I think I found the problem. To confirm, please either post your logs or check that they contain an error message like Requested domain .example.com is not a FQDN because it contains an empty label

Logs are usually located at /var/log/letsencrypt/letsencrypt.log.

Yes thats what appears in log.

FYI The log dir /var/log/letsencrypt/ is not 'tab-able' by non-root users, which may trip up some people.

2018-09-19 09:58:49,450:DEBUG:certbot.util:Not suggesting name "_"
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/util.py", line 310, in get_filtered_names
    filtered_names.add(enforce_le_validity(name))
  File "/usr/lib/python3/dist-packages/certbot/util.py", line 526, in enforce_le_validity
    "Valid characters are A-Z, a-z, 0-9, ., and -.".format(domain))
certbot.errors.ConfigurationError: _ contains an invalid character. Valid characters are A-Z, a-z, 0-9, ., and -.
2018-09-19 09:58:49,452:DEBUG:certbot.util:Not suggesting name ".example.com"
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/util.py", line 310, in get_filtered_names
    filtered_names.add(enforce_le_validity(name))
  File "/usr/lib/python3/dist-packages/certbot/util.py", line 522, in enforce_le_validity
    domain = enforce_domain_sanity(domain)
  File "/usr/lib/python3/dist-packages/certbot/util.py", line 601, in enforce_domain_sanity
    raise errors.ConfigurationError("{0} it contains an empty label.".format(msg))
certbot.errors.ConfigurationError: Requested domain .example.com is not a FQDN because it contains an empty label.

For users:

Use -d example.com -d *.example.com to specify the domains.

For devs:

Ok so what's going on here is that we have a check that does domain.split('.'), and makes sure that none of the entries in the list are empty. Nginx special-cases .example.com as meaning both example.com and *.example.com in one. Previously, we didn't support wildcards at all, so it made sense not to show this.

This check happens in certbot/util.py, so it's consistent between Nginx and Apache.

The best fix on our end is probably to expand the domain into being read as both domains inside the Nginx plugin, before it goes through the check.

We may also need to do the same thing in Apache.

But then, we have the UX conundrum that this will also work when Nginx is set as authenticator, erroneously displaying wildcard domains when we can't actually get them.

But then, we have the UX conundrum that this will also work when Nginx is set as authenticator, erroneously displaying wildcard domains when we can't actually get them.

On second thought, this is probably fine, because then the user can run again and select a different domain or use a different authenticator. We should make sure that the error message that happens when you do that is good.

@ciarancourtney, any chance you'd be up for submitting a PR to fix this?

@ciarancourtney, any chance you'd be up for submitting a PR to fix this?

Sure, I'll take a look

Awesome, let me know if you have any questions or run into any snags.

Do we think this issue will be resolved for the release next week?