Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
== I have removed the template here because my problem can't be described within it. I didn't run any commands and didn't get any errors ==
My domain name is: www.badianyihou.com
I have installed a Let's Encrypt certificate with this domain name to the server (using dokku letsencrypt plugin) and it works just fine. The website is opened and a secure connection is established.
Now I need to point another domain (www.mnnqdbk.xyz) to the same server, so I added this line to the DNS settings of the new domain:
Host  Type  Line(ISP)  Value         TTL           Status
zfw   A     Default    106.15.78.88  10 minute(s)  Normal
Now when I try to visit www.mnnqdbk.xyz I get a warning:
> The identity of this website has not been verified. Server's certificate does not match the URL.
This is true because my certificate only has 1 domain, www.badianyihou.com.
As I understand, I need to either get a new SSL certificate (probably a paid one) and add 2 domains there or somehow upgrade the current certificate (not sure if this is possible).
Please tell me what is the right thing to do for me. And give more details on how to do it.
For example, if I need to get a new certificate for 2 domains, please tell me whether this is doable through dokku letsencrypt plugin (so that I can enjoy the autorenewal with cron jobs).
Any details will be appreciated, thanks in advance!
Why would you think you'd have to pay for your new certificate?
Changing an already existing certificate is technically the same as getting a new certificate. Definitions such as "upgrade" or even "renewal" are just man-made terms meant to resemble some kind of similarity between a previous certificate and a brand new certificate. A CA might have different policy between "totally new", "updates" or "renewal" based on certain contents of a certificate (mostly the subject alternative names or perhaps the keypair of the cert), but technically every certificate is newly signed and newly issued.
You can either create a new certificate just for www.mnnqdbk.xyz (and possibly also add mnnqdbk.xyz if you like) or add your new domain name to the already existing certificate, so the certificate contains both domains. It really is up to you what you think is "better" in this case. Personally, I include all subdomains of a single domain into one certificate and generate a new certificate for other domains. But it's also perfectly fine to add all hostnames into a single certificate. Whatever floats your boat.
I really have no idea what "dokku" is, let alone how the "dokku letsencrypt" plugin works. I also haven't seen that command around much (if ever?) on this Community, so chances are great nobody here has any experience with it. Doesn't the plugin have any documentation online on how to add/remove domains to a certificate or get a new certificate? How did you set it up in the first place?
It seems there are already multiple certificates issued for www.mnnqdbk.xyz (see crt.sh). Did you do that or was that from a previous owner of the domain name?
Also currently when I go to www.mnnqdbk.xyz and ignore the TLS error, I'm getting the same site contents of your other domain. Is that intentional? Or are the sites supposed to serve different content? Maybe your dokku apps need to be properly set up first?
Hey, thanks for your reply! It made me understand what needs to be done. I added www.mnnqdbk.xyz to the dokku app's domains and renewed the certificate. It seems to have worked well, here are the logs of renewing the certificate:
root@iZuf6d553vzl5isdk61egyZ:~# dokku letsencrypt:enable zfw-rails
=====> Enabling letsencrypt for zfw-rails
-----> Enabling ACME proxy for zfw-rails...
Reloading nginx configuration (via systemctl): nginx.service.
-----> Getting letsencrypt certificate for zfw-rails...
- Domain 'badianyihou.com'
- Domain 'www.badianyihou.com'
- Domain 'mnnqdbk.xyz'
- Domain 'www.mnnqdbk.xyz'
2021/12/23 13:13:33 No key found for account info@badianyihou.com. Generating a P256 key.
2021/12/23 13:13:33 Saved key to /certs/accounts/acme-v02.api.letsencrypt.org/info@badianyihou.com/keys/info@badianyihou.com.key
2021/12/23 13:13:34 [INFO] acme: Registering account for info@badianyihou.com
!!!! HEADS UP !!!!
Your account credentials have been saved in your Let's Encrypt
configuration directory at "/certs/accounts".
You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2021/12/23 13:13:35 [INFO] [badianyihou.com, www.badianyihou.com, mnnqdbk.xyz, www.mnnqdbk.xyz] acme: Obtaining bundled SAN certificate
2021/12/23 13:13:36 [INFO] [badianyihou.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/61254476370
2021/12/23 13:13:36 [INFO] [mnnqdbk.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/61254476380
2021/12/23 13:13:36 [INFO] [www.badianyihou.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/61254476390
2021/12/23 13:13:36 [INFO] [www.mnnqdbk.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/61254476400
2021/12/23 13:13:36 [INFO] [badianyihou.com] acme: Could not find solver for: tls-alpn-01
2021/12/23 13:13:36 [INFO] [badianyihou.com] acme: use http-01 solver
2021/12/23 13:13:36 [INFO] [mnnqdbk.xyz] acme: Could not find solver for: tls-alpn-01
2021/12/23 13:13:36 [INFO] [mnnqdbk.xyz] acme: use http-01 solver
2021/12/23 13:13:36 [INFO] [www.badianyihou.com] acme: Could not find solver for: tls-alpn-01
2021/12/23 13:13:36 [INFO] [www.badianyihou.com] acme: use http-01 solver
2021/12/23 13:13:36 [INFO] [www.mnnqdbk.xyz] acme: Could not find solver for: tls-alpn-01
2021/12/23 13:13:36 [INFO] [www.mnnqdbk.xyz] acme: use http-01 solver
2021/12/23 13:13:36 [INFO] [badianyihou.com] acme: Trying to solve HTTP-01
2021/12/23 13:13:37 [INFO] [badianyihou.com] Served key authentication
2021/12/23 13:13:37 [INFO] [badianyihou.com] Served key authentication
2021/12/23 13:13:37 [INFO] [badianyihou.com] Served key authentication
2021/12/23 13:13:38 [INFO] [badianyihou.com] Served key authentication
2021/12/23 13:13:43 [INFO] [badianyihou.com] The server validated our request
2021/12/23 13:13:43 [INFO] [mnnqdbk.xyz] acme: Trying to solve HTTP-01
2021/12/23 13:13:43 [INFO] [mnnqdbk.xyz] Served key authentication
2021/12/23 13:13:43 [INFO] [mnnqdbk.xyz] Served key authentication
2021/12/23 13:13:44 [INFO] [mnnqdbk.xyz] Served key authentication
2021/12/23 13:13:44 [INFO] [mnnqdbk.xyz] Served key authentication
2021/12/23 13:13:50 [INFO] [mnnqdbk.xyz] The server validated our request
2021/12/23 13:13:50 [INFO] [www.badianyihou.com] acme: Trying to solve HTTP-01
2021/12/23 13:13:51 [INFO] [www.badianyihou.com] Served key authentication
2021/12/23 13:13:51 [INFO] [www.badianyihou.com] Served key authentication
2021/12/23 13:13:52 [INFO] [www.badianyihou.com] Served key authentication
2021/12/23 13:13:57 [INFO] [www.badianyihou.com] Served key authentication
2021/12/23 13:14:04 [INFO] [www.badianyihou.com] The server validated our request
2021/12/23 13:14:04 [INFO] [www.mnnqdbk.xyz] acme: Trying to solve HTTP-01
2021/12/23 13:14:05 [INFO] [www.mnnqdbk.xyz] Served key authentication
2021/12/23 13:14:05 [INFO] [www.mnnqdbk.xyz] Served key authentication
2021/12/23 13:14:05 [INFO] [www.mnnqdbk.xyz] Served key authentication
2021/12/23 13:14:07 [INFO] [www.mnnqdbk.xyz] Served key authentication
2021/12/23 13:14:09 [INFO] [www.mnnqdbk.xyz] The server validated our request
2021/12/23 13:14:09 [INFO] [badianyihou.com, www.badianyihou.com, mnnqdbk.xyz, www.mnnqdbk.xyz] acme: Validations succeeded; requesting certificates
2021/12/23 13:14:10 [INFO] [badianyihou.com] Server responded with a certificate.
But now for some reason I have a warning shown when I visit www.badianyihou.com
Which should be still working fine, as the new certificate includes 4 domains: badianyihou.com, mnnqdbk.xyz, www.badianyihou.com, www.mnnqdbk.xyz
Do you know what causes the validation failure?
P.S. answering this:
> Also currently when I go to www.mnnqdbk.xyz and ignore the TLS error, I'm getting the same site contents of your other domain. Is that intentionally? Or are the sites suppose to serve different content? Maybe your dokku apps need to be properly set up first?
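The "certificate does not match the URL" warning above, both before and after the renewal, comes down to one check: is the hostname in the address bar listed among the certificate's subject alternative names (the "bundled SAN certificate" the log mentions)? The following is an added example, not code from this thread or from the dokku letsencrypt plugin. It reproduces that browser-side check for a certificate in the dict shape Python's `ssl` module returns, over a constructed sample holding the four names the log lists, and includes a `fetch_presented_cert()` helper that connects with SNI set to a given hostname and retrieves whatever certificate the server actually serves for that name, so you can see whether nginx is presenting the new four-name certificate or an older one. The function names and the `SAMPLE_CERT` values are this example's own assumptions.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns
# (a parsed dict), standing in for the four-name certificate the log reports.
SAMPLE_CERT = {
    "subject": ((("commonName", "badianyihou.com"),),),
    "subjectAltName": (
        ("DNS", "badianyihou.com"),
        ("DNS", "www.badianyihou.com"),
        ("DNS", "mnnqdbk.xyz"),
        ("DNS", "www.mnnqdbk.xyz"),
    ),
}


def san_dns_names(cert):
    """Return the DNS names listed in the certificate's subjectAltName.

    Browsers match only against SAN entries (the commonName is ignored), so a
    hostname absent from this list is exactly what produces the
    'certificate does not match the URL' warning."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname, san_names):
    """RFC 6125-style match: exact and case-insensitive, or a leading '*.'
    wildcard that covers exactly one label (so *.example.com matches
    www.example.com but neither example.com nor a.b.example.com)."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            if host.endswith(suffix):
                prefix = host[: -len(suffix)]
                if prefix and "." not in prefix:
                    return True
    return False


def diagnose(hostname, cert):
    """Summarise why a browser would accept or reject `cert` for `hostname`."""
    names = san_dns_names(cert)
    return {
        "hostname": hostname,
        "san_names": names,
        "matches": hostname_matches(hostname, names),
    }


def fetch_presented_cert(hostname, port=443, timeout=5.0):
    """Connect with SNI set to `hostname` and return the certificate the
    server actually presented for that name, as a parsed dict.

    The chain is still verified against the system trust store (verify_mode
    stays CERT_REQUIRED, which is what makes getpeercert() return the parsed
    form); only the hostname check is disabled so that a mismatch is reported
    by diagnose() instead of raising in the middle of the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys

    # Live check of the names from the thread (or any given on the command line).
    for host in sys.argv[1:] or ["www.badianyihou.com", "www.mnnqdbk.xyz"]:
        try:
            result = diagnose(host, fetch_presented_cert(host))
        except (OSError, ssl.SSLError) as exc:
            result = {"hostname": host, "error": str(exc)}
        print(result)
```

Running the script against each hostname separately matters: a server can hand out different certificates depending on the SNI name the client sends, so a certificate that is correct on disk can still be the wrong one for a particular vhost. Comparing `san_names` in the live output with the four names in the renewal log tells you whether the new certificate is actually the one being served for the name that warns.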