Adding a production domain to a test server


#1

Hi there,

I have a CentOS 7 test server with a functional Let’s Encrypt certificate (let’s call it myserver.net). I have installed a demo of my app at www.myserver.net/index.php. A potential customer wants to try it out. I would like to add a new domain & certificate to this server: mycustomer.net. Right now I don’t think I need to set up a virtual host because there is only one app installed there, with myserver.net and mycustomer.net pointing at the same index.php.

So I tried: sudo certbot --apache -d mycustomer.net -d www.mycustomer.net

Is that correct? I get an error message, but I think there is an open bug report on GitHub and they are currently trying to solve it: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

Is there something to do about it right now, or should I wait?

Another question: what if I only create a subdomain, mycustomer.myserver.net? Right now I get a certificate error with Chrome. Is there an easy way to use the myserver.net certificate on all its subdomains?

Thx for your help


#2

Hi,

This means the method you chose to validate is TLS-SNI-01, which has been disabled for security reasons.

For now, you can use webroot for new issuances.

The command corresponding to webroot on your system is
$ sudo certbot --authenticator webroot --installer apache

If you really need a cert now, go for the webroot I mentioned above.
Otherwise, you can wait until a further solution comes out.

That could work using webroot validation; however, I’m not sure if it works using TLS-SNI-01.
Also, it’s another virtual host. (Or use SAN certs.)

Yes, you can use wildcard certs. However, it’s now in testing phase.

Thank you,
Steven Zhu


#3

You can also upgrade to Certbot 0.21.0 or newer.

I don’t know if new packages are available for CentOS yet. If you want to upgrade, you may have to use certbot-auto or another installation method, which comes with its own inconveniences.

You would have to issue a new certificate, with a Certbot command similar to what was used to create the certificate originally. For example, maybe:

sudo certbot --apache --expand -d myserver.net -d www.myserver.net -d mycustomer.myserver.net

Keep the rate limits in mind.

At the moment, there isn’t really another option available. However, Let’s Encrypt plans to start offering wildcard certificates February 27. You would have to upgrade Certbot, and use DNS-01 validation, but you could then get a certificate for *.myserver.net.
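The thread’s last question is whether one certificate can cover all subdomains, and the answer above is a wildcard certificate. The following is an added example, not code from the thread or from Certbot: a small POSIX sh check that applies the browser name-matching rules (exact match, or a leftmost-label wildcard that matches exactly one label) to the constructed SAN lists of the two options discussed here.

```shell
#!/bin/sh
# Added example: does a certificate name (a dNSName SAN entry) cover a hostname?
# Rules applied: case-insensitive exact match, or a wildcard that must be the
# whole leftmost label and matches exactly one non-empty label (RFC 6125 style).

# san_covers NAME HOST -> exit 0 if NAME covers HOST, 1 otherwise
san_covers() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$name" = "$host" ] && return 0
    case "$name" in
        '*.'*)
            suffix=${name#\*.}                 # "*.myserver.net" -> "myserver.net"
            case "$host" in                    # host must end with ".suffix" ...
                *".$suffix") ;;
                *) return 1 ;;
            esac
            left=${host%".$suffix"}            # ... and what is left must be
            case "$left" in                    # exactly one non-empty label
                ''|*.*) return 1 ;;
                *) return 0 ;;
            esac
            ;;
        *) return 1 ;;
    esac
}

# cert_covers HOST NAME... -> exit 0 if any SAN entry covers HOST
cert_covers() {
    host=$1; shift
    for n in "$@"; do
        san_covers "$n" "$host" && return 0
    done
    return 1
}

# Constructed SAN lists for the two options in this thread (not real certs):
# the expanded SAN cert from the --expand command, and the wildcard cert.
# Note the wildcard does not cover the bare apex name, so it is listed too.
for h in mycustomer.myserver.net myserver.net other.myserver.net a.b.myserver.net; do
    cert_covers "$h" myserver.net www.myserver.net mycustomer.myserver.net \
        && san=yes || san=no
    cert_covers "$h" myserver.net '*.myserver.net' && wild=yes || wild=no
    printf '%-24s expanded-SAN:%-3s wildcard:%s\n' "$h" "$san" "$wild"
done
```

The loop shows the practical difference: the expanded SAN certificate only covers names that were listed at issuance, while the wildcard covers any single-label subdomain but still needs the apex name as a separate entry and never matches two labels deep.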


#4

On CentOS 7, I installed certbot using the EPEL repository. I’ve just checked and the latest version available (including epel-testing) is 0.20.0-1.

I think I will use the workaround if there is no drawback.

What is the difference between the two methods?

sudo certbot --apache --expand -d myserver.net -d www.myserver.net -d mycustomer.myserver.net

sudo certbot --authenticator webroot --installer apache

The first command will extend the use of my previous certificate to new domains, whereas the second one will create a new certificate?

The last command will prompt me to input the new domain?


#5

Hi,

The first one will try to use TLS-SNI-01, which has been disabled.
The second one is webroot, which uses HTTP-01, which hasn’t been disabled.


#6

OK, thanks for your answers!
