Adding a subdomain

I already have rpiweather.net set up with SSL and now want to add a few subdomains, e.g. sandbox.rpiweather.net. I have the CNAME for sandbox pointing to rpiweather.net and created the necessary folders in /var/www for the content, and I can reach the site using http.

I tried to add the sandbox domain using certbot --expand but it errored (see below). How do you properly add a subdomain?

Does each subdomain get its own certificate, or is it the same certificate as rpiweather.net?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: rpiweather.net

I ran this command: certbot --expand -d rpiweather.net,www.rpiweather.net,sandbox.rpiweather.net,www.sandbox.rpiweather.net

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: self hosting, registrar and DDNS by dynu.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.12.0

That is confusing. From your prior thread I see you were not using an installer and were using the --webroot method. That error sounds like you tried to change from --webroot to --nginx while also --expanding. It is not clear, since you omitted key parts from the command or responses to Certbot's interactive questions.

Seeing as you already created an HTTPS server block for sandbox you should probably just continue to use --webroot.

I would also get a separate cert for your sandbox domains. Having a single cert with domain names across multiple server blocks is harder to manage as you add new server blocks or remove them.

Did you also create a dedicated server block for your sandbox domains for HTTP (port 80) along the lines of my recommendation in your prior thread? You should have a server block for port 80 and a separate one for port 443.

The Certbot command is then the same as the one you used earlier, just with the sandbox domains. Once you get the cert, update the path for the ssl_certificate files to use the new cert path.

sudo certbot certonly --webroot -w (nginx root folder) -d sandbox.rpiweather.net,www.sandbox.rpiweather.net

Should I change to the --nginx option? Does that make things easier to setup and maintain? I foresee adding 3-6 more subdomains over time. This web related stuff isn't my milieu, so I pretty much piece things together as needed from these online forums :joy:

Yes, my plan is to copy the one you help me with and add the "sandbox.rpiweather.net" wherever I see a "rpiweather.net".

No, I wasn't saying that. Just that the error message in this thread related to using some kind of Certbot "installer" (like --nginx plugin) but in your prior thread you did not use one.

I hope you meant "replace" and not "add"

What happened when you tried the certbot certonly command I suggested? It is the one below, but now I added --dry-run so it will just test it:

sudo certbot certonly --dry-run --webroot -w (nginx root folder) -d sandbox.rpiweather.net,www.sandbox.rpiweather.net

The "(nginx root folder)" should match the root folder in your HTTP (port 80) server block for your sandbox domains.


Here is what I tried:

root@HomeAutomation:/var/www# certbot certonly  sandbox.rpiweather.net,www.sandbox.rpiweather.net
usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: sandbox.rpiweather.net,www.sandbox.rpiweather.net
root@HomeAutomation:/var/www# certbot certonly  -d sandbox.rpiweather.net,www.sandbox.rpiweather.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for sandbox.rpiweather.net and www.sandbox.rpiweather.net
Performing the following challenges:
http-01 challenge for www.sandbox.rpiweather.net
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.
root@HomeAutomation:/var/www# ls -l
total 16
drwxr-xr-x 2 root     root 4096 Apr 14 12:45 GPStracker.rpiwaether.net
drwxr-xr-x 6 www-data pi   4096 Mar 23 07:11 html
drwxr-xr-x 5 pi       pi   4096 Apr 13 07:46 rpiweather.net
drwxr-xr-x 2 root     root 4096 Apr 16 18:46 sandbox.rpiweather.net
root@HomeAutomation:/var/www# ls -l sandbox.rpiweather.net
total 4
-rw-r--r-- 1 root root 65 Apr 14 13:14 index.html
root@HomeAutomation:/var/www# ^C
root@HomeAutomation:/var/www#

And when I selected option 2:

root@HomeAutomation:/var/www# certbot certonly  -d sandbox.rpiweather.net,www.sandbox.rpiweather.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for sandbox.rpiweather.net and www.sandbox.rpiweather.net
Performing the following challenges:
http-01 challenge for www.sandbox.rpiweather.net
Input the webroot for www.sandbox.rpiweather.net: (Enter 'c' to cancel): /var/www/sandbox.rpiweather.net
Waiting for verification...
Challenge failed for domain www.sandbox.rpiweather.net
http-01 challenge for www.sandbox.rpiweather.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.sandbox.rpiweather.net
   Type:   dns
   Detail: DNS problem: looking up CAA for www.sandbox.rpiweather.net:
   DNSSEC: Bogus
root@HomeAutomation:/var/www#

Why didn't you just try the command example I gave you?

Anyway, something is now wrong with your DNS

A CAA record is not required but your DNS server must respond with a proper "not found". Yours does not.

You can reproduce this with https://unboundtest.com

A lookup for a CAA record will fail with a SERVFAIL. But lookups for A records work fine.

A dnsViz report looked okay so I don't have any other suggestions. But, this DNS query failure is the reason for your latest problems.

Once you get an unboundtest query to work or even a Let's Debug test to work then you could try getting another cert


I deleted the sandbox.rpiweather.net file from the /etc/nginx/sites-enabled folder then restarted nginx. That seems to have brought rpiweather.net back online.

I did the test on rpiweather.net and got an enormous response:
unbound.txt (605.0 KB)

So now that rpiweather.net is back online what certbot command should I run to get a cert for sandbox.rpiweather.net?

Sorry, forgot to get this:
pi@HomeAutomation:/etc/nginx/sites-enabled $ sudo sudo certbot certonly --dry-run --webroot -w /etc/nginx -d sandbox.rpiweather.net,www.sandbox.rpiweather.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Simulating a certificate request for sandbox.rpiweather.net and www.sandbox.rpiweather.net
Performing the following challenges:
http-01 challenge for sandbox.rpiweather.net
http-01 challenge for www.sandbox.rpiweather.net
Using the webroot path /etc/nginx for all unmatched domains.
Waiting for verification...
Challenge failed for domain sandbox.rpiweather.net
Challenge failed for domain www.sandbox.rpiweather.net
http-01 challenge for sandbox.rpiweather.net
http-01 challenge for www.sandbox.rpiweather.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: sandbox.rpiweather.net
   Type:   unauthorized
   Detail: 2600:4040:5050:ce00:d6c2:fe84:f82f:13a7: Invalid response
   from
   http://sandbox.rpiweather.net/.well-known/acme-challenge/ZnMeC01LtN9e9qedFyUldWnfbDA4FviwV7BC0pbGlwk:
   404

   Domain: www.sandbox.rpiweather.net
   Type:   unauthorized
   Detail: 2600:4040:5050:ce00:d6c2:fe84:f82f:13a7: Invalid response
   from
   http://www.sandbox.rpiweather.net/.well-known/acme-challenge/9slSe1wiOO1qHwRRjYSQzXXqx8jtZZcQsYZNbLUUcK0:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
pi@HomeAutomation:/etc/nginx/sites-enabled $

There are two problems right now.

One is this ...

has the wrong value for the -w folder. It should be the folder named by the root setting in your nginx server block for those domain names. If you are not sure please show the nginx server block config that listens on port 80 for these names.

Second problem is your DNS is still wrong. The unboundtest.com test works fine for CAA, A and AAAA records for your registered domain rpiweather.net and its sandbox subdomain.

BUT, unboundtest.com still fails for the www.sandbox.rpiweather.net domain. The A and AAAA records are fine. But, the CAA record still gets SERVFAIL. I really don't know why that is. You should try disabling DNSSEC on your entire domain. It is most likely related to a problem with that.

If that does not help try setting up a CNAME for www.sandbox.... the same as you have for sandbox.rpi.... It is a very odd problem with your DNS.

Do you even need the www.sandbox.... name? The sandbox makes me think it is some kind of test site and if so would just the sandbox name be enough?

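The point made twice in this thread (use the root from the port 80 server block, not /etc/nginx, as the -w folder) can be checked mechanically. The following is an added example, not certbot's or nginx's code and not from the original posts: it parses a constructed stand-in for `sudo nginx -T` output (the server blocks, the /var/www/acme directory and the redirect are assumptions made up for the sample), finds the server block that listens on port 80 and matches the hostname, and returns the directory nginx would read /.well-known/acme-challenge/<token> from. That directory is exactly what certbot's webroot authenticator needs in -w, because it writes the token file under <webroot>/.well-known/acme-challenge/.

```python
"""Work out the directory certbot must be given via --webroot -w for a name.

Added example for this thread, not certbot's or nginx's own code. A location
block for the challenge path with its own `root` wins over the server root.
"""
import re
from typing import Iterator, List, Optional, Tuple

# Constructed stand-in for `sudo nginx -T` output; paths are assumptions.
SAMPLE_NGINX_T = """
# configuration file /etc/nginx/sites-enabled/rpiweather.net:
server {
    listen 80;
    listen [::]:80;
    server_name rpiweather.net www.rpiweather.net;
    root /var/www/rpiweather.net;
    # Challenge files come from a separate directory: certbot -w must use it.
    location /.well-known/acme-challenge/ { root /var/www/acme; }
    location / { return 301 https://$host$request_uri; }
}
server {
    listen 443 ssl;
    server_name rpiweather.net www.rpiweather.net;
    root /var/www/rpiweather.net;
    ssl_certificate /etc/letsencrypt/live/rpiweather.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rpiweather.net/privkey.pem;
}
# configuration file /etc/nginx/sites-enabled/sandbox.rpiweather.net:
server {
    listen 80;
    listen [::]:80;
    server_name sandbox.rpiweather.net www.sandbox.rpiweather.net;
    root /var/www/sandbox.rpiweather.net;
    location / { try_files $uri $uri/ =404; }
}
"""

_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')
Item = Tuple[List[str], Optional[list]]  # (args, children); children None = directive


def _parse(tokens: List[str], i: int = 0) -> Tuple[List[Item], int]:
    """Recursive-descent parse of nginx syntax into (args, children) items."""
    items: List[Item] = []
    args: List[str] = []
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok == ";":
            items.append((args, None)); args = []
        elif tok == "{":
            children, i = _parse(tokens, i)
            items.append((args, children)); args = []
        elif tok == "}":
            break
        else:
            args.append(tok)
    return items, i


def parse_nginx(text: str) -> List[Item]:
    return _parse(_TOKEN.findall(re.sub(r"#[^\n]*", "", text)))[0]


def _servers(items: List[Item]) -> Iterator[List[Item]]:
    """Yield every server block at any depth (nginx -T may wrap them in http {})."""
    for args, children in items:
        if children is None:
            continue
        if args[:1] == ["server"]:
            yield children
        else:
            yield from _servers(children)


def _directive(block: List[Item], name: str) -> Optional[List[str]]:
    for args, children in block:
        if children is None and args[:1] == [name]:
            return args[1:]
    return None


def _listen_port(arg: str) -> int:
    """'80' -> 80, '[::]:80' -> 80, '0.0.0.0:8080' -> 8080; no port means 80."""
    port = arg.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else 80


def _name_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return pattern == host


def acme_webroot(nginx_t_output: str, host: str) -> Optional[str]:
    """Directory for `certbot certonly --webroot -w`, or None when no
    port-80 server block serves `host`."""
    for server in _servers(parse_nginx(nginx_t_output)):
        listens = [a[1] if len(a) > 1 else "80"
                   for a, c in server if c is None and a[:1] == ["listen"]]
        if not any(_listen_port(l) == 80 for l in listens):
            continue
        names = _directive(server, "server_name") or []
        if not any(_name_matches(n, host) for n in names):
            continue
        for args, children in server:  # challenge-path location with its own root wins
            if children is not None and args[:1] == ["location"] \
                    and "/.well-known/acme-challenge/" in args:
                loc_root = _directive(children, "root")
                if loc_root:
                    return loc_root[0]
        root = _directive(server, "root")
        return root[0] if root else None
    return None


def certbot_args(webroot: str, domains: List[str], dry_run: bool = True) -> List[str]:
    """The command recommended in this thread, as an argv list."""
    argv = ["certbot", "certonly", "--webroot", "-w", webroot]
    argv += ["--dry-run"] if dry_run else []
    for d in domains:
        argv += ["-d", d]
    return argv


if __name__ == "__main__":
    names = ["sandbox.rpiweather.net", "www.sandbox.rpiweather.net"]
    print(" ".join(certbot_args(acme_webroot(SAMPLE_NGINX_T, names[0]), names)))
```

Run against the real dump with `sudo nginx -T > /tmp/nginx.txt` and feed that text to `acme_webroot`. If it returns None for a name, there is no port 80 server block serving it, which is the same situation as the 404 in the dry run above: the challenge file is written somewhere nginx is not looking.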

I think I have that problem fixed:

pi@HomeAutomation:/etc/nginx/sites-available $ sudo certbot certonly --dry-run --webroot -w /var/www/sandbox.rpiweather.net -d sandbox.rpiweather.net,www.sandbox.rpiweather.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Simulating a certificate request for sandbox.rpiweather.net and www.sandbox.rpiweather.net
Performing the following challenges:
http-01 challenge for sandbox.rpiweather.net
http-01 challenge for www.sandbox.rpiweather.net
Using the webroot path /var/www/sandbox.rpiweather.net for all unmatched domains.
Waiting for verification...
Challenge failed for domain www.sandbox.rpiweather.net
http-01 challenge for www.sandbox.rpiweather.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.sandbox.rpiweather.net
   Type:   dns
   Detail: DNS problem: looking up CAA for www.sandbox.rpiweather.net:
   DNSSEC: Bogus
pi@HomeAutomation:/etc/nginx/sites-available $

This one is beyond me. Here is a snapshot of my DDNS settings:

Does any of this point to the problem?

If my earlier suggestions did not help (adding CNAME for www.sandbox.rpiweather.net or omitting it from usage) then I don't know either. It is very strange why that one name fails and the others do not.

Will need to wait for a better DNS expert than me. There are several but @rg305 might be around now or shortly.


Not exactly, but it could be cleaned up a bit.
[image: DDNS records screenshot]
Notice that the four CNAME entries all point to the base domain name.
But, if those entries were to be deleted, the first two entries would catch those names and resolve them to the exact same IPs [as the base name does].

So...
I would just delete those CNAME entries, as they add nothing to the equation.


The funny thing is ... www.sandbox.rpiweather.net has no CNAME yet the CAA query gets SERVFAIL. The sandbox.rpiweather.net has a CNAME yet the CAA query does not fail.

Do you know why that might be?


There is no DNS entry to cover that many dots:

The wildcard only covers sandbox.

That is a problem within the DNS system.
It should NOT be returning SERVFAIL for names that don't exist.


I thought DNS wildcards covered multiple levels. The cert wildcards do not.

How does this work otherwise?

dig +noall +answer A rpiweather.net
rpiweather.net.         290     IN      A       96.233.51.171

dig +noall +answer A a.b.c.d.rpiweather.net
a.b.c.d.rpiweather.net. 120     IN      A       96.233.51.171

I guess that depends on the DNS system...
OR
You may be right; They might all resolve the IP.

Nonetheless...

NOR
For names that resolve via wildcard.


But there is no CAA wildcard only A and AAAA


And yet:

dig caa www.sandbox.rpiweather.net @ns1.dynu.com.

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> caa www.sandbox.rpiweather.net @ns1.dynu.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52191
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.sandbox.rpiweather.net.    IN      CAA

;; ANSWER SECTION:
www.sandbox.rpiweather.net. 600 IN      CNAME   rpiweather.net.

;; AUTHORITY SECTION:
rpiweather.net.         3593    IN      SOA     ns1.dynu.com. administrator.dynu.com. 18 3600 900 604800 300

;; Query time: 68 msec
;; SERVER: 162.216.242.2#53(ns1.dynu.com.) (UDP)
;; WHEN: Fri Apr 19 03:29:26 UTC 2024
;; MSG SIZE  rcvd: 131

TL;DR:

dig caa www.sandbox.rpiweather.net @ns1.dynu.com.

;; ANSWER SECTION:
www.sandbox.rpiweather.net. 600 IN      CNAME   rpiweather.net.     <<<<<<<<<<
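Two things in this thread are easy to confuse: why a missing CAA record is fine but a SERVFAIL is fatal (the post about unboundtest above), and why the CNAME from www.sandbox.rpiweather.net to the apex matters for the CAA query (the dig output just above). The following is an added example, not Let's Encrypt's or certbot's code and not from the original posts. It simulates the CAA check a CA performs per RFC 8659 section 3 against in-memory zone data: the three zones are constructed, the DNSSEC "Bogus" result is modelled as a SERVFAIL answer, and the digicert.com CAA record in the restricted zone is an assumption used only to show that a CAA record at the CNAME target governs the alias.

```python
"""Simulate the CAA check a CA performs before issuing (RFC 8659 section 3).

Added example for this thread, not Let's Encrypt's or certbot's code. Zone
data is constructed; the DNSSEC "Bogus" failure is modelled as SERVFAIL.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"


@dataclass
class Answer:
    """What a resolver hands back for a CAA query of one name."""
    rcode: str
    cname: Optional[str] = None                                   # alias target
    caa: List[Tuple[int, str, str]] = field(default_factory=list)  # (flags, tag, value)


Zone = Dict[str, Answer]


class CaaLookupError(Exception):
    """A CAA query failed (SERVFAIL): the CA cannot decide and must not issue."""


def query_caa(zone: Zone, name: str) -> Answer:
    """Stand-in for a validating resolver. Names absent from the zone get a
    clean NXDOMAIN, which is the 'proper not found' a healthy setup returns."""
    return zone.get(name, Answer(NXDOMAIN))


def caa_rrset(zone: Zone, name: str, max_aliases: int = 8) -> List[Tuple[int, str, str]]:
    """CAA(X) from RFC 8659: the CAA RRset at X, chasing CNAMEs as an RFC 1034
    lookup would. NXDOMAIN and an empty NOERROR both mean 'no CAA here';
    SERVFAIL is a lookup failure, not an empty set."""
    for _ in range(max_aliases):
        ans = query_caa(zone, name)
        if ans.rcode == SERVFAIL:
            raise CaaLookupError(f"CAA lookup for {name}: SERVFAIL")
        if ans.cname:
            name = ans.cname
            continue
        return ans.caa
    raise CaaLookupError(f"CNAME chain from {name} too long")


def relevant_caa_set(zone: Zone, domain: str):
    """RelevantCAASet(D): climb from D towards the TLD and return the first
    non-empty CAA RRset together with the name it was found at."""
    labels = domain.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = caa_rrset(zone, name)
        if rrset:
            return name, rrset
    return None, []


def issuance_decision(zone: Zone, domain: str, ca: str = "letsencrypt.org") -> str:
    """'allowed', 'forbidden' or 'lookup-failed' for a non-wildcard certificate."""
    try:
        _, rrset = relevant_caa_set(zone, domain)
    except CaaLookupError:
        return "lookup-failed"
    issue = [value for _, tag, value in rrset if tag == "issue"]
    if not issue:
        return "allowed"   # no CAA anywhere, or CAA without 'issue': unrestricted
    return "allowed" if ca in (v.split(";")[0].strip() for v in issue) else "forbidden"


# Constructed zones. Healthy: apex has no CAA, both sandbox names alias the apex.
ZONE_OK: Zone = {
    "rpiweather.net": Answer(NOERROR),
    "sandbox.rpiweather.net": Answer(NOERROR, cname="rpiweather.net"),
    "www.sandbox.rpiweather.net": Answer(NOERROR, cname="rpiweather.net"),
}
# The thread's failure: the resolver cannot validate www.sandbox (DNSSEC Bogus).
ZONE_BOGUS: Zone = dict(ZONE_OK, **{"www.sandbox.rpiweather.net": Answer(SERVFAIL)})
# Assumed CAA at the CNAME target: it governs every name aliased to the apex.
ZONE_RESTRICTED: Zone = dict(
    ZONE_OK, **{"rpiweather.net": Answer(NOERROR, caa=[(0, "issue", "digicert.com")])})

if __name__ == "__main__":
    for label, zone in (("ok", ZONE_OK), ("bogus", ZONE_BOGUS), ("restricted", ZONE_RESTRICTED)):
        print(label, issuance_decision(zone, "www.sandbox.rpiweather.net"))
```

The bogus zone reproduces the thread exactly: sandbox.rpiweather.net passes while www.sandbox.rpiweather.net fails, even though neither name has a CAA record, because the climb starts at the requested name and a SERVFAIL there aborts the check before any parent is consulted. To query the real thing, `dig caa www.sandbox.rpiweather.net` through a validating resolver (status SERVFAIL versus NOERROR/NXDOMAIN in the header) is the equivalent of `query_caa` here.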