 14:47
  • Is the certificate auto-renewed, or must I renew it every X days? – Giancarlo Ventura May 02 '22 at 07:11
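A pre-check for the manual step in the answer above, added here as an example and not part of the original answer: before telling certbot to continue, poll the `_acme-challenge` TXT record until a public resolver returns the token certbot printed, so the challenge is not submitted against a record that has not propagated yet. It assumes `dig` is installed; the domain, resolver and token values are placeholders.

```shell
#!/bin/sh
# Poll the _acme-challenge TXT record until it carries the token certbot
# printed for the manual DNS challenge. Domain, resolver and token are
# placeholders supplied by the caller (assumed, not from the original post).

# Parse `dig +short TXT` output (one double-quoted string per line) and
# report whether the expected token appears as a complete record value.
txt_has_token() {
    # $1 = dig output text, $2 = expected token
    printf '%s\n' "$1" | tr -d '"' | grep -qxF -- "$2"
}

# Fetch the current TXT answer for _acme-challenge.<domain> from a public
# resolver, so we see what Let's Encrypt is likely to see, not a local cache.
challenge_txt() {
    # $1 = domain, $2 = resolver IP (default: Cloudflare's 1.1.1.1)
    dig +short @"${2:-1.1.1.1}" TXT "_acme-challenge.$1"
}

# Retry up to N attempts (default 12), 10 seconds apart; returns 0 once the
# token is visible, 1 if it never shows up in time.
wait_for_challenge() {
    # $1 = domain, $2 = token, $3 = attempts
    n=0
    while [ "$n" -lt "${3:-12}" ]; do
        if txt_has_token "$(challenge_txt "$1")" "$2"; then
            return 0
        fi
        n=$((n + 1))
        sleep 10
    done
    return 1
}

# Usage (placeholder domain and token):
#   wait_for_challenge example.com Chs768564536576SDGdG6SQDYTZAEq && echo "record visible"
```

Because the token changes on every issuance, the same check is needed again at each renewal of a `--manual` certificate.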