Advise on Cert creation


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: seqent.com

I ran this command: was a while ago but…
certbot --webroot -w /dir1/dir2/dir3/ --cert-name Sass -d lan136.seqent.com certonly
certbot --webroot -w /dir1/dir2/dir3/ --cert-name www.seqent.com -d www.seqent.com certonly

It produced this output: do not have any record of this now

My web server is (include version): not permitted to expose this

The operating system my web server runs on is (include version): not permitted to expose this

My hosting provider, if applicable, is: Self hosted

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

Sorry, kind of new at this.

Our primary webserver is www.seqent.com at ip x.x.x.135
We also have other domains such as seqent.biz, .org etc. as well as myotherdomain.com all pointing to the same address as www.seqent.com
Our test server is lan136.seqent.com at x.x.x.136
I created certs as above, one for www.seqent.com and one for lan136.seqent.com and they work fine
Testing against https://seqent.com suggests that the cert is untrusted and I suspect it is because I did not include -d seqent.com when I created the cert
In hindsight I think I should have created a cert with
-d seqent.com
-d seqent.biz (and .net, .info etc as listed above)
-d myotherdomain.com
I’m not sure that I have created these in the best way and am looking for some advice as to how I could have done it better. Given that wildcard certs are now available maybe this changes things again.
I’m thinking that a wildcard cert for *.seqent.com would cover off my test server and production but don’t understand what I would need to do to cover off myotherdomain.com and the seqent.biz, .net, etc that we have.

Looking for some understanding. Thanks


#2

Hi @letseq,

As long as all of the names point to the same server, you can specify up to 100 different names via -d options to Certbot, and all of the names you specify will get included in the same certificate, which will then be valid for any of them. Even now, you could re-run Certbot to issue a new certificate in place of your old one, including both www.seqent.com and seqent.com (and, if you want, any other names). How to split up the names is up to you, but you’ll get a certificate mismatch error if you don’t have some certificate installed on a server that covers the specific name that the user is accessing that server with.

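The coverage rule in the reply above, worked through as an added example (my own code, not Certbot's and not from this thread): it applies the usual browser matching rule to a certificate's SAN list, so you can see that `*.seqent.com` covers `www.seqent.com` and `lan136.seqent.com` but not the bare `seqent.com`, `seqent.biz` or `myotherdomain.com`, and it builds the `-d` list for one certificate that covers every name. The hostname list is constructed from the names mentioned in the question.

```python
"""Check which hostnames a certificate's SAN list covers.

Matching follows the rule browsers use: a SAN dNSName entry matches a
hostname exactly (case-insensitive), and a wildcard entry such as
*.seqent.com matches exactly one extra label (www.seqent.com,
lan136.seqent.com) but not the apex seqent.com, not deeper names
(a.b.seqent.com) and not other registrable domains (seqent.biz).
"""


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName entry covers hostname."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]  # e.g. ".seqent.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        # The wildcard stands in for exactly one non-empty label.
        return bool(leftmost) and "." not in leftmost and "*" not in leftmost
    return san == hostname


def uncovered_names(sans, required):
    """Return the required hostnames that no SAN entry covers, in input order."""
    return [h for h in required if not any(san_matches(s, h) for s in sans)]


def certbot_name_args(required):
    """Build the -d arguments for one certificate covering every required name."""
    args = []
    for h in dict.fromkeys(n.lower() for n in required):  # dedupe, keep order
        args += ["-d", h]
    return args


# Constructed sample: the names the server in the question must answer on.
REQUIRED = ["www.seqent.com", "seqent.com", "lan136.seqent.com",
            "seqent.biz", "myotherdomain.com"]

if __name__ == "__main__":
    for sans in (["www.seqent.com"], ["*.seqent.com"]):
        print(sans, "leaves uncovered:", uncovered_names(sans, REQUIRED))
    print("certbot certonly ... " + " ".join(certbot_name_args(REQUIRED)))
```

Running it shows that a wildcard alone still leaves the apex and the other TLDs uncovered, which is exactly the mismatch the reply describes; those names need their own `-d` entries (or their own certificates).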

#3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.