1. Certificate renewal error
Problem description
When renewing an SSL certificate, certbot fails with a "too many failed authorizations" error.
Cause Analysis
The domain being renewed has hit Let's Encrypt's Failed Validation limit: at most 5 failed validations per account, per hostname, per hour. Once that limit is reached, further attempts for the hostname are rejected until the one-hour window has passed, so the fix is to correct whatever made the validations fail and then wait before retrying.
Note: see the official rate-limit documentation: https://letsencrypt.org/docs/rate-limits/
The underlying cause in our case is that we were using certbot to request many separate free certificates, one per subdomain. Every one of those requests is a separate validation that can fail, and together they also eat into the per-week limits on certificates per registered domain. A single wildcard certificate covers all subdomains in one issuance and one validation. The trade-off to keep in mind is that the wildcard's private key then protects every subdomain at once, so it must be guarded accordingly and any host it is deployed to becomes a single point of compromise for all of them.
2. Applying for a Let's Encrypt wildcard SSL certificate
We still use Certbot for issuance.
Official website documentation: https://certbot.eff.org/docs/using.html
- Older certbot builds installed by following the official homepage instructions default to the ACMEv1 endpoint, which cannot issue wildcard certificates. The ACMEv2 endpoint has to be selected explicitly (current certbot releases already default to it, so the flag is then redundant but harmless):
--server https://acme-v02.api.letsencrypt.org/directory
- The command now is:
certbot certonly --standalone -d *.example.com --server https://acme-v02.api.letsencrypt.org/directory
- Result prompt:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
- The reason is that the standalone authenticator only answers HTTP-based challenges, while Let's Encrypt requires the DNS-01 challenge for wildcard names, so the challenge type has to be requested explicitly:
--preferred-challenges dns
- After digging through the official documentation: wildcard names can only be validated with the dns-01 challenge. The documentation says validation can be automated, but that requires installing a DNS plugin for your provider, and plugins exist only for the following providers:
cloudflare
cloudxns
digitalocean
dnsimple
dnsmadeeasy
google
luadns
nsone
rfc2136
route53
- My DNS is hosted on a free DNS service that has no API, so automatic verification is not possible; the manual authenticator has to be used instead. Note that a certificate obtained this way cannot be renewed unattended: certbot renew refuses to renew a manual-plugin certificate unless a --manual-auth-hook is configured, so the TXT record step below has to be repeated by hand before each expiry.
--manual
- To summarize, the final command is (add a second -d for the bare domain if the apex also needs to be covered; certbot then asks for two TXT records under the same _acme-challenge name, and both must be present at the same time):
certbot certonly --preferred-challenges dns --manual -d *.example.com --server https://acme-v02.api.letsencrypt.org/directory
During issuance, certbot prompts you to add a TXT record:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for *.aattec.com
Performing the following challenges:
dns-01 challenge for aattec.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.aattec.com with the following value:
1q3iA_qE3i7ytfNU-xSs0x4mhfij4TXuoXXlxbrQDMQ
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Add the TXT record in your DNS provider's management console, wait a few minutes for it to propagate, confirm from a public resolver that the record is visible, and only then press Enter. Pressing Enter before the record resolves counts as a failed validation against the hourly limit from section 1.
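The check before pressing Enter can be scripted. The following helper is an added example written for this post, not certbot's own code or the original author's. It assumes dig (from bind-utils or dnsutils) is installed; the _acme-challenge name and token are taken from the certbot output above and are used here as constructed sample input, and the resolver 1.1.1.1, the 15-second poll interval and the 300-second default timeout are arbitrary choices.

```shell
#!/bin/sh
# Added example (not from the original post or from certbot): verify that the
# ACME dns-01 TXT record is visible on a public resolver before pressing Enter
# in certbot's manual prompt. Requires `dig`.

# txt_has_token ANSWER TOKEN
# ANSWER is the output of `dig +short TXT ...` (one record per line, each
# wrapped in double quotes, as dig prints it). Succeeds only if a line is
# exactly "TOKEN", so a stale record from an earlier run does not count.
txt_has_token() {
    answer=$1
    token=$2
    printf '%s\n' "$answer" | grep -Fxq "\"$token\""
}

# check_acme_txt DOMAIN TOKEN [RESOLVER]
# Queries _acme-challenge.DOMAIN on RESOLVER (default 1.1.1.1, an arbitrary
# public resolver) and succeeds when TOKEN is among the TXT records.
check_acme_txt() {
    domain=$1
    token=$2
    resolver=${3:-1.1.1.1}
    answer=$(dig +short TXT "_acme-challenge.$domain" "@$resolver") || return 1
    txt_has_token "$answer" "$token"
}

# wait_for_acme_txt DOMAIN TOKEN [TIMEOUT_SECONDS]
# Polls every 15 seconds until the record is visible or TIMEOUT (default 300)
# is reached; exits non-zero on timeout so a wrapper can abort instead of
# pressing Enter and burning one of the 5 hourly validation attempts.
wait_for_acme_txt() {
    domain=$1
    token=$2
    timeout=${3:-300}
    elapsed=0
    until check_acme_txt "$domain" "$token"; do
        if [ "$elapsed" -ge "$timeout" ]; then
            echo "timeout: _acme-challenge.$domain does not yet contain $token" >&2
            return 1
        fi
        sleep 15
        elapsed=$((elapsed + 15))
    done
    echo "_acme-challenge.$domain is live; safe to press Enter in certbot"
}

# Usage with the values shown in the certbot prompt above:
#   sh check_acme_txt.sh aattec.com 1q3iA_qE3i7ytfNU-xSs0x4mhfij4TXuoXXlxbrQDMQ
if [ "$#" -ge 2 ]; then
    wait_for_acme_txt "$@"
fi
```

Run it in a second terminal while certbot is waiting at the prompt; when it reports the record as live, switch back and press Enter. The same wait_for_acme_txt function can later be reused inside a --manual-auth-hook script if the DNS provider ever gains an API, which is what makes certbot renew work unattended.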
Then wait for the issuance to complete:
Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/aattec.com-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/aattec.com-0001/privkey.pem
Your certificate will expire on 2023-06-12. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le