
I have a domain (let's say example.com), and I currently have a Let's Encrypt certificate set up and properly working for example.com and www.example.com for Apache on an Amazon Linux 2 AMI EC2 instance, and I'm trying to reconfigure the certificate to set it up for a wildcard domain (i.e., *.example.com).

I SSH'ed into the EC2 instance and ran the following command in an attempt to do this (with the real domain, not example.com):

sudo certbot certonly --manual --preferred-challenges=dns --server https://acme-v02.api.letsencrypt.org/directory -d example.com -d '*.example.com'

Upon running that command, I get the following message:

Let's Encrypt wildcard certificate attempt

I then add a TXT record to my DNS settings in Google Domains as the prompt suggested as follows:

Google Domains DNS settings

I then verified that the TXT record is there by using the following site and inputting the _acme-challenge URL / host name:

https://dnslookup.online/txt.html

Upon confirming the record is there, I then hit Enter in the SSH console, but I get the following error:

Let's Encrypt wildcard certificate error message

What am I doing wrong that's not allowing me to issue a wildcard certificate? Any help/guidance is greatly appreciated. Thank you.

Edit: I should note that I used the following post as a starting point for this: https://community.letsencrypt.org/t/you-may-need-to-use-a-different-authenticator-plugin/115026/4

HartleySan
  • Why are you cross-posting the same question? On the other post, you commented on getting downvoted. This will get you downvoted and closed. Select a site and post one question. https://stackoverflow.com/questions/71669105/how-do-i-use-lets-encrypt-to-register-a-wildcard-certificate-on-an-aws-amazon-l – John Hanley Mar 31 '22 at 03:07
  • As per your original advice, I was trying to move the post to a more relevant site as well as adding more detail. Is that not allowed? – HartleySan Mar 31 '22 at 12:27

1 Answer


I figured out the problem. When I was entering the TXT record into Google Domains, I should have only typed _acme-challenge for the host name, but I was typing _acme-challenge.example.com, which was causing the TXT record host name to be incorrect.

After I fixed that, the first challenge successfully went through, and then I had to pass a second random string challenge to get it to work.

Note that when using Google Domains, for the second TXT challenge, you should not create a new TXT record or replace the current TXT record value. Instead, you want to add a new value to the existing TXT record (while keeping the first value unedited).

Also, upon this working, I had to update the /etc/httpd/conf/httpd.conf and /etc/httpd/conf/httpd-le-ssl.conf files on the server to have a ServerAlias of *.example.com to get it to work. Don't forget to restart Apache after it's all done as well. Hopefully after doing that, it'll work for you as well.

HartleySan
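The two pitfalls in the answer above (typing the full _acme-challenge name into a host field that already appends the zone, and the second token needing to sit beside the first at the same name) can be checked before pressing Enter in the certbot prompt. The script below is an added example, not code from the question or answer; example.com stands in for the real zone, the tokens are constructed placeholders, and the live lookup assumes dig is installed.

```python
import subprocess

ZONE = "example.com"                      # placeholder for the real zone
CHALLENGE_NAME = f"_acme-challenge.{ZONE}"


def record_fqdn(zone, host_field):
    """Name a DNS panel actually creates when `host_field` is typed as a
    label relative to `zone` (the panel appends the zone itself)."""
    host_field = host_field.rstrip(".")
    if host_field in ("", "@"):
        return zone
    return f"{host_field}.{zone}"


def relative_label(zone, fqdn):
    """What to type in the host field so that exactly `fqdn` is created."""
    fqdn = fqdn.rstrip(".")
    if fqdn == zone:
        return "@"
    suffix = "." + zone
    if not fqdn.endswith(suffix):
        raise ValueError(f"{fqdn} is not inside {zone}")
    return fqdn[: -len(suffix)]


def missing_tokens(expected, published):
    """Tokens certbot asked for that are not visible at the challenge name.
    With -d example.com -d *.example.com both tokens must coexist there."""
    return sorted(set(expected) - set(published))


def lookup_txt(name):
    """Live TXT lookup via dig (constructed values are used in the check below)."""
    out = subprocess.run(["dig", "+short", "TXT", name],
                         capture_output=True, text=True, check=False).stdout
    return [line.strip().strip('"') for line in out.splitlines() if line]


if __name__ == "__main__":
    typed = "_acme-challenge.example.com"      # the mistake from the answer
    print("typing", typed, "creates", record_fqdn(ZONE, typed))
    print("type instead:", relative_label(ZONE, CHALLENGE_NAME))
    wanted = ["tokenA-constructed", "tokenB-constructed"]  # placeholder tokens
    print("still missing:", missing_tokens(wanted, lookup_txt(CHALLENGE_NAME)))
```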