
0 votes
2.7k views

I'm trying to obtain a Let's Encrypt certificate using certbot. The certificate will be used for a service that uses the FQDN as well as a couple of subdomains thereof (foo.example.org, xy.foo.example.org, ab.example.org, ...), so I thought I'd use a wildcard for the subdomains instead of listing them all individually (foo.example.org, *.foo.example.org).

However, trying to generate the certificate with certbot yields the following error:

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

Full output:


me@localhost:~# certbot certonly --preferred-challenges http --webroot -w /var/www/foo -d foo.example.org -d '*.foo.example.org'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

The webroot in the webserver is set up correctly (I have used this kind of config for other certificates before), so it's unlikely that the problem lies there. And I've also used certbot before without a DNS challenge.

Why does certbot suddenly require a DNS challenge? And how do I fix it?

My operating system is Devuan Ascii, and the certbot version is 0.28.0 from the distribution repositories.

in Sysadmin
by (100)


1 Answer

0 votes

The problem is with the CA, not with certbot. Let's Encrypt decided that they'll issue wildcard certificates only when authenticated via DNS. From the announcement (emphasis mine):

Additionally, wildcard domains must be validated using the DNS-01 challenge type. This means that you’ll need to modify DNS TXT records in order to demonstrate control over a domain for the purpose of obtaining a wildcard certificate.

If you can't (or don't want to) use DNS authentication you'll have to resort to listing all subdomains individually in the request.

certbot certonly --preferred-challenges http --webroot -w /var/www/foo -d foo.example.org -d xy.foo.example.org -d ab.foo.example.org ...
by (100)
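Two things trip people up when they switch between the wildcard and the explicit-list approach above: a wildcard forces the DNS-01 challenge (the policy quoted in the answer), and a wildcard SAN covers exactly one label, so *.foo.example.org covers xy.foo.example.org but neither foo.example.org nor ab.example.org from the question. The following Python is an added example, not code from the original post or from certbot; the domain names are constructed to mirror the question's example.org scenario, and the matching rule is the RFC 6125 single-label wildcard rule that Let's Encrypt certificates follow. It lets you check a planned name list before running certbot, and tells you which _acme-challenge TXT record a DNS-01 validation would look at.

```python
"""Plan a certificate request: which names cover which hosts, and
whether the request needs DNS-01. Added example, not certbot code.
Domain names are constructed for illustration."""


def is_wildcard(name: str) -> bool:
    """True for names of the form '*.something'."""
    return name.startswith("*.")


def san_matches(san: str, hostname: str) -> bool:
    """Does one SAN entry cover `hostname`?

    A wildcard in the leftmost label matches exactly one label:
    '*.foo.example.org' covers 'xy.foo.example.org' but neither
    'foo.example.org' nor 'a.xy.foo.example.org'. Names are compared
    case-insensitively and without a trailing dot.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not is_wildcard(san):
        return san == hostname
    san_labels = san.split(".")[1:]        # drop the '*' label
    host_labels = hostname.split(".")
    return (len(host_labels) == len(san_labels) + 1
            and host_labels[1:] == san_labels)


def uncovered(sans, hostnames):
    """Hostnames that no entry in `sans` would cover."""
    return [h for h in hostnames
            if not any(san_matches(s, h) for s in sans)]


def requires_dns01(names) -> bool:
    """Per the Let's Encrypt policy quoted in the answer, any wildcard
    name in the order forces the DNS-01 challenge for that order."""
    return any(is_wildcard(n) for n in names)


def acme_challenge_record(name: str) -> str:
    """TXT record name checked by a DNS-01 validation of `name`.
    For '*.foo.example.org' the CA queries '_acme-challenge.foo.example.org'."""
    base = name[2:] if is_wildcard(name) else name
    return "_acme-challenge." + base.rstrip(".")


if __name__ == "__main__":
    # Constructed scenario from the question: the service needs these hosts.
    wanted = ["foo.example.org", "xy.foo.example.org", "ab.example.org"]

    wildcard_order = ["foo.example.org", "*.foo.example.org"]
    print("wildcard order needs DNS-01:", requires_dns01(wildcard_order))
    print("hosts the wildcard order would NOT cover:",
          uncovered(wildcard_order, wanted))
    for n in wildcard_order:
        print("  DNS-01 record for", n, "->", acme_challenge_record(n))

    explicit_order = list(wanted)
    print("explicit order needs DNS-01:", requires_dns01(explicit_order))
    print("hosts the explicit order would NOT cover:",
          uncovered(explicit_order, wanted))
```

Run as-is it reports that the wildcard order needs DNS-01 and still leaves ab.example.org uncovered (it is not under foo.example.org), while the explicit list covers everything with HTTP-01 alone; that is the trade-off the answer describes.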