Cannot create certificate for a subdomain

I installed letsencrypt on my domain following the instructions from an application installation script for FusionPBX. The encryption worked fine, but I cannot add encryption for a subdomain. I added the subdomain to my A and AAAA records. I get an error when I try to rerun letsencrypt with the subdomain.

Does anyone know the correct way to add a subdomain using dehydrated, which was the method I used when I followed the installation script for FusionPBX?

My domain is: pyrtelcom.net

I ran this command: ./letsencrypt.sh

It produced this output:

root@localhost:/usr/src/fusionpbx-install.sh/debian/resources# ./letsencrypt-auto -d exemple.com -d subdomain.mydomain.com --dry-run
-bash: ./letsencrypt-auto: No such file or directory

root@localhost:/usr/src/fusionpbx-install.sh/debian/resources# ./letsencrypt.sh -d exemple.com -d subdomain.mydomain.com --dry-run

Domain Name: mydomain.com subdomain.mydomain.com
Email Address: me@myemail.com
fatal: destination path ‘dehydrated’ already exists and is not an empty directory.

INFO: Using main config file /etc/dehydrated/config

  • Account already registered!

INFO: Using main config file /etc/dehydrated/config

Processing mydomain.com with alternative names: subdomain.mydomain.com

My web server is (include version):

The operating system my web server runs on is (include version): debian 9

My hosting provider, if applicable, is: linode

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Hi @lewsr

There is your error. Your subdomain's port 80 works, but there is a redirect to https, and port 443 doesn’t work.

If you want to use http validation, a working port 80 is required (without a redirect) or a redirect with a working destination is required.

Looks like a bad idea having a redirect http -> https if you don’t have a working certificate.
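A pre-flight check for exactly the condition this answer describes, as an added example that is not from the thread, from dehydrated or from the FusionPBX installer: it requests a random token under http://host/.well-known/acme-challenge/ on port 80, follows any redirect the way the CA's validator would, and reports whether the chain ends at a server that answers (a 404 for a random token is the expected good outcome) or at an https destination that refuses the connection. The host name in the script is a placeholder; the `scripted_fetch` helper exists only so the chain logic can be exercised offline.

```python
"""Pre-flight check for HTTP-01 validation: can the CA reach
http://<host>/.well-known/acme-challenge/<token> on port 80, following any
redirect to a destination that actually answers?  Added example, not part of
the thread or of dehydrated/FusionPBX."""
import http.client
import secrets
import ssl
import sys
import urllib.parse

REDIRECTS = {301, 302, 303, 307, 308}
MAX_HOPS = 10  # generous bound; the CA also gives up after a small number of hops


def probe_url(host):
    """Random token: a correctly served challenge directory answers 404 to it."""
    return f"http://{host}/.well-known/acme-challenge/{secrets.token_urlsafe(16)}"


def fetch_hop(url, timeout=10):
    """One GET without following redirects.  Returns (status, Location header).
    Connection and TLS failures propagate as exceptions to the caller."""
    p = urllib.parse.urlsplit(url)
    if p.scheme == "https":
        # The CA follows redirects to https but does not require a trusted
        # certificate there, so the probe must not fail on a self-signed or
        # missing certificate either; a refused connection still fails.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(p.hostname, p.port or 443, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(p.hostname, p.port or 80, timeout=timeout)
    try:
        conn.request("GET", p.path or "/", headers={"Host": p.hostname, "User-Agent": "acme-preflight/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def follow(url, fetch=fetch_hop, max_hops=MAX_HOPS):
    """Walk the redirect chain.  Each hop is (url, status, location); a hop that
    could not be fetched is recorded as (url, None, reason) and ends the chain."""
    hops = []
    for _ in range(max_hops):
        try:
            status, location = fetch(url)
        except (OSError, http.client.HTTPException) as exc:  # ssl.SSLError is an OSError
            hops.append((url, None, f"{type(exc).__name__}: {exc}"))
            return hops
        hops.append((url, status, location))
        if status in REDIRECTS and location:
            url = urllib.parse.urljoin(url, location)
        else:
            return hops
    hops.append((url, None, "too many redirects"))
    return hops


def classify(hops):
    """Turn a chain into a verdict: 'OK', 'FAIL' or 'WARN' plus an explanation."""
    final_url, status, info = hops[-1]
    redirected = len(hops) > 1
    if status is None:
        if redirected:
            return (f"FAIL: redirect to {final_url} does not work ({info}); "
                    "a redirect is only acceptable when its destination answers")
        return f"FAIL: {final_url} unreachable ({info})"
    if status == 404:
        where = "redirect destination" if redirected else "port 80"
        return f"OK: {where} serves /.well-known/acme-challenge/ (404 for a random token is the expected answer)"
    if 200 <= status < 300:
        return (f"WARN: {final_url} returned {status} for a random token; "
                "a catch-all page would make the CA see the wrong content")
    return f"WARN: unexpected status {status} at {final_url}"


def scripted_fetch(script):
    """Build a fetch() for offline testing from {url: (status, location) | Exception}."""
    def fetch(url):
        reply = script[url]
        if isinstance(reply, BaseException):
            raise reply
        return reply
    return fetch


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "subdomain.mydomain.com"  # placeholder host
    chain = follow(probe_url(host))
    for url, status, info in chain:
        print(f"{url} -> {status if status is not None else info}")
    print(classify(chain))
```

Run it as `python3 acme_preflight.py subdomain.mydomain.com` before retrying dehydrated. A chain that ends in `FAIL: redirect to https://... does not work` is the situation in this thread: port 80 answers, but the redirect sends the validator to a port 443 that has nothing to offer yet.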

Hello Sir, and thank you for your response to my question. I checked my iptables and got this output:

root@localhost:/etc/iptables# cat rules.v4

# Generated by iptables-save v1.6.0 on Tue Feb 4 15:12:39 2020

*mangle
:PREROUTING ACCEPT [30:1695]
:INPUT ACCEPT [30:1695]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [77:10003]
:POSTROUTING ACCEPT [77:10003]
-A OUTPUT -p udp -m udp --sport 16384:32768 -j DSCP --set-dscp 0x2e
-A OUTPUT -p udp -m udp --sport 5060:5091 -j DSCP --set-dscp 0x1a
-A OUTPUT -p tcp -m tcp --sport 5060:5091 -j DSCP --set-dscp 0x1a
COMMIT

# Completed on Tue Feb 4 15:12:39 2020

# Generated by iptables-save v1.6.0 on Tue Feb 4 15:12:39 2020

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [77:10003]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "sipcli/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "sipcli/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "pplsip" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "pplsip" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "system " --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "system " --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "exec." --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "exec." --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060:5091 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5091 -j ACCEPT
-A INPUT -p udp -m udp --dport 16384:32768 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT

# Completed on Tue Feb 4 15:12:39 2020

root@localhost:/etc/iptables#

It appears to my untrained eye that port 443 is open.

FYI, I have never been able to get the wildcard or the subdomain portions of letsencrypt to work when using the dehydrated app.

I think my server is missing the config files to make the subdomain encryption work, but I cannot find any help files to fix this. I keep getting the following error when I try to add encryption to the subdomain:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
cat: /etc/dehydrated/certs/subdomain.mydomain.com/fullchain.pem: No such file or directory
cat: /etc/dehydrated/certs/subdomain.mydomain.com/privkey.pem: No such file or directory
cp: cannot stat ‘/etc/dehydrated/certs/subdomain.mydomain.com/cert.pem’: No such file or directory
cp: cannot stat ‘/etc/dehydrated/certs/subdomain.mydomain.com/chain.pem’: No such file or directory
cp: cannot stat ‘/etc/dehydrated/certs/subdomain.mydomain.com/fullchain.pem’: No such file or directory
cp: cannot stat ‘/etc/dehydrated/certs/subdomain.mydomain.com/privkey.pem’: No such file or directory

Remove your redirect http -> https.

Your port 80 works.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.