Can I get certs for a multi-level wildcard?

My domain is: ad.marcuse.net.au and marcuse.net.au
My hosting provider, if applicable, is: cloudflare
I have Letsencrypt in a Docker container: https://hub.docker.com/r/linuxserver/letsencrypt/

Hello,
I've been trying for a while now to get certs for a multi-level domain and I just can't find a solution.

I'm trying to access servers and applications within both the primary and sub domains.
E.g.
server1.ad.marcuse.net.au
and
server.marcuse.net.au

Can someone please help me get the certs to work on both?
I don't mind switching out of the Docker container if that's the only way.
Thank you

Multi-level wildcards don’t exist at all - either don’t use wildcards or use a certificate with multiple wildcard names, e.g.:

*.marcuse.net.au
*.ad.marcuse.net.au

I tried to make the multiple wildcard but it came up with errors.

TZ=Austrlia/Sydney
URL=marcuse.net.au
SUBDOMAINS=wildcard
EXTRA_DOMAINS=*.ad.marcuse.net.au
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=dns
DNSPLUGIN=cloudflare
EMAIL=ben@marcuse.net.au
STAGING=
2048 bit DH parameters present
SUBDOMAINS entered, processing
Wildcard cert for marcuse.net.au will be requested
EXTRA_DOMAINS entered, processing
Extra domains processed are:  -d *.ad.marcuse.net.au
E-mail address entered: ben@marcuse.net.au
dns validation via cloudflare plugin is selected
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created

Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for ad.marcuse.net.au
dns-01 challenge for marcuse.net.au
dns-01 challenge for marcuse.net.au

Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain ad.marcuse.net.au
Challenge failed for domain marcuse.net.au
Challenge failed for domain marcuse.net.au
dns-01 challenge for ad.marcuse.net.au
dns-01 challenge for marcuse.net.au
dns-01 challenge for marcuse.net.au

Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: ad.marcuse.net.au
Type:   unauthorized
Detail: Incorrect TXT record "ca3-285091a9f3c345b7a5640c9d15f690d2"
found at _acme-challenge.ad.marcuse.net.au

Domain: marcuse.net.au
Type:   unauthorized
Detail: Incorrect TXT record "ca3-285091a9f3c345b7a5640c9d15f690d2"
found at _acme-challenge.marcuse.net.au

Domain: marcuse.net.au
Type:   unauthorized
Detail: Incorrect TXT record "ca3-285091a9f3c345b7a5640c9d15f690d2"
found at _acme-challenge.marcuse.net.au

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.

ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.
_acme-challenge.ad.marcuse.net.au. 599 IN CNAME marcuse.net.au.

Can you comment on why you have this CNAME’d? It’ll be the cause of your issue.


It's my wildcard for my DNS.

That’s not a great idea because it affects all record types (in this instance, it messes up the TXT records).

I think what you probably want is a wildcard A record pointing to the same IP as your base domain.

Assuming Cloudflare implements empty non-terminals and wildcards in the standard way, any wildcard is a bad idea, because it will temporarily cease to exist while the _acme-challenge TXT records exist.

Edit: I should have said, relying entirely on one wildcard would be a bad idea. Using them carefully would work.

Can you please tell me how I should set up Cloudflare then?

I don’t know how you want to set it up.

You could add two wildcard A records, “*” and “*.ad”, and remove the wildcard CNAME record.

Do you really need wildcard DNS records, or wildcards in your certificates?

You know that Cloudflare’s cheaper plans don’t support proxying wildcard records, right?

And that, if you do proxy things, Cloudflare’s default certificate is only for marcuse.net.au and *.marcuse.net.au?
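To make the two points above concrete (a wildcard CNAME answers for every record type, including the `_acme-challenge` TXT the CA looks up, and a name that gains a child record becomes an empty non-terminal that a wildcard no longer covers), here is an added example that is not part of this thread and not the linuxserver/letsencrypt container's code. It is a toy authoritative lookup implementing the RFC 4592 wildcard rules and CNAME chasing, run offline over two constructed zone layouts: the single wildcard CNAME from the dig output, and the two wildcard A records ("*" and "*.ad") suggested above. The IP addresses, the apex TXT record and the challenge token are constructed, and the thread's own caveat applies: this models standard wildcard semantics, which Cloudflare may or may not follow exactly.

```python
"""Toy RFC 4592 lookup (closest encloser, empty non-terminals, CNAME chasing)
used to compare DNS layouts before running a dns-01 challenge.
Added example; all zone data below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# owner name (no trailing dot) -> record type -> rdata strings
Zone = Dict[str, Dict[str, List[str]]]


@dataclass
class Answer:
    rcode: str                                  # "NOERROR" or "NXDOMAIN"
    records: List[Tuple[str, str, str]]         # (owner, type, rdata)
    cname_chain: List[Tuple[str, str]] = field(default_factory=list)


def name_exists(zone: Zone, name: str) -> bool:
    """A name exists if it owns records or is an empty non-terminal, i.e. an
    ancestor of some owner name in the zone (RFC 4592 section 2.2.2)."""
    return name in zone or any(owner.endswith("." + name) for owner in zone)


def lookup_once(zone: Zone, qname: str) -> Tuple[str, Dict[str, List[str]]]:
    """Resolve one owner name without following CNAMEs: (rcode, rrsets)."""
    if qname in zone:
        return "NOERROR", zone[qname]
    if name_exists(zone, qname):               # empty non-terminal: exists, no data
        return "NOERROR", {}
    # Walk up to the closest encloser (longest existing ancestor). Only the
    # wildcard child of that name can match; a wildcard higher up does not.
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if name_exists(zone, ancestor):
            wildcard = "*." + ancestor
            return ("NOERROR", zone[wildcard]) if wildcard in zone else ("NXDOMAIN", {})
    return "NXDOMAIN", {}


def resolve(zone: Zone, qname: str, qtype: str, max_hops: int = 8) -> Answer:
    """Look up qname/qtype, restarting at the target whenever a CNAME is hit."""
    chain: List[Tuple[str, str]] = []
    name = qname
    for _ in range(max_hops):
        rcode, rrsets = lookup_once(zone, name)
        if rcode == "NXDOMAIN":
            return Answer("NXDOMAIN", [], chain)
        if qtype != "CNAME" and "CNAME" in rrsets:
            target = rrsets["CNAME"][0]
            chain.append((name, target))
            name = target
            continue
        return Answer("NOERROR", [(name, qtype, rd) for rd in rrsets.get(qtype, [])], chain)
    raise RuntimeError("CNAME chain too long")


def dns01_preflight(zone: Zone, fqdn: str) -> str:
    """Where would the CA's TXT query for _acme-challenge.<fqdn> land *before*
    the client creates the record? Anything but 'clear' means the CA will read
    a record the ACME client never wrote."""
    ans = resolve(zone, "_acme-challenge." + fqdn, "TXT")
    if ans.cname_chain:
        return "shadowed by CNAME -> " + ans.cname_chain[-1][1]
    if ans.records:
        return "stale TXT present"
    return "clear"


# Layout 1 (constructed, mirrors the dig output above): one wildcard CNAME at the apex.
ZONE_WILDCARD_CNAME: Zone = {
    "marcuse.net.au":   {"A": ["203.0.113.10"], "TXT": ['"v=spf1 -all"']},
    "*.marcuse.net.au": {"CNAME": ["marcuse.net.au"]},
}

# Layout 2 (constructed): the two wildcard A records suggested above, no CNAME.
ZONE_WILDCARD_A: Zone = {
    "marcuse.net.au":      {"A": ["203.0.113.10"]},
    "*.marcuse.net.au":    {"A": ["203.0.113.10"]},
    "*.ad.marcuse.net.au": {"A": ["10.0.0.10"]},   # internal-only address, constructed
}

TOKEN = '"constructed-challenge-token"'


def with_challenge(zone: Zone, fqdn: str) -> Zone:
    """Copy of the zone with the dns-01 TXT record an ACME client would add."""
    z = {k: dict(v) for k, v in zone.items()}
    z["_acme-challenge." + fqdn] = {"TXT": [TOKEN]}
    return z


if __name__ == "__main__":
    for label, zone in (("wildcard CNAME", ZONE_WILDCARD_CNAME), ("wildcard A", ZONE_WILDCARD_A)):
        print(f"[{label}] preflight ad.marcuse.net.au:", dns01_preflight(zone, "ad.marcuse.net.au"))
        z = with_challenge(zone, "ad.marcuse.net.au")
        print(f"[{label}] A ad.marcuse.net.au during challenge:", resolve(z, "ad.marcuse.net.au", "A"))
        print(f"[{label}] A server1.ad.marcuse.net.au during challenge:",
              resolve(z, "server1.ad.marcuse.net.au", "A"))
```

With the wildcard CNAME, the preflight shows the TXT query being redirected to the apex, so the CA reads whatever TXT lives at `marcuse.net.au` rather than the token, which is the "Incorrect TXT record" failure in the log. With the two wildcard A records the preflight is clear, and while the challenge record exists `server1.ad.marcuse.net.au` still resolves through `*.ad`, whereas under the single apex wildcard it would return NXDOMAIN, since `ad.marcuse.net.au` is then an empty non-terminal with no wildcard child of its own. The same log also warned about unsafe permissions on `/config/dns-conf/cloudflare.ini`; that file holds an API token able to edit the whole zone, so restrict it to the account running the client.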

Everything under *.ad is internal only.
I'm using the letsencrypt Docker container, which allows proxying within,
so I changed my A records to be what you advised.

I'm still getting an error:

You’ve created several certificates recently.

Is that web server configured to use one of them?

Does it need to be reloaded or restarted?

I get a “connection refused” error trying to connect to https://pfsense.ad.marcuse.net.au/, FYI.

I rebooted the machine that is running the letsencrypt container.
I reloaded and am still getting a certificate error.
I will wait an hour and see if it works.
Accessing all *.ad is internal, so that is why you can't access https://pfsense.ad.marcuse.net.au

How many domains do you need this to work on? 2 or more?
