Cannot get Cert for new subdomain


#1

Hello,

I am setting up an internal QA site using .net instead of .com. I have edited my conf files to reflect ‘.net’. (this is apache)

When I attempt to run certbot on the new QA env, I get the following…

Any and all assistance is greatly appreciated!!!


IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: qa.company.net
    Type: unauthorized
    Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
    Requested
    Received certificate containing
    ’*.company.com, company.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.


#2

I think you generated a cert for .com and not for .net. So you should generate a cert for .net and use it for the *.company.net


#3

Thank you for the reply. The problem is, I do not know how to do that. No matter what I do, it seems to send me “.com”. How do I generate a cert for “.net”?

Thank you!!!


#4

Let’s Encrypt is out here on the public Internet. Even though you’re running certbot on your local QA environment, Let’s Encrypt needs to reach the named servers from the public Internet. It seems like when it tries to reach these servers it instead gets to your production servers, not the QA environment.

If you can fix that, so that qa.example.net (or whatever this system is called) leads to your QA environment from the public Internet, then you should be able to go ahead successfully. I understand that it can be embarrassing to reveal the real Fully Qualified Domain Names involved, but it will be very hard for us to help diagnose problems otherwise.

On the other hand, if you know you don’t want the QA environment to be accessible from the public Internet you need to use the DNS challenge instead of TLS-SNI-01. You can do this from the very latest certbot version (0.9.1 or later should be enough) or from shell scripts such as acme.sh BUT you need to be able to change DNS entries for your system from a program, or else it’s a huge pain to do this.
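A diagnostic that reproduces what the validation server saw in the error above, as an added example that is not code from this thread or from certbot: it connects with the requested name as the TLS SNI (as the Let’s Encrypt validator does), reads the DNS SANs of whatever certificate is actually served at that name from the outside, and checks whether they cover the name. The hostnames and SAN lists are constructed placeholders.

```python
import socket
import ssl


def san_matches(hostname: str, san_names: list[str]) -> bool:
    """Return True if hostname is covered by a DNS SAN.
    A wildcard covers exactly one leftmost label (RFC 6125),
    so '*.company.com' covers 'qa.company.com' but not 'a.b.company.com'
    and never 'qa.company.net'."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                      # ".company.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def explain(requested: str, received_sans: list[str]) -> str:
    """Summarise a validation result in the same terms as the certbot error."""
    if san_matches(requested, received_sans):
        return f"ok: {requested} is covered by {received_sans}"
    return (f"unauthorized: requested {requested}, received certificate "
            f"containing {', '.join(received_sans)}")


def fetch_served_sans(hostname: str, port: int = 443) -> list[str]:
    """Network helper (not exercised offline): connect with SNI=hostname and
    return the DNS SANs the server presents. Chain verification stays on so
    the certificate is parsed; only the hostname check is disabled, since a
    mismatch is exactly what we want to observe."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed input mirroring the thread: the .net name is answered
    # by the production .com certificate, so validation cannot succeed.
    print(explain("qa.company.net", ["*.company.com", "company.com"]))
```

Run it from a host outside your network with `fetch_served_sans("qa.company.net")` in place of the constructed list; if the SANs come back as the .com set, the public DNS or vhost for the .net name is still landing on the production server.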


#5

Hello tialarmex,

I think I know what the issue is but, I am not clear on how to get around it. Any help you can provide will be GREATLY appreciated, may I add in advance…

The issue is that the QA site is named as follows… login-qa.company.net, while the ‘company.net’ is set in DNS to route to our ‘company.com’ if the FQDN entered is not found…

We have another site that is configured this way and working correctly but, I cannot determine what the magic is.

Thanks so much!


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.