1

Topic: Letsencrypt wildcard certificate

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.1 MARIADB edition.
- Deployed with iRedMail Easy or the downloadable installer? Downloadable installer
- Linux/BSD distribution name and version: Ubuntu 18.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

My ISP provides me with a static IP that resolves to my-domain.com, all queries for *.my-domain.com return the same IP address.

When I installed iRedMail I used mail.my-domain.com for the LetsEncrypt certificate but I would now like to change it to a wildcard certificate. I tried the command below with no luck, what do I need to use for the authenticator to make it work?

sudo certbot certonly --webroot --agree-tos --email me@example.com -d my-domain.com,*.mydomain.com -w /var/www/html/ --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

2

Re: Letsencrypt wildcard certificate

I could be wrong here, but I think you're going to need to use a -d flag for each domain you want to certify, not comma separated, e.g.:

certbot certonly --webroot --agree-tos --email me@example.com -d mydomain.com -d *.mydomain.com -w /var/www/html/ --dry-run

Also, given the error:

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

I was never able to get certbot working properly with the webroot method; what I did was use the CloudFlare plugin (only applicable if you use CF for your DNS management).

If you want to give this a try, see the instructions below.
Get your CF API key and save it to a file, e.g. /etc/letsencrypt/cloudflare.passwd:

dns_cloudflare_email = user@domain.tld
dns_cloudflare_api_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Give the file 0600 permissions, e.g. chmod 600 /etc/letsencrypt/cloudflare.passwd

Install plugin

apt-get install certbot python3-certbot-dns-cloudflare

Run certbot to get your certs

certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.passwd -d mydomain.com -d *.mydomain.com --dry-run

3

Re: Letsencrypt wildcard certificate

In the end I've gone for the following which worked:

certbot certonly --webroot --agree-tos --email me@example.com -d my-domain.com,mail.mydomain.com,www.my-domain.com -w /var/www/html/

Looking through the LetsEncrypt documentation, the wildcard approach would have required me to update a DNS TXT record every time I wanted to renew.
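Added example (not from this thread or from certbot) showing why the wildcard route needs a DNS plugin: it derives the _acme-challenge TXT record that a DNS-01 validation requires (RFC 8555 section 8.4, account key thumbprint per RFC 7638). The JWK values and challenge tokens below are constructed placeholders, not real keys.

```python
import base64
import hashlib
import json
from typing import Tuple


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_record(identifier: str, token: str, account_jwk: dict) -> Tuple[str, str]:
    """Return (TXT record name, TXT record value) the CA expects for a DNS-01 challenge.

    The wildcard label is not part of the record name: '*.my-domain.com' is
    validated at '_acme-challenge.my-domain.com', the same name as the base domain.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return f"_acme-challenge.{base}", value


def renewal_needs_dns_change(old_token: str, new_token: str, identifier: str, account_jwk: dict) -> bool:
    """Each order gets a fresh token, so the published TXT value must change on every renewal."""
    _, old_value = dns01_record(identifier, old_token, account_jwk)
    _, new_value = dns01_record(identifier, new_token, account_jwk)
    return old_value != new_value


# Constructed account key (placeholder values, not a real RSA key).
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}

if __name__ == "__main__":
    name, value = dns01_record("*.my-domain.com", "constructed-token-1", ACCOUNT_JWK)
    print(f"{name}. IN TXT \"{value}\"")
    print("renewal needs new TXT:",
          renewal_needs_dns_change("constructed-token-1", "constructed-token-2",
                                   "*.my-domain.com", ACCOUNT_JWK))
```

A DNS plugin such as the CloudFlare one automates exactly this step: publishing the new value, waiting for propagation, and removing it after validation.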