I have the following problem. I created a wildcard certificate with certbot.
The TLD and the subdomain cloud.tld work fine, but it.tld doesn't. Both subdomains have a valid A record. I do not understand why the browser says it.tld is "not safe".
Your website is not using the wildcard certificate entirely. It's serving a certificate for the hostnames cloud.dennisbuehler.de, dennisbuehler.de and www.dennisbuehler.de.
Did you install the certificate into Apache after you got it?
Also note that the ACME client lego supports Netcup as a DNS provider to automate the adding and removing of the TXT record so you can automate issuance of the wildcard certificate. And the Certbot plugin certbot-dns-multi (developed by one of the Certbot developers, but technically a third party plugin for Certbot) uses lego under the hood, so you could use that plugin to automate issuance using Certbot!
And another question: do you actually require a wildcard certificate? Or is it also possible to simply extend the current certificate with the three hostnames mentioned above to include the it subdomain?
Please also note that you've often generated more certificates than required: crt.sh | dennisbuehler.de
Looks like you're often issuing the wildcard certificate multiple times within a few days. I'm not sure why you would do that? In general it seems certificates for your domain are issued multiple times in a row since you started using Let's Encrypt back in 2021. Please only issue a certificate once and renew it after 60 days, not earlier.
root@celeste:/home/dtm# certbot --expand -d it.dennisbuehler.de
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for it.dennisbuehler.de
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/wordpress-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/wordpress-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/wordpress-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/wordpress.conf to ssl vhost in /etc/apache2/sites-available/wordpress-le-ssl.conf
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/it.dennisbuehler.de/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/it.dennisbuehler.de/privkey.pem
Your cert will expire on 2023-10-06. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew all of
your certificates, run "certbot renew"
If you like Certbot, please consider supporting our work by:
Yeah, Certbot is stupid in that way. It didn't recognise your other already present certificates, because Certbot requires you put all hostnames using -d on the command line, even if you just want to add a single hostname to an already existing certificate.
E.g., if you already have a certificate for foo.example.com and bar.example.com using certbot -d foo.example.com -d bar.example.com and you'd want to add baz.example.com to that existing certificate, you'd want to run certbot --expand -d foo.example.com -d bar.example.com -d baz.example.com unfortunately.
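The two points made in this thread, that the served certificate only lists certain hostnames and that --expand has to repeat every existing name, can be checked mechanically. The script below is an added example for this thread and is not code from the forum, from Certbot or from Let's Encrypt. It assumes an openssl 1.1.1 or newer binary is on PATH (for the -ext flag), and the hostname list it runs on is a constructed sample taken from the reply above rather than a live lookup.

```shell
#!/bin/sh
# Added example, not from the thread: read the DNS names a certificate covers,
# decide whether a hostname is covered (with correct wildcard semantics), and
# build the full "certbot --expand" command that keeps every existing name.

# Print the DNS entries of a certificate's subjectAltName, one per line.
# Argument is either a PEM file (cert_sans /etc/letsencrypt/live/x/cert.pem)
# or host:port plus an SNI name (cert_sans example.com:443 example.com).
# Assumes openssl >= 1.1.1, which understands "-ext subjectAltName".
cert_sans() {
  if [ -f "$1" ]; then
    openssl x509 -in "$1" -noout -ext subjectAltName
  else
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
      | openssl x509 -noout -ext subjectAltName
  fi | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Return 0 if SAN entry $1 (possibly "*.example.com") covers hostname $2.
# A wildcard matches exactly one leftmost label: *.example.com covers
# it.example.com but neither example.com nor a.b.example.com (RFC 6125 6.4.3).
san_covers() {
  pat=$1; h=$2
  case "$pat" in
    \*.*)
      suffix=${pat#\*.}
      # the hostname must be <single-label>.<suffix>
      [ "${h#*.}" = "$suffix" ] && [ "${h%%.*}" != "$h" ] ;;
    *) [ "$pat" = "$h" ] ;;
  esac
}

# Return 0 if any SAN in the space-separated list $2 covers hostname $1.
covered_by() {
  host=$1
  for san in $2; do
    san_covers "$san" "$host" && return 0
  done
  return 1
}

# Build the certbot command that repeats every existing name and appends the
# new ones. $1: space-separated names already on the certificate; remaining
# arguments: names to add. Names already present are not listed twice.
expand_command() {
  names=$1; shift
  for n in "$@"; do
    case " $names " in
      *" $n "*) ;;                     # already on the certificate
      *) names="$names $n" ;;
    esac
  done
  cmd="certbot --expand"
  for n in $names; do cmd="$cmd -d $n"; done
  printf '%s\n' "$cmd"
}

# Constructed sample: the three names the reply says the site currently serves.
# For a live check replace this with:
#   SERVED=$(cert_sans it.dennisbuehler.de:443 it.dennisbuehler.de | tr '\n' ' ')
SERVED="cloud.dennisbuehler.de dennisbuehler.de www.dennisbuehler.de"

if covered_by it.dennisbuehler.de "$SERVED"; then
  echo "it.dennisbuehler.de is covered by the served certificate"
else
  echo "it.dennisbuehler.de is NOT covered; run:"
  expand_command "$SERVED" it.dennisbuehler.de
fi
```

With the sample list the script reports that it.dennisbuehler.de is not covered and prints the --expand command with all four names, which is exactly the form the reply above describes; a wildcard entry such as *.dennisbuehler.de in the served certificate would make covered_by succeed instead, so the check also tells you whether the wildcard certificate is actually the one being served.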