Score:0

How do I set up a Let's Encrypt wildcard certificate for Apache on an Amazon Linux 2 AMI EC2 instance?


I have a domain (let's say example.com), and I currently have a Let's Encrypt certificate set up and properly working for example.com and www.example.com for Apache on an Amazon Linux 2 AMI EC2 instance, and I'm trying to reconfigure the certificate to set it up for a wildcard domain (i.e., *.example.com).

I SSH'ed into the EC2 instance and ran the following command in an attempt to do this (with the real domain, not example.com):

sudo certbot certonly --manual --preferred-challenges=dns --server https://acme-v02.api.letsencrypt.org/directory -d example.com -d *.example.com

Upon running that command, I get the following message:

[Screenshot: Let's Encrypt wildcard certificate attempt]

I then add a TXT record to my DNS settings in Google Domains as the prompt suggested as follows:

[Screenshot: Google Domains DNS settings]

I then verified that the TXT record is there by using the following site and inputting the _acme-challenge URL / host name:

https://dnslookup.online/txt.html

Upon confirming the record is there, I then hit Enter in the SSH console, but I get the following error:

[Screenshot: Let's Encrypt wildcard certificate error message]

What am I doing wrong that's not allowing me to issue a wildcard certificate? Any help/guidance is greatly appreciated. Thank you.

Edit: I should note that I used the following post as a starting point for this: https://community.letsencrypt.org/t/you-may-need-to-use-a-different-authenticator-plugin/115026/4

John Hanley (comment):
Why are you cross-posting the same question? On the other post, you commented on getting downvoted. This will get you downvoted and closed. Select a site and post one question. https://stackoverflow.com/questions/71669105/how-do-i-use-lets-encrypt-to-register-a-wildcard-certificate-on-an-aws-amazon-l
Original poster (reply):
As per your original advice, I was trying to move the post to a more relevant site as well as adding more detail. Is that not allowed?
Score:0

I figured out the problem. When I was entering the TXT record into Google Domains, I should have only typed _acme-challenge for the host name, but I was typing _acme-challenge.example.com, which was causing the TXT record host name to be incorrect.

After I fixed that, the first challenge successfully went through, and then I had to pass a second random string challenge to get it to work.

Note that when using Google Domains, for the second TXT challenge, you should not create a new TXT record or replace the current TXT record value. Instead, you want to add a new value to the existing TXT record (while keeping the first value unedited).

Also, upon this working, I had to update the /etc/httpd/conf/httpd.conf and /etc/httpd/conf/httpd-le-ssl.conf files on the server to have a ServerAlias of *.example.com to get it to work. Don't forget to restart Apache after it's all done as well. Hopefully after doing that, it'll work for you as well.
