I am using certbot/letsencrypt from the EPEL repository with apache on CentOS 7 without any issues on "normal" domain names. The certbot tool recognizes server name aliases from the virtualhost config files just fine. Renewal also works fine.
For example, a line in a virtualhost config such as:
ServerName uncovery.net
ServerAlias www.uncovery.net
results in certbot offering me to install/maintain the domain names
1: uncovery.net
2: www.uncovery.net
However, this line in my virtualhost config:
ServerName uncovery.net
ServerAlias *.uncovery.net
only shows
1: uncovery.net
when running certbot.
So I tried the following:
# certbot -d *.uncovery.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
I tried the apache/webroot/standalone authenticators; all fail. The debug log states that
ConfigurationError: *.uncovery.net contains an invalid character. Valid characters are A-Z, a-z, 0-9, ., and -.
So questions:
1) How can I make the command line interface of certbot recognize the *.wildcard?
2) If that does not work, how do I manually configure the certificate?
Here is my certbot version:
Package certbot-1.0.0-1.el7.noarch already installed and latest version
Package python2-certbot-apache-1.0.0-1.el7.noarch already installed and latest version
This should work
Afterwards, don't forget to point
fullchain.pem
and privkey.pem
in your apache config ssl settings. Usually, those are located at /etc/letsencrypt/live/uncovery.net/fullchain.pem
/etc/letsencrypt/live/uncovery.net/privkey.pem
If you don't change those, you will still see the self-signed certificate, which is the apache default self-signed ssl cert.
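The two points raised on this page, that a wildcard name forces a different challenge type and that the Apache SSL directives must then be pointed at certbot's live directory by hand, can be checked with a small POSIX sh script. This is an added example, not code from the question, the answer, or the certbot project. It uses the domain names from the question, the certbot options `certonly`, `--manual` and `--preferred-challenges dns` (real options; a DNS plugin such as one of the certbot-dns-* packages is the alternative), and the /etc/letsencrypt/live/<name>/ layout from the answer. Let's Encrypt issues wildcard certificates only via the DNS-01 challenge, which the apache, webroot and standalone authenticators cannot perform, and a `*.uncovery.net` certificate does not cover the bare `uncovery.net`, so both names are requested. Because the manual authenticator does not install anything into Apache, the script also checks a config fragment for the two directives the answer says to change.

```shell
#!/bin/sh
# Added example: not code from the question or the answer above.
# Domain names come from the question; paths follow the answer's
# /etc/letsencrypt/live/<name>/ layout, which is certbot's default.

# Return 0 if any requested name is a wildcard. Let's Encrypt issues wildcard
# certificates only through the DNS-01 challenge, so the apache, webroot and
# standalone authenticators cannot be used; --manual or a DNS plugin can.
needs_dns01() {
    for name in "$@"; do
        case "$name" in
            \*.*) return 0 ;;
        esac
    done
    return 1
}

# Return 0 if a name uses only the characters certbot's error message in the
# question lists (A-Z, a-z, 0-9, "." and "-"), allowing one leading "*." label.
valid_name() {
    name="$1"
    case "$name" in
        \*.*) name="${name#\*.}" ;;
    esac
    [ -n "$name" ] || return 1
    case "$name" in
        *[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print a certbot command for the given names, or fail on an invalid name.
# Wildcards are single-quoted so the calling shell cannot glob-expand them
# against files in the current directory before certbot ever sees them.
build_certbot_cmd() {
    for name in "$@"; do
        valid_name "$name" || return 1
    done
    if needs_dns01 "$@"; then
        cmd="certbot certonly --manual --preferred-challenges dns"
    else
        cmd="certbot --apache"
    fi
    for name in "$@"; do
        case "$name" in
            \*.*) cmd="$cmd -d '$name'" ;;
            *)    cmd="$cmd -d $name" ;;
        esac
    done
    printf '%s\n' "$cmd"
}

# Return 0 if an Apache SSL config (passed as text) points both directives
# at certbot's live directory for the given certificate name.
apache_uses_live_cert() {
    conf="$1"
    cert_name="$2"
    printf '%s\n' "$conf" | grep -qF "SSLCertificateFile /etc/letsencrypt/live/$cert_name/fullchain.pem" || return 1
    printf '%s\n' "$conf" | grep -qF "SSLCertificateKeyFile /etc/letsencrypt/live/$cert_name/privkey.pem" || return 1
    return 0
}

# Constructed sample: directives still pointing at the distribution's
# self-signed certificate, the situation the answer warns about.
DEFAULT_SSL_CONF='SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key'

# Constructed sample: the same directives after following the answer.
FIXED_SSL_CONF='SSLCertificateFile /etc/letsencrypt/live/uncovery.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/uncovery.net/privkey.pem'

# Demonstration when run directly.
build_certbot_cmd uncovery.net '*.uncovery.net'
apache_uses_live_cert "$DEFAULT_SSL_CONF" uncovery.net || echo "ssl config still uses the default self-signed certificate"
apache_uses_live_cert "$FIXED_SSL_CONF" uncovery.net && echo "ssl config points at the certbot certificate"
```

Run with `sh wildcard-check.sh`; the printed command is the one to type, since the single quotes around the wildcard are what keep the shell from expanding it. After issuance with `--manual`, `apache_uses_live_cert` is the check to run against your ssl.conf before restarting httpd, because certbot will not have edited it for you.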