Digital certificates
Bogdan, 2019-07-03 16:57:32

Letsencrypt certbot in docker: how to get a wildcard certificate?

Hello, please help. I have a registered domain; this is the script that runs certbot in docker and obtains a certificate, and everything works as it should.

sudo docker run \
  --rm \
  --name certbot \
  --volume "$(pwd)/certbot/conf:/etc/letsencrypt" \
  --volume "$(pwd)/certbot/www:/var/www/certbot" \
  certbot/certbot certonly \
  --non-interactive \
  --webroot \
  --agree-tos \
  --manual-public-ip-logging-ok \
  --domains domain.name \
  --email [email protected] \
  --webroot-path /var/www/certbot

Now I need to get a certificate for subdomains, for example my.domain.name.
I googled a solution, but it doesn't work:
sudo docker run \
  --rm \
  --name certbot \
  --volume "$(pwd)/certbot/conf:/etc/letsencrypt" \
  --volume "$(pwd)/certbot/www:/var/www/certbot" \
  --volume "$(pwd)/:/var/log/letsencrypt" \
  certbot/certbot certonly \
  --non-interactive \
  --webroot \
  --agree-tos \
  --manual-public-ip-logging-ok \
  --domains "*.domain.name" \
  --domains domain.name \
  --email [email protected] \
  --webroot-path /var/www/certbot \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --preferred-challenges dns

It gives the following message in the console:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
None of the preferred challenges are supported by the selected plugin
IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

There are no keys. Please tell me how to get them, thanks.


2 answer(s)
zzamzam, 2019-07-04
@bogdan_uman

Bogdan, in order not to renew the certificate manually by writing TXT records into DNS, you need to use a supported DNS provider, such as Cloudflare or ClouDNS. The general idea is that certbot (or something like acme.sh) accesses the DNS via an API, using a login and password or a token, to create the necessary TXT records; they are checked on the Let's Encrypt side, after which a wildcard certificate is issued. In this case wildcard certificates will renew automatically as normal.
Here, for example, you can find a list of supported DNS providers.
In this case the command to issue a certificate through certbot will look something like this (using Cloudflare as an example):

certbot certonly --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
  --dns-cloudflare-propagation-seconds 10 \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --preferred-challenges dns-01 \
  --noninteractive \
  --agree-tos \
  --email <[email protected]> \
  -d <your-domain.name> \
  -d <*.your-domain.name>

Dmitry Shitskov, 2019-07-03
@Zarom

You cannot get a wildcard certificate through the webroot plugin. Use one of the DNS plugins, or the manual plugin.

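Added example, not part of either answer above: what the DNS plugin zzamzam describes actually publishes on your behalf, and why Dmitry's point holds. The webroot plugin can only answer http-01, which means serving a file under /.well-known/acme-challenge/; a wildcard authorization is only offered dns-01, which requires a TXT record at _acme-challenge.<domain> containing base64url(SHA-256(token "." account-key-thumbprint)) per RFC 8555 §8.4 and RFC 7638. The code below derives both responses from a challenge token and the ACME account key. The account JWK and the tokens are constructed sample values, not real account material, and the domain names are placeholders.

```python
"""Derive ACME http-01 and dns-01 challenge responses (RFC 8555 sections 8.3 and 8.4).

Added example, not code from the original thread or from certbot itself. The account
key (ACCOUNT_JWK) and the tokens below are constructed sample values.
"""
from __future__ import annotations

import base64
import hashlib
import json

# Constructed sample ACME account key (public part only, as a JWK). Real account keys
# live in /etc/letsencrypt/accounts/ and must never be published.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "https://acme-v02.api.letsencrypt.org/acme/acct/0000000",  # ignored by the thumbprint
}

# Constructed sample tokens; the CA issues one per authorization.
TOKEN_APEX = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
TOKEN_WILDCARD = "DGyRejmCefe7v4NfDGDKfA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members only.

    Members such as "kid" or "alg" are excluded, and the remaining members are sorted
    and serialised with no whitespace so every client computes the same bytes.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token || '.' || thumbprint(account key): binds the challenge to this ACME account."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """What the webroot plugin serves: (URL the CA fetches, file body).

    This only exists for non-wildcard identifiers; the CA never offers http-01 for '*.'.
    """
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)


def dns01_response(identifier: str, token: str, jwk: dict) -> tuple[str, str]:
    """What a DNS plugin publishes: (TXT record name, TXT record value).

    For a wildcard identifier the '*.' label is dropped, so '*.domain.name' is proven at
    _acme-challenge.domain.name, the same name as the apex.
    """
    name = "_acme-challenge." + identifier.removeprefix("*.")
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return name, b64url(digest)


def dns01_records_for_order(challenges: list[tuple[str, str]], jwk: dict) -> dict[str, list[str]]:
    """All TXT records an order needs, keyed by record name.

    Ordering '*.domain.name' and 'domain.name' together yields two TXT records at the same
    name, one per authorization; both must be present at once, which is why DNS plugins add
    (and later delete) records through the provider API rather than overwriting one value.
    """
    records: dict[str, list[str]] = {}
    for identifier, token in challenges:
        name, value = dns01_response(identifier, token, jwk)
        records.setdefault(name, []).append(value)
    return records


if __name__ == "__main__":
    url, body = http01_response("domain.name", TOKEN_APEX, ACCOUNT_JWK)
    print("http-01 (webroot):", url, "->", body)
    order = [("domain.name", TOKEN_APEX), ("*.domain.name", TOKEN_WILDCARD)]
    for name, values in dns01_records_for_order(order, ACCOUNT_JWK).items():
        for value in values:
            print(f'dns-01 (dns plugin / manual): {name}. IN TXT "{value}"')
```

With `--manual --preferred-challenges dns`, certbot prints exactly the name and value `dns01_response` computes and waits for you to publish it; the `--dns-*` plugins do the publishing through the provider's API and remove the record afterwards, which is what makes unattended renewal of a wildcard possible. Combining `--webroot` with `--preferred-challenges dns`, as in the failing command above, asks a plugin that only speaks http-01 to answer dns-01, hence "None of the preferred challenges are supported by the selected plugin" and no key material on disk.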