Modify certbot manually created certificate - apache

I'm moving my website to a new server (debian9+apache).
I've installed a certbot certificate for my domain via command:
sudo certbot certonly -d www.theartstory.org --manual --preferred-challenges dns
I've used this command instead of:
sudo certbot --apache
because at that date the DNS records were configured to the old IP address.
Now I need to add not-www version to this certificate. I've found a command to do this:
sudo certbot certonly --cert-name www.theartstory.org -d www.theartstory.org,theartstory.org
but it fails with error:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
How can I fix this issue?

Use the command below 👇🏻:
sudo certbot certonly -d "*.yourdomain.xx" -d yourdomain.xx --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
This is how I solved the problem 👆🏻
Reason: wildcard certificates want to use DNS to renew.

Related

Getting error while creating wildcard ssl using certbot

I am using certbot to create wildcard ssl certificate. I am using the below command to create a wildcard ssl certificate.
sudo certbot certonly — manual — preferred-challenges=dns — email sujith@website.com — server https://acme-v02.api.letsencrypt.org/directory — agree-tos -d *.website.com
I am getting the below error,
certbot: error: unrecognized arguments: —manual —preferred-challenges=dns —email sujith@website.com —server https://acme-v02.api.letsencrypt.org/directory —agree-tos
Kindly help me fixing this issue.
I myself fixed the issue. It was due to - in the place of --. The command should be like:
sudo certbot certonly --manual --preferred-challenges=dns --email sujith@website.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d "*.website.com"

Problem in getting SSL Certificate for my domain at digitalocean droplet through Let's Encrypt

I was trying to get an SSL certificate for my domain on a PhpMyAdmin Droplet by following the steps mentioned at "https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-18-04". My server is OK. I have a DNS A entry for my domain.com and a CNAME entry for my www.domain.com.
As I went to execute "sudo certbot --apache -d your_domain -d www.your_domain"
It asked me to enter email address and after that it gave me the following error.
"An unexpected error occurred:
The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
"
I tried with root and non root admin user with sudo but still the same. Any help is appreciated
Best
I got it resolved. So first run
sudo apt update
sudo apt install --only-upgrade certbot
and then
sudo certbot --apache -d your_domain -d www.your_domain
worked for me

Certbot-auto --manual plugin not working

I already generated certificates using certbot-auto with the --manual plugin. Now that the certbot version has been upgraded from 0.25.1 to 0.26.1, I'm not able to use the --manual option, as it says it is deprecated in certbot 0.26.1.
This is the command I used to generate the certificate:
`./certbot-auto certonly --manual -d "*.example.com" -d example.com --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory`
Is there any other related plugin like --manual, where I can generate the TXT record and update it in my AWS Route53?
There is the Certbot Route53 Plugin
From the documentation:
certbot certonly \
-n --agree-tos --email DEVOPS@COMPANY.COM \
--dns-route53 \
-d MY.DOMAIN.NAME

Letsencrypt add domain to existing certificate [closed]

I am just simply trying to add the domain test.example.com to the certificate that already exists for example.com. How do I add a domain to my existing certificate and replace the old certificate?
I have tried these few commands
./letsencrypt-auto certonly --cert-path /etc/letsencrypt/archive/example.com --expand -d test.example.com
./letsencrypt-auto certonly -d example.com --expand -d test.example.com
Result: both created a brand new cert in a new folder test.example.com-0001
./letsencrypt-auto certonly --renew-by-default --expand -d test.example.com
Result: error folder test.example.com already exists.
./letsencrypt-auto renew --expand -d orange.fidka.com
Result: error, I can only renew if my certificate is expired.
You need to specify all of the names, including those already registered.
I used the following command originally to register some certificates:
/opt/certbot/certbot-auto certonly --webroot --agree-tos -w /srv/www/letsencrypt/ \
--email me@example.com \
--expand -d example.com,www.example.com
... and just now I successfully used the following command to expand my registration to include a new subdomain as a SAN:
/opt/certbot/certbot-auto certonly --webroot --agree-tos -w /srv/www/letsencrypt/ \
--expand -d example.com,www.example.com,click.example.com
From the documentation:
--expand "If an existing cert covers some subset of the requested names, always expand and replace it with the additional names."
Don't forget to restart the server to load the new certificates if you are running nginx.
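The rule in the answer above (list every name, old and new) as an added shell example, not code from the post or from Certbot: it reads the names already on a certificate from the text that `certbot certificates` prints and builds the full `--cert-name ... -d ...` command. `SAMPLE_LISTING` and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# SAMPLE_LISTING is constructed; on a real host capture: sudo certbot certificates
SAMPLE_LISTING='Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: other.example.org
    Domains: other.example.org
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 89 days)'

# existing_names LISTING CERT_NAME -> names on that certificate, one per line
existing_names() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "Certificate" && $2 == "Name:" { current = $3 }
        $1 == "Domains:" && current == want {
            for (i = 2; i <= NF; i++) print $i
        }'
}

# merged_names LISTING CERT_NAME NEW... -> comma-separated list,
# existing names first, duplicates dropped case-insensitively
merged_names() {
    { existing_names "$1" "$2"; shift 2; printf '%s\n' "$@"; } |
        awk 'NF && !seen[tolower($0)]++' | paste -sd, -
}

# expand_command LISTING CERT_NAME NEW... -> command line to review and run
expand_command() {
    # Stop if the certificate name is unknown: running certbot with a wrong
    # name would create a separate certificate instead of replacing this one.
    if [ -z "$(existing_names "$1" "$2")" ]; then
        echo "no certificate named '$2' in listing" >&2
        return 1
    fi
    printf 'certbot certonly --cert-name %s -d %s\n' "$2" "$(merged_names "$@")"
}

expand_command "$SAMPLE_LISTING" example.com test.example.com www.example.com
```

The printed command carries no authenticator option; append the one you issue with (the commands on this page use `--manual --preferred-challenges dns`, `--webroot -w ...` or `--apache`).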
Apache on Ubuntu, using the Apache plugin:
sudo certbot certonly --cert-name example.com -d m.example.com,www.m.example.com
The above command is vividly explained in the Certbot user guide on changing a certificate's domain names. Note that the command for changing a certificate's domain names applies to adding new domain names as well.
Edit
If running the above command gives you the error message
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
follow these instructions from the Let's Encrypt Community
This is how I registered my domain:
sudo letsencrypt --apache -d mydomain.com
Then it was possible to use the same command with additional domains and follow the instructions:
sudo letsencrypt --apache -d mydomain.com,x.mydomain.com,y.mydomain.com
You can replace the certificate by just running the certbot again with ./certbot-auto certonly
You will be prompted with this message if you try to generate a certificate for a domain that you have already covered by an existing certificate:
-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/<domain>.conf)
It contains these names: <domain>
You requested these names for the new certificate: <domain>,
<the domain you want to add to the cert>.
Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
Just choose Expand and replace it.
I was able to set up an SSL certificate for a domain AND multiple subdomains by using --cert-name combined with the --expand option.
See official certbot-auto documentation at https://certbot.eff.org/docs/using.html
Example:
certbot-auto certonly --cert-name mydomain.com.br \
--renew-by-default -a webroot -n --expand \
--webroot-path=/usr/share/nginx/html \
-d mydomain.com.br \
-d www.mydomain.com.br \
-d aaa1.com.br \
-d aaa2.com.br \
-d aaa3.com.br
This worked for me:
sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d domain.com -d www.domain.com

Let's Encrypt configuration on Apache

When I run
./letsencrypt-auto
I can choose my domains, but in the next step it fails on
IMPORTANT NOTES:
- The following 'urn:acme:error:connection' errors were reported by
the server:
Domains: xx.co.uk
Error: The server could not connect to the client for DV
Does Apache need to be listening on port 443 already, or what else could be the problem?
Apache 2.2, Ubuntu 14 LTS Trusty
I just started using Let's Encrypt. My server runs Apache 2.2 on Ubuntu 12.04. I found it much easier to use Let's Encrypt certonly --webroot mode. Here's an example:
./letsencrypt-auto certonly --webroot \
--renew-by-default --agree-tos \
--email postmaster@analysisandsolutions.com \
-w /var/www/www.analysisandsolutions.com/public_html \
-d www.analysisandsolutions.com -d analysisandsolutions.com
Then I edited the relevant virtual host file in sites-available to contain:
SSLCertificateFile /etc/letsencrypt/live/www.analysisandsolutions.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.analysisandsolutions.com/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.analysisandsolutions.com/privkey.pem
Finally call service apache2 reload
I also use the resulting certificate for Postfix SMTP and Dovecot IMAP connections.
I made a shell script to simplify the process. More details about all of this can be found on my blog.
Here is an answer.
Yes, Apache needs to be listening on 443. The easiest way is to make your domain work with a self-signed SSL certificate.
Then run
./letsencrypt-auto --apache
And Let's Encrypt does all for you. Amazing!