I’d been attempting to switch from http preferred challenges for cert renewal/verification. The reason is that the certbot program fails in cases where if I have existing domains in the cert adding more domains or subdomains to existing certs fails. Basically when you try to add new domains or where the subdomain is new to an existing domain that’s listed in the cert, certbot using “–preferred-challenges http” fails with error messages that do not make sense to the average person, even those that that used Letsencrypt since their inception.
In my case I had to add two domains to my cert and also to add a series of subdomains for each new domain to make the domain operate just like the existing ones would. I also had to add a couple subdomains and/or correct the spelling of a subdomain or two. When I issued the certbot command, which, BTW, was the same command that I issued to generate the cert to begin with, certbot just spewed errors relating to being able to contact and/or write a file to disk. Obviously it wants to write to verify that you own it.
I had thought about wildcard domains for a while and did a bit of research and read up on how to generate wildcard certs. The purpose behind a wildcard cert is to provide a method of adding new subdomains without the need to reissue a cert containing the subdomain. Also, a wildcard cert when queried doesn’t disclose to hackers which subdomains you are offering, hence creating new targets for them. If they know the subdomains they know that services are running on those, and they can target them. With a wildcard cert they can’t see the subdomains and hence have no idea what you are running.
In doing this I jumped in and created the command to request a wildcard cert. In my situation I also have a reverse proxy where the reverse proxy is actually run from a container in Proxmox. That’s another story. When I felt I had a valid command I issued it with the –dry-run option of certbot. This ran through each domain (twice) in order to generate a acme-challenge record to be added to the DNS record at the registrar. As each one came up I added a TXT record to the domain with the data it wanted. However what it appeared to ask was to have a DNS record where the host field was _acme-record.<domain> and then the value field to be the hashed value that they also provided. I attempted to interpret this and came up with with I though were 2 TXT records for each domain (total of 8) and when done I completed these steps certbot said the final step was to press enter to do the verification. The script didn’t say to wait for any period of time before doing so. I also wasn’t sure the script wasn’t going to ask further questions. The first time I execute this it failed dumping (spamming the screen) will all sorts of failure message.
I thought about them, verified what I’d done and after becoming baffled I went to Reddit to pose a question. I got no responses whatsoever.
I then did a bit more research and I found the answer. The answer was not to create a “host” entry of _acme-challenge.<domain>, rather just create a host entry of “_acme-challenge” and then put the hashed portion in the value field.
My reading essentially said that Namecheap fills the extra part in so if you add it it is in there twice thus causing the challenge to fail.
I ran through the command one more time creating new TXT records. When I hit enter it ran through the challenges but error’d out on two of the domains. I reviewed them and noted I’d missed adding a TXT record for the domain, as well as that the certbot program hadn’t asked me for all of them. I reviewed the command line for the domain entry and it clearly showed both. Luckily I only had to provide new TXT records for the missing two. I was worried about having to go through all 16 entries again. When that was done I successfully had a wildcard cert that applied to all the domains. Due to the wildcard nature I only need create a DNS record with the subdomain at the registrar and the wildcard cert will handle it. I need not get the full cert reissued just because I added a new subdomain.
This was for my email server. I needed the wildcard cert for the new domains that I wanted to add to the postfix setup. I changed the /etc/postfix/main.cf file to point to the new wildcard cert and created an email account on my android device only to find that the email client responded saying that it wasn’t included. I then decided to look at other config files related to postfix and found dovecot also had reference to the certs. I correct that and restarted the service and bingo everything worked. I then reissued that certbot command in the proxy container and it pulled down the wildcard certs too. I then went from container to container in proxmox (one container for each site) and changed the apache conf file related to each site to point to the new wildcard cert. Launching Firefox, going to the site, and looking at the cert information showed that it was indeed using the wildcard cert.
The key here is that in the “host” field in Namecheap’s DNS entry (for the site) you need to just put in there “_acme-challenge” and nothing else, then fill in the value field with the other piece of data that the certbot program provides.