Certbot nginx expand fails for subdomains

My domain is: portwenn.net

I ran this command: certbot --expand --nginx -d portwenn.net,nextcloud.portwenn.net

It produced this output:

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: nextcloud.portwenn.net
Type: unauthorized
Detail: 34.198.182.201: Invalid response from Portwenn NextCloud Server "\n\n\nPortw"

My web server is (include version): nginx version: nginx/1.22.0

The operating system my web server runs on is (include version):

FreeBSD nextcloud 13.1-RELEASE FreeBSD 13.1-RELEASE n245376-eba770b30ff TRUENAS amd64

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.29.0

Hello, first post and a noob at certificates and webhosting. I have a self hosted server. I have a no-ip DDNS service with a registered domain. I have it set for wildcards and I have nextcloud.portwenn.net redirected to portwenn.net.

The certificate is successfully created for portwenn.net and I can access it from the internet. All route trace tests are successful for the domain and subdomains. I would like to add a cert for subdomains so I can redirect to specific ports as I enable various services.

It is possible I am doing this all wrong as I am new to this. I cannot seem to find another post that addresses my issue in a way I can understand. Any help is appreciated.

It looks like you have set up this redirect using what's called an "iframe redirection". This is sometimes called URL Masking.

This isn't going to work for the purposes of SSL or getting an SSL certificate.

You need to point your subdomain at your main domain using DNS (with a DNS A or CNAME record in no-ip), and then set up a redirection on your nginx web server.

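Before re-running certbot after changing the no-ip records, it is worth checking the two things the reply above asks for: that the subdomain now resolves to the same address as the apex, and that a request under /.well-known/acme-challenge/ reaches your own nginx rather than the provider's masking page (which is what the "Invalid response ... Portw" error was showing). The script below is an added example, not from this thread or from certbot; it assumes dig and curl are installed, and the sample inputs in the comments are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): pre-flight checks for a subdomain that
# was "redirected" with URL masking instead of a DNS CNAME/A record.
# Assumes dig and curl are available; hostnames are the ones from the thread.

# Print "masked" if an HTTP body looks like a provider iframe/frameset page,
# "acme" if it looks like an ACME key authorization (token.thumbprint),
# or "other" (e.g. nginx's own 404, which is fine before a challenge runs).
classify_body() {
  case "$1" in
    *"<iframe"*|*"<IFRAME"*|*"<frameset"*|*"<FRAMESET"*) echo masked ;;
    *) if printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'; then
         echo acme
       else
         echo other
       fi ;;
  esac
}

# Return 0 when both newline-separated IPv4 lists are non-empty and equal as
# sets (what a CNAME from the subdomain to the apex gives you), 1 otherwise.
same_address_set() {
  a=$(printf '%s\n' "$1" | sort -u)
  b=$(printf '%s\n' "$2" | sort -u)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Only the A records; "dig +short" also prints the CNAME target line for an
# alias, which we drop so that alias and apex compare equal.
ipv4_records() {
  dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Live wrapper: usage "preflight portwenn.net nextcloud.portwenn.net".
# Exits non-zero if the subdomain points elsewhere or still serves a
# masking page. No redirects are followed: the masking page is the first hop.
preflight() {
  apex=$1; sub=$2
  if ! same_address_set "$(ipv4_records "$apex")" "$(ipv4_records "$sub")"; then
    echo "DNS: $sub does not resolve to the same addresses as $apex" >&2
    return 1
  fi
  body=$(curl -s --max-time 10 "http://$sub/.well-known/acme-challenge/preflight-probe")
  if [ "$(classify_body "$body")" = masked ]; then
    echo "HTTP: $sub still answers with a masking page, not your nginx" >&2
    return 1
  fi
  echo "ok: $sub resolves like $apex and the challenge path reaches your server"
}
```

Run the two pure functions against saved responses if you want to check a body you already captured; only preflight touches the network.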

Ok thank you. When I have some time I will take a look and see if I can figure out how to change my records at no-ip.

However, I don't know how to set up a redirect on my nginx server. I can search around for that but if anyone has a "best practice" I would appreciate some advice.

The tricky part is I am setting up various services on a TrueNAS machine. What I am doing here is just for the NextCloud instance. I think once I get the no-ip records straight, I will want only the nextcloud.portwenn.net certificate for the NextCloud jail. Other services will have their own jail and probably each of those will have just one subdomain certificate.

Please let me know if I am on the right track or not. Thanks for the help.


I have figured out how to create CNAME records at no-ip. I think I had mistakenly thought that I could only have one CNAME record due to the updater client pointing to the root domain, and that the subdomains had to be redirects. So I have created CNAME records for my subdomains, which should allow me to send services to various ports.

I tried to delete certs for the old domains and now my nginx server is broken. There is a section in the user guide on "safely deleting certificates" that I think I am going to have to go through. After I clear out all previous domains I will try to basically start over and I should only need one subdomain per server. Hopefully that will simplify the setup. This time I will keep track of changes with git so I can tag working commits and restore it if I break something.

If anyone has any advice on how to reset all certs I would appreciate some guidance. Thank you.


To recap the current status:

  1. Your nginx server is sending out a TrueNAS default cert.
  2. Your nginx is redirecting http requests for both domains to https.
  3. You never got a cert for your nextcloud domain, only your portwenn.net name.
  4. I don't see any CNAMEs for these domains.

Let's start with seeing what certbot has by showing the result of this:

certbot certificates

Thank you for the help.

I tried to "safely delete certificates" according to the certbot docs and at this point my nginx server is totally broken. I cannot manage to restore a self-signed cert, and certbot certificates returns nothing because I removed everything manually.

I tried these steps and it seems I got it working again:

  1. I tried to recreate the self-signed certs with
    openssl req -nodes -batch -x509 -newkey rsa:2048 -keyout /usr/local/etc/letsencrypt/self-signed-privkey.pem -out /usr/local/etc/letsencrypt/self-signed-cert.pem -days 356

Not sure what good this did as I could not find out where to refer to it. This step may be useless.

  2. I cleared out the old /usr/local/etc/nginx/conf.d/nextcloud.conf by copying the nextcloud.self-signed.conf to nextcloud.conf. But that didn't help.

  3. Having cleared out everything I decided to basically start over from here.
    certbot --nginx --domain nextcloud.portwenn.net

  4. Edit /usr/local/etc/nginx/nginx.conf:
    truenas -> nextcloud.portwenn.net

  5. service nginx restart

  6. Restart the NextCloud app from the TrueNAS plugins page.

  7. Now you will have too many redirects. For some reason the /usr/local/etc/nginx/conf.d/nextcloud.conf has too many server and listen lines. I made the following changes:

################################################################################

server {
listen 443 ssl http2;
server_name _;
->
server {
#listen 443 ssl http2;
#server_name _;

################################################################################
include conf.d/nextcloud.inc;
}

server {

location ^~ /.well-known/acme-challenge {

->
include conf.d/nextcloud.inc;
#}

#server {

################################################################################

location ^~ /.well-known/acme-challenge {


}

location / {
    return 301 https://$host:443$request_uri;
}

server_name nextcloud.portwenn.net; # managed by Certbot

->
}

#location / {
#    return 301 https://$host:443$request_uri;
#}

server_name nextcloud.portwenn.net; # managed by Certbot

################################################################################

  8. service nginx restart

Now both the direct LAN IP (self-signed) and the URL work. Thanks for helping, I hope this helps someone else.

So in the end, my issue was not needing to add subdomains. I had my DDNS set up wrong: I needed to add a CNAME record for the subdomain at no-ip, and the updater client in my router takes care of the DDNS updating. Now I only need one domain and that simplifies my problem.

The resources I used for all this are:

Main NextCloud on TrueNAS tutorial:

Infinite redirect fix:

Certbot docs:
https://eff-certbot.readthedocs.io/en/stable/using.html
