Cannot use newly generated certificate

robinvh · March 1, 2020, 9:59am

My domain is:
hsaconfluente.nl

I ran this command:
sudo certbot certonly --manual -d ‘*.hsaconfluente.nl’

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for hsaconfluente.nl

NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?

(Y)es/(N)o: y

Please deploy a DNS TXT record under the name
_acme-challenge.hsaconfluente.nl with the following value:

a3tSImSKIkXsCSGT1dSax6xc4P5Y0PEgdqXrJ3EMU3A

Before continuing, verify the record is deployed.

Press Enter to Continue
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/hsaconfluente.nl-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/hsaconfluente.nl-0001/privkey.pem
Your cert will expire on 2020-05-30. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
“certbot renew”
If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

My web server is (include version):
Nodejs 12.13

The operating system my web server runs on is (include version):
Ubuntu 18.04.3 (LTS) x64

My hosting provider, if applicable, is:
DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Problem: I already had a certificate, but that is expiring, therefore i wanted to renew it. This is what i did to renew it. Now however, it generated a new certificate in the folder etc/letsencrypt/live/hsaconfluente.nl-0001/. But as soon as i linked to that from my index.js file, it makes my connection not private when i try to acces the webpage.

JuergenAuer · March 1, 2020, 10:08am

Hi @robinvh

you use certonly, so your webserver isn't reloaded. And if a new folder (0001) is created, you have to change your configuration, so the correct file is used.

https://certbot.eff.org/docs/using.html

PS: Checking your domain you use the certificate - https://check-your-website.server-daten.de/?q=hsaconfluente.nl

CN=*.hsaconfluente.nl
	01.03.2020
	30.05.2020
expires in 90 days	*.hsaconfluente.nl - 1 entry

But used with hsaconfluente.nl that's invalid, because a wildcard certificate doesn't work with your main domain.

Create one certificate with two domain names - hsaconfluente.nl + *.hsaconfluente.nl.

mnordhoff · March 1, 2020, 10:20am

What does "sudo certbot certificates" output?

For what it's worth, Certbot has a DigitalOcean DNS plugin available via sudo apt install python3-certbot-dns-digitalocean. (It hasn't been updated recently, but I think it's still good.)

Exactly what URL did you access? What error message did you get?

robinvh · March 1, 2020, 10:25am

sudo certbot certificates outputs:
Found the following certs:
Certificate Name: hsaconfluente.nl-0001
Domains: *.hsaconfluente.nl
Expiry Date: 2020-05-30 08:09:35+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/hsaconfluente.nl-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/hsaconfluente.nl-0001/privkey.pem
Certificate Name: hsaconfluente.nl
Domains: hsaconfluente.nl
Expiry Date: 2020-03-02 14:54:02+00:00 (VALID: 1 day)
Certificate Path: /etc/letsencrypt/live/hsaconfluente.nl/fullchain.pem
Private Key Path: /etc/letsencrypt/live/hsaconfluente.nl/privkey.pem

i accessed https://hsaconfluente.nl and got “This server could not prove that it is hsaconfluente.nl ; its security certificate is from *.hsaconfluente.nl . This may be caused by a misconfiguration or an attacker intercepting your connection.”

robinvh · March 1, 2020, 10:27am

trying to create one certificate with two domain names gives an error:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
An unexpected error occurred:
Error creating new order :: Cannot issue for “hsaconfluente.nl + *.hsaconfluente.nl”: Domain name contains an invalid wildcard. A wildcard is only permitted before the first dot in a domain name
Please see the logfiles in /var/log/letsencrypt for more details.

mnordhoff · March 1, 2020, 10:46am

Wildcards precisely apply to one "level" of subdomain, as it were. *.hsaconfluente.nl matches abc.hsaconfluente.nl and def.hsaconfluente.nl and so forth, but not a.b.c.d.e.f.hsaconfluente.nl or even hsaconfluente.nl.

The two domains need to be specified as two separate command line options, e.g.:

sudo certbot certonly --manual -d hsaconfluente.nl -d '*.hsaconfluente.nl'

system · March 31, 2020, 10:46am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.