Generate https with certbot wildcard - nginx

How do I generate HTTPS for a wildcard?
server {
    server_name subdomain.domain.com www.subdomain.domain.com *.subdomain.domain.com ~^(.*)\.subdomain\.domain\.com$;
}
Currently, for normal domains I generate certificates like this:
sudo certbot --nginx -d example.com

For a wildcard, just add another entry with *:
sudo certbot --nginx -d '*.example.com' -d example.com
You can further refer to Let's Encrypt: Wildcard Certificate With Certbot

I used the following to generate a wildcard certificate and it worked like a charm. Here we are doing the DNS challenge, hence you should have access to your DNS to make the entries that will be read while creating the certificate.
sudo certbot certonly --manual -d '*.example.com' -d example.com \
    --email admin@example.com --agree-tos \
    --preferred-challenges dns-01 \
    --server https://acme-v02.api.letsencrypt.org/directory
Hope this information helps you.

With your command you are issuing a certificate via the HTTP challenge. Let's Encrypt doesn't support issuing wildcard certificates via the HTTP challenge.
Here is a link about the challenge types supported by Let's Encrypt:
https://letsencrypt.org/docs/challenge-types/
For wildcard certs you need to issue the certs via the DNS challenge. Therefore you need API access to your hosting provider or dynamic DNS provider. Certbot offers plugins for some of them; here is a link to the Certbot DNS plugins page: https://certbot.eff.org/docs/using.html#dns-plugins
If your provider isn't listed you can't issue wildcard certs with Certbot. There are some other tools which support DNS challenges for Let's Encrypt, like acme.sh; here is a link to the GitHub repository: https://github.com/acmesh-official/acme.sh
I hope I could help you with this information.
Bananenkönig
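The answers above agree on the one point that matters: a wildcard name can only be validated with DNS-01, so whatever issues the certificate must be able to write a TXT record at _acme-challenge.<domain>. Certbot's DNS plugins do that for the providers they cover; for a provider without a plugin, certbot's --manual-auth-hook and --manual-cleanup-hook let you supply the DNS write yourself, and certbot stores the hooks in the renewal config so `certbot renew` keeps working unattended. The script below is an added example, not code from the thread: a hook that publishes and removes the record with nsupdate (RFC 2136 dynamic update). The TSIG key path, the name server and the 30-second propagation wait are assumptions to adapt to your zone.

```shell
#!/bin/sh
# Added example (not from the thread): a certbot --manual-auth-hook /
# --manual-cleanup-hook pair that publishes the DNS-01 TXT record with
# nsupdate (RFC 2136 dynamic update). Assumptions, not in the original post:
# the zone accepts TSIG-signed updates from this host, and the key file and
# name server below are placeholders to replace.
set -eu

TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/acme-tsig.key}"   # assumed path
DNS_SERVER="${DNS_SERVER:-ns1.example.com}"              # assumed primary
TTL=60

# Name of the TXT record for an identifier. A wildcard *.example.com is
# validated at _acme-challenge.example.com, so a leading "*." is dropped.
challenge_name() {
    case "$1" in
        \*.*) _base=${1#??} ;;   # strip the two characters "*."
        *)    _base=$1 ;;
    esac
    printf '_acme-challenge.%s\n' "$_base"
}

# Render an nsupdate batch. "update add" appends a record: when example.com
# and *.example.com are in the same order, two TXT records must coexist at
# the same name, so the auth hook must never wipe the other one.
render_nsupdate() {   # args: add|delete  domain  validation
    _name=$(challenge_name "$2")
    if [ "$1" = add ]; then
        printf 'server %s\nupdate add %s %d TXT "%s"\nsend\n' \
            "$DNS_SERVER" "$_name" "$TTL" "$3"
    else
        printf 'server %s\nupdate delete %s TXT "%s"\nsend\n' \
            "$DNS_SERVER" "$_name" "$3"
    fi
}

# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks and
# CERTBOT_REMAINING_CHALLENGES to the auth hook (0 on the last one).
run_hook() {   # arg: add|delete
    render_nsupdate "$1" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" \
        | nsupdate -k "$TSIG_KEY"
    # Let the record reach the authoritative servers before the CA queries them.
    if [ "$1" = add ] && [ "${CERTBOT_REMAINING_CHALLENGES:-0}" = 0 ]; then
        sleep 30
    fi
}

# Only act when certbot invokes the script with its environment set;
# otherwise the functions above can be sourced and exercised on their own.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    run_hook "${1:-add}"
fi
```

Issue the certificate with `certbot certonly --manual --preferred-challenges dns --manual-auth-hook '/path/acme-dns-hook.sh add' --manual-cleanup-hook '/path/acme-dns-hook.sh delete' -d '*.example.com' -d example.com`, then point nginx's ssl_certificate and ssl_certificate_key at /etc/letsencrypt/live/example.com/fullchain.pem and privkey.pem. Keep the TSIG key readable by root only: whoever holds it can write arbitrary records into the zone, which is exactly the power the DNS challenge proves.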

Related

Https Certbot Certificate is renewed, but connection not secure till you restart nginx

My domain was showing as not secure on google chrome.
I logged in as root to my server and ran this command:
certbot certificates
It produced this output (the certbot certificate was valid):
Found the following certificates:
Certificate Name: xyz.com
Domains: xyz.com www.xyz.com
Expiry date: 2022-01-14 (valid: 58 days)
Certificate path: /etc/letsencrypt/live/xyz.com/fullchain.pem
Private key path: ....
However, the website was showing as NOT secure.
After this I ran :
sudo systemctl restart nginx
Then the website became secure.
What can I do so that I do not need to restart nginx every time the certificate renews?
I am using Nginx 1.14.0 on ubuntu 18.04.5
The version of my client is : certbot 0.31.0
You do not need to restart Nginx, but you do need to tell Nginx that the certificate has changed so that it can reload it, using nginx -s reload (sudo systemctl reload nginx would probably work too).
This can be combined with the certbot renewal command, for example:
certbot renew --post-hook "nginx -s reload"
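The symptom in the question (a valid file on disk, an expired certificate on the wire) comes from nginx reading the PEM files only at start or reload. A --post-hook as in the answer works, but it runs after every `certbot renew` attempt, renewed or not. Certbot also runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ only when a lineage was actually renewed, exporting RENEWED_LINEAGE and RENEWED_DOMAINS to it. The script below is an added example, not code from the answer: a deploy hook that refuses to reload on a broken configuration (a failed reload would leave the old workers serving the old certificate) and then checks that the public endpoint really presents the new certificate. The NGINX variable exists only so the reload logic can be exercised without nginx installed; port 443 is assumed.

```shell
#!/bin/sh
# Added example, not code from the answer: a certbot deploy hook. Installed
# as /etc/letsencrypt/renewal-hooks/deploy/nginx-reload.sh (executable),
# certbot runs it only after a lineage was actually renewed (unlike
# --post-hook, which fires after every `certbot renew` attempt) and exports
# RENEWED_LINEAGE and RENEWED_DOMAINS to it.
set -eu

NGINX="${NGINX:-nginx}"   # overridable so the reload logic can be exercised without nginx

# Reload only if the configuration, including the new key and certificate
# files it references, passes `nginx -t`. A reload with a broken config
# leaves the old workers serving the old (soon expired) certificate, so we
# refuse loudly instead. Returns 0 on reload, 1 when skipped.
reload_if_valid() {
    if "$NGINX" -t >/dev/null 2>&1; then
        "$NGINX" -s reload
        return 0
    fi
    echo "nginx -t failed; not reloading, old certificate still served" >&2
    return 1
}

# After the reload, confirm the public endpoint presents the new leaf:
# compare the SHA-256 fingerprint served on :443 (port assumed) with the
# first certificate in the lineage's fullchain.pem on disk.
served_matches_disk() {   # args: host  fullchain.pem
    _disk=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
    _live=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
            | openssl x509 -noout -fingerprint -sha256)
    [ "$_disk" = "$_live" ]
}

# Entry point when certbot runs us; sourcing the file without the variable
# set (for instance to test the functions) does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_if_valid
    _host=${RENEWED_DOMAINS%% *}   # RENEWED_DOMAINS is space-separated
    if served_matches_disk "$_host" "$RENEWED_LINEAGE/fullchain.pem"; then
        echo "nginx now serves the renewed certificate for $_host"
    else
        echo "reload done but $_host still presents a different certificate" >&2
        exit 1
    fi
fi
```

A non-zero exit from a deploy hook shows up in certbot's output and log, so a reload that silently did nothing (for example because a load balancer in front of nginx terminates TLS with its own copy of the certificate) is caught at renewal time rather than weeks later in a browser.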

Add domain to generate SSL certificate that is not mentioned in nginx conf for certbot

I generated my SSL certificate for (for example) a.com (it was automatically detected in my nginx config). Now I have another domain b.com pointing to the same IP address as a.com but not mentioned in my nginx conf.
How can I generate an SSL certificate for both of these domains using certbot? If I run certbot it only lets me choose a.com because it is mentioned in my nginx conf, but not b.com because it's not mentioned.
Thank you.

Error installing Let's Encrypt on nginx server

I am trying to install a Let's Encrypt SSL certificate across four sites:
mysite.com
es.mysite.com
fr.mysite.com
de.mysite.com
I ran the following command: certbot --nginx -d mysite.com -d www.mysite.com, which worked fine for mysite.com, es.mysite.com and fr.mysite.com. When I ran sudo certbot --nginx -d de.mysite.com I got the following error:
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: de.mysite.com
Type: unauthorized
Detail: Invalid response from
https://de.mysite.com/.well-known/acme-challenge/te29XBKAQdQBbQxvzPTgfgaFpzM_OUj6b4gSuiuPvOI
[MY IP ADDRESS]: "\r\n\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML
1.0 Transitional//EN\"
\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\r\n<"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
I then tried to install the certificate manually using the following command: certbot certonly --manual -d de.mysite.com. I was then asked "Are you OK with your IP being logged?" I selected Y and hit Enter. Then I followed this step:
Create a file containing just this data:
SJpIiQET8X0vehhTjmcPBrm3zsbS1p8f9Mf2oKE5l5w.SkXszSMjtmN2-3gN7kkDhgSElerR3H1MgUc9N8z70n4
And make it available on your web server at this URL:
http://de.mysite.com/.well-known/acme-challenge/SJpIiQET8X0vehhTjmcPBrm3zsbS1p8f9Mf2oKE5l5w
I pressed Enter to Continue and then got the same error:
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: de.mysite.com
Type: unauthorized
Detail: Invalid response from
https://de.mysite.com/.well-known/acme-challenge/SJpIiQET8X0vehhTjmcPBrm3zsbS1p8f9Mf2oKE5l5w
[MY IP ADDRESS]: "\r\n\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML
1.0 Transitional//EN\"
\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\r\n<"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Can anyone advise how to resolve this error and successfully install the Let's Encrypt SSL certificate?
Thanks.
I managed to resolve my issue. I had to include the following in my nginx config first:
location ~ /.well-known {
    allow all;
}
location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /data/wordpress/mysite/;
}
location = /.well-known/acme-challenge/ {
    return 404;
}
Then I had to install the Let's Encrypt SSL certificate manually by running certbot certonly --manual -d de.mysite.com and followed the steps to successfully install the certificate.
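The error text in the question already says what went wrong: the CA fetched the challenge URL and got an XHTML doctype back, meaning a catch-all (here WordPress's front controller) answered instead of the token file. The `^~ /.well-known/acme-challenge/` block in the answer fixes that because a `^~` prefix location stops nginx from considering regex locations for that path. The script below is an added example, not code from the answer: it reproduces the CA's check before you ask for a certificate, by dropping a probe file into the webroot and fetching it through the public hostname. WEBROOT and HOST are placeholders you pass on the command line.

```shell
#!/bin/sh
# Added example, not from the answer: verify that nginx serves files under
# /.well-known/acme-challenge/ as plain text before running certbot, instead
# of a catch-all HTML page (the doctype in the error above is the symptom).
# Usage: ./probe-http01.sh WEBROOT HOST (both are placeholders).
set -eu

# Write a probe file into the webroot and print the token used.
make_probe() {   # arg: webroot
    _dir="$1/.well-known/acme-challenge"
    mkdir -p "$_dir"
    _token="probe-$$-$(date +%s)"
    printf '%s' "$_token" > "$_dir/$_token"
    echo "$_token"
}

# The CA requires the body to be exactly the key authorization it expects;
# an HTML error page, a redirect to a login page or any other substitute
# yields "unauthorized: Invalid response". Same strict comparison here.
response_matches() {   # args: expected actual
    [ "$1" = "$2" ]
}

# Fetch via the public hostname over plain HTTP, following redirects as the
# CA does, then compare and clean up the probe file.
probe_over_http() {   # args: webroot host
    _token=$(make_probe "$1")
    _body=$(curl -fsSL "http://$2/.well-known/acme-challenge/$_token" || echo "")
    rm -f "$1/.well-known/acme-challenge/$_token"
    if response_matches "$_token" "$_body"; then
        echo "OK: $2 serves the challenge directory from $1"
    else
        printf 'FAIL: got "%.60s" instead of the token\n' "$_body" >&2
        return 1
    fi
}

if [ $# -eq 2 ]; then
    probe_over_http "$1" "$2"
fi
```

Run it once per hostname you intend to put on the certificate; a FAIL for one name (de.mysite.com in the question, while the others passed) points at a server block that lacks the challenge location or at a DNS record for that name pointing elsewhere.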

Reprocess SSL with certbot when an alias domain fails but the certificate is generated, not in certonly mode

I started the certbot process with:
sudo certbot --nginx -d example.com -d www.example.com
but I forgot to add 'www.example.com' to the 'server_name' of the nginx virtual site for example.com:
server {
    (...)
    server_name example.com www.example.com;
    (...)
}
Then I got the certificate but not the automatic process to configure my nginx with SSL:
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for example.com
tls-sni-01 challenge for www.example.com
Cleaning up challenges
Cannot find a VirtualHost matching domain www.example.com. In order for Certbot to correctly perform the challenge please add a corresponding server_name directive to your nginx configuration: https://nginx.org/en/docs/http/server_names.html
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
It's as if I had just written:
certbot certonly --standalone -d example.com
because I have just the certificate. Now the config on nginx is OK; can I launch the process again and overwrite all the old values? Is there a problem with the Let's Encrypt Certificate Authority if I request a new certificate for the same domain again? What is the solution: delete everything again, or complete the rest of the process (nginx config) by hand?
It's possible with certbot to launch the SSL process again for domains already created. In my case the domains failed, and it was the first time I used certbot. The nginx config was changed but not totally, so when you try a second time it will complete and update the nginx config. Certbot just updates the config for the domain, commenting out the old lines that it thinks are duplicated and inserting the new ones, adding "# managed by Certbot", so when you need to renew your certificate certbot can change the lines smartly.
Example of my nginx config, with the first try and the second:
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    # Redirect non-https traffic to https
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot

nginx wordpress sub-domain lets encrypt

I run a WordPress site set up with this SSL tutorial: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
I have the example.com domain, and I created the test.example.com sub-domain.
There's a problem connecting to test.example.com: it shows NET::ERR_CERT_COMMON_NAME_INVALID in Chrome.
How can I connect the sub-domain to the existing Let's Encrypt certificate? And
furthermore, how can I connect a second domain, example2.com, to SSL?
As stated in the Let's Encrypt FAQ, Let's Encrypt doesn't offer wildcard certificates:
Let’s Encrypt offers Domain Validation (DV) certificates. We do not
offer Organization Validation (OV), Extended Validation (EV), or
wildcard certificates, primarily because we cannot automate issuance
for those types of certificates.
If you have requested a certificate just for example.com it won't work for www.example.com or test.example.com.
You need to explicitly declare every domain or subdomain in your request using the -d parameter of letsencrypt or the modern certbot:
letsencrypt certonly -a webroot --webroot-path=/var/www/html -d example.com -d test.example.com -d www.example.com
You can request a certificate for different domains the same way:
letsencrypt certonly -a webroot --webroot-path=/var/www/html -d example.com -d www.example.com -d example2.com -d www.example2.com
What are the settings of your nginx server directives?
The server directives for both port 80 and port 443 should refer to the subdomain instead of your domain, like this:
server {
    listen 80;
    server_name subdomain.example.com;
    return 301 https://subdomain.example.com$request_uri;
}
server {
    listen 443 ssl;
    server_name subdomain.example.com;
    ....
}
As for your second domain example2.com, it depends on whether what you purchased is a single-domain SSL certificate or a multi-domain certificate.
