Reputation: 430
I am trying to obtain an SSL certificate with certbot and the --webroot setting. My current command is:
sudo certbot certonly --webroot -w <path> -d <URL> -d <*.URL>
Every time I run the command I get this error:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
I tried every similar command I found. Please share some help.
I am using Ubuntu 18 with the newest certbot version. I also tried certbot-auto.
Upvotes: 4
Views: 3241
Reputation: 4300
I want to provide some further reading on this for anyone else struggling - and I'll explain why every solution still didn't work!
Great advice from Let's Encrypt ...
https://letsencrypt.org/docs/challenge-types/ - see DNS-01. Basically Certbot has to connect with your DNS provider/API to create temporary records to verify your domain.
BUT ... not all providers allow this ...
And it turns out mine (Namecheap) doesn't. So in short Wildcards + Certbot + Namecheap are not physically possible!
Upvotes: 0
Reputation: 430
I figured it out: with the http verification (webroot) it is not possible to obtain wildcards (<*.url>).
But it is possible with a DNS challenge (Reference).
Here is an example command for a manual / DNS challenge wildcard certificate request:
sudo certbot certonly --manual -d '*.<domain>' -d <domain> --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Upvotes: 12
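The rule from the accepted answer, as a pre-flight check to run before invoking certbot. This is an added example, not code from any of the posts or from certbot; the function names `allowed_challenges`, `txt_record_name` and `preflight` are hypothetical and `example.com` is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for a certbot name list.
# Let's Encrypt validates wildcard names only with dns-01, so an
# http-01 authenticator such as --webroot cannot satisfy them.

# Print the challenge types that can validate one name.
allowed_challenges() {
  case "$1" in
    '*.'*) echo "dns-01" ;;
    *)     echo "http-01 dns-01 tls-alpn-01" ;;
  esac
}

# Print the TXT record name dns-01 uses for one name. The "*." label is
# dropped, so *.example.com and example.com share one record name and a
# manual run must publish both TXT values there at the same time.
txt_record_name() {
  echo "_acme-challenge.${1#\*.}"
}

# preflight AUTH NAME...   AUTH is "webroot" (http-01) or "dns" (dns-01).
# Prints one line per name; returns 1 if any name cannot be validated.
preflight() {
  local auth="$1" rc=0 name offered
  shift
  case "$auth" in
    webroot) offered="http-01" ;;
    dns)     offered="dns-01" ;;
    *)       echo "unknown authenticator: $auth" >&2; return 2 ;;
  esac
  for name in "$@"; do
    case " $(allowed_challenges "$name") " in
      *" $offered "*)
        if [ "$offered" = "dns-01" ]; then
          echo "OK   $name via dns-01, TXT at $(txt_record_name "$name")"
        else
          echo "OK   $name via http-01"
        fi ;;
      *)
        echo "FAIL $name needs dns-01, $auth only offers $offered"
        rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed sample names, mirroring the two -d arguments in the question.
preflight webroot 'example.com' '*.example.com' || true
preflight dns     'example.com' '*.example.com'
```

The webroot run reports the wildcard as the failing name, which is the condition behind the "does not support any combination of challenges" error in the question.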