Can Let's Encrypt work with alias?


#1

A client wanted to create a website with domain example.xyz, but extension .xyz wasn’t available at the time, so he opted to create the website using extension .abc instead, as a stop-gap. When .xyz extensions became available I set this up as an alias of example.abc on the cloud hosting package. I subsequently set up Let’s Encrypt for the domain.abc, which worked fine with the alias as well as the root domain. However, the original domain was subsequently relinquished, and although the website still worked fine at first, a cybersquatter has come along and taken example.abc (even though the content of the website is very niche) and since then the original Let’s Encrypt certificate has expired. This can’t be renewed, as it applies to example.abc.

Is there any way of applying a Let’s Encrypt certificate to an alias specifically? Or do I just have to create a new website on the cloud hosting package and migrate all the files and database across?


#2

Hi @alarch,

I’m not sure I fully understood your question. Let’s Encrypt is not allowed to issue any certificates to people who don’t control the domain names listed in those certificates, even if they once did control them and once were entitled to certificates for them.

Automated renewals will break if you no longer control a domain name mentioned in the certificate, but it should be possible to replace your certificate with one that no longer includes the names that you no longer control. The way of doing this depends on what software you’re using to manage the certificate. For example, if you’re using Certbot, you can run certbot certonly --cert-name example.xyz -d example.xyz -d www.example.xyz to obtain a new certificate for only example.xyz and www.example.xyz, in place of the existing certificate with certname example.xyz.
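
Added example, not part of the original reply: a shell sketch that reads the subjectAltName text of the current certificate, drops every name under a domain you no longer control, and prints the matching `certbot certonly --cert-name ... -d ...` command. The function names `san_names` and `reissue_cmd` are hypothetical, and the SAN text is a constructed sample of what `openssl x509 -noout -ext subjectAltName` prints (OpenSSL 1.1.1 or later).

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed sample of the output of:
#   openssl x509 -in cert.pem -noout -ext subjectAltName
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:example.abc, DNS:www.example.abc, DNS:example.xyz, DNS:www.example.xyz'

# Print each DNS name from openssl SAN text on stdin, lower-cased, one per
# line, in original order and without duplicates. Non-DNS entries are skipped.
san_names() {
    tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' |
        tr 'A-Z' 'a-z' |
        awk '!seen[$0]++'
}

# reissue_cmd CERT_NAME LOST_DOMAIN   (SAN text on stdin)
# Drops LOST_DOMAIN plus any subdomain or wildcard of it and prints the
# certbot command for the remaining names. Returns 1 if no name is left.
# The body runs in a subshell so its variables stay local.
reissue_cmd() (
    cert_name=$1
    lost=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    names=$(san_names)
    args=""
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        case "$name" in
            "$lost" | *".$lost") continue ;;   # name under the lost domain
        esac
        args="$args -d $name"
    done <<EOF
$names
EOF
    [ -n "$args" ] || return 1
    printf 'certbot certonly --cert-name %s%s\n' "$cert_name" "$args"
)

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_SAN" | reissue_cmd example.xyz example.abc
```

Review the printed command before running it; every remaining name still has to pass Let’s Encrypt’s domain validation.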


#3

Thanks for the reply schoen. The cloud hosting interface I have offers few options, and my expertise is limited in any event. The Let’s Encrypt certificates were added via an icon in their Advanced management tools panel provided by the hosting provider.

The domain that I want to apply the SSL certificate to is an alias added via a Domain Aliases icon on the control panel for the original example.abc domain. There are no obvious configuration options.

I guess my question is a general, rather than a specific one. Can Let’s Encrypt certificates be applied to domain aliases specifically? If there is a way of doing so, (perhaps through the means you’ve already suggested) then I can ask my hosting provider whether they can action this on my behalf.


#4

I’m still not quite sure what you mean by “domain aliases” in this context… that might be a concept from your particular control panel. Is it just that the same web site content has various domain names that it can be accessed under?


#5

Hi @alarch

When you create an item in the help section it asks some questions, not all of which are relevant. However, as you are using a Web Administration console, it would be good to know which one you are using (PLESK, cPANEL).

Both Plesk and cPANEL have the concept of domain aliases - is this what you are talking about?

https://documentation.cpanel.net/display/ALD/Aliases
https://docs.plesk.com/en-US/onyx/customer-guide/websites-and-domains/domains-and-dns/adding-domain-aliases.65286/

Andrei


#6

Thanks for the references, Andrei.

Let’s Encrypt certificates should work fine with domain aliases in these senses, but remember that you have to actually own the domain names in question. If you no longer control example.abc, you will not be able to get any Let’s Encrypt certificates for it.


#7

Thanks very much for your time. The control panel is referred to as a Cloud Platform and nothing else. It’s certainly different from cPanel, which I’m familiar with. It seems to be a tailor-made set up, with a restricted set of options.

The domain example.abc is no longer owned, but example.xyz is owned. There was no problem at first, when example.abc was relinquished and not yet claimed by another - only when example.abc was bought by somebody else did the current difficulties arise.

The problem I have is that there doesn’t seem to be a way (for me at least) to assign the certificate to example.xyz - so the browser error messages I’m getting are still referencing the expiry of the certificate for example.abc. All I wanted to know here is whether it’s possible in principle to assign a Let’s Encrypt SSL certificate to an alias. I understand from the above that it is possible. Of course the mechanics of how that is done in my specific situation is something I would have to establish with my hosting provider.

In any event I’ve decided to migrate the website to a new area of the cloud hosting package, which should be independent of the example.abc web space. The transfer is going well, but I’m still getting certificate error messages with the new Let’s Encrypt certificates I’ve installed specifically for example.xyz (which I’ve deleted as an alias). I guess this is just a matter of allowing DNS servers to update, so I’ll have to be patient.


#8

It sounds like the trouble could be that the cloud hosting platform doesn’t acknowledge that it should no longer attempt to obtain certificates for example.abc, and then repeatedly fails to obtain them.

Some of our own software was slow in acquiring features to facilitate dropping names from existing certificates, so maybe that’s not surprising. 🙂

I hope the hosting provider is able to help you.


#9

I am still confused why you just don’t get a new certificate for example.xyz and use that?

Andrei


#10

I have got a new certificate for example.xyz - but something about the setup of the old certificate for example.abc is stopping it from being implemented correctly - perhaps along the lines that schoen has suggested. In any event, my hosting provider is on the case, and have accepted that the problem and resolution lies with them. Hopefully, the matter will get resolved in the next couple of days.

