Add subdomain into existing certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mrtrobotics.com

I ran this command:

command: certonly --webroot --webroot-path=/var/www/html --email elearning@wemakerobot.com --agree-tos --no-eff-email **--expand** -d mrtrobotics.com -d www.mrtrobotics.com **-d edu.mrtrobotics.com**

It produced this output:

certbot | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot | Plugins selected: Authenticator webroot, Installer None
certbot | Renewing an existing certificate
certbot | Performing the following challenges:
certbot | http-01 challenge for edu.mrtrobotics.com
certbot | Using the webroot path /var/www/html for all unmatched domains.
certbot | Waiting for verification…
certbot | Challenge failed for domain edu.mrtrobotics.com
certbot | http-01 challenge for edu.mrtrobotics.com
certbot | Cleaning up challenges
certbot | Some challenges have failed.
certbot | IMPORTANT NOTES:
certbot | - The following errors were reported by the server:
certbot |
certbot | Domain: edu.mrtrobotics.com
certbot | Type: unauthorized
certbot | Detail: Invalid response from
certbot | https://www.mrtrobotics.com/content-18/ [149.28.180.33]: "
certbot | html>\n\n\n
certbot | charset=“UTF-8”>\ncontent - MRT Robotics | Coding,
certbot | Robotics, and STEM Edu"
certbot |
certbot | To fix these errors, please make sure that your domain name was
certbot | entered correctly and the DNS A/AAAA record(s) for that domain
certbot | contain(s) the right IP address.

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is: Vultr

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

I just would like to expand my certificate for edu.mrtrobotics.com
and I am only getting an error.

nginx.conf

server {
listen 80;
listen [::]:80;

server_name mrtrobotics.com www.mrtrobotics.com;

location ~ /.well-known/acme-challenge {
    allow all;
    root /var/www/html;
}

location / {
    rewrite ^ https://$host$request_uri? permanent;
}

}

server {
listen 80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name edu.mrtrobotics.com;

ssl_certificate /etc/letsencrypt/live/mrtrobotics.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mrtrobotics.com/privkey.pem;

include /etc/nginx/conf.d/options-ssl-nginx.conf;

location / {
    proxy_pass https://127.0.0.1/edu$request_uri;
    proxy_set_header Host mrtrobotics.com;
}

}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name mrtrobotics.com www.mrtrobotics.com;

index index.php index.html index.htm;

root /var/www/html;

server_tokens off;

ssl_certificate /etc/letsencrypt/live/mrtrobotics.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mrtrobotics.com/privkey.pem;

include /etc/nginx/conf.d/options-ssl-nginx.conf;

add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# enable strict transport security only if you understand the implications

location / {
    try_files $uri $uri/ /index.php$is_args$args;
}

location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass wordpress:9000;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
}

location ~ /\.ht {
    deny all;
}

location = /favicon.ico {
    log_not_found off; access_log off;
}
location = /robots.txt {
    log_not_found off; access_log off; allow all;
}
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
    expires max;
    log_not_found off;
}

}

docker-compose.yml

version: ‘3’

services:
db:
image: mysql:8.0
container_name: db
restart: unless-stopped
env_file: .env
environment:
- MYSQL_DATABASE=wordpress
volumes:
- ./db-data:/var/lib/mysql
command: ‘–default-authentication-plugin=mysql_native_password’
networks:
- app-network

wordpress:
depends_on:
- db
image: wordpress:5.1.1-fpm-alpine
container_name: wordpress
restart: unless-stopped
env_file: .env
environment:
- WORDPRESS_DB_HOST=db:3306
- WORDPRESS_DB_USER=$MYSQL_USER
- WORDPRESS_DB_PASSWORD=$MYSQL_PASSWORD
- WORDPRESS_DB_NAME=wordpress
volumes:
- ./wordpress/:/var/www/html
- ./wordpress/php.ini:/usr/local/etc/php/conf.d/uploads.ini
networks:
- app-network

phpmyadmin:
depends_on:
- db
image: phpmyadmin/phpmyadmin:latest
restart: unless-stopped
ports:
- ‘8080:80’
env_file: .env
environment:
- PMA_HOST=db
- MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD
volumes:
- ./wordpress/php.ini:/usr/local/etc/php/php.ini
networks:
- app-network

webserver:
depends_on:
- wordpress
image: nginx:1.15.12-alpine
container_name: webserver
restart: unless-stopped
ports:
- “80:80”
- “443:443”
volumes:
- ./wordpress:/var/www/html
- ./nginx-conf:/etc/nginx/conf.d
- ./certbot-etc:/etc/letsencrypt
networks:
- app-network

certbot:
depends_on:
- webserver
image: certbot/certbot
container_name: certbot
volumes:
- ./certbot-etc:/etc/letsencrypt
- ./wordpress:/var/www/html
command: certonly --webroot --webroot-path=/var/www/html --email elearning@wemakerobot.com --agree-tos --no-eff-email –expand -d mrtrobotics.com -d www.mrtrobotics.com -d edu.mrtrobotics.com

volumes:
certbot-etc:
wordpress:
db-data:

networks:
app-network:
driver: bridge

1 Like

You have this in the port 80 virtualhost for mrtrobotics.com and www.mrtrobotics.com, but it’s missing in the port 80 virtualhost for edu.mrtrobotics.com.

Try including it there.

4 Likes

Thank you for your answer

I was actually using proxy_pass before get certificate. I think it was a problem.
and I was missing what you mentioned as well!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.