Certbot --nginx multidomain port 80 open

This is a fresh install on a newly created Ubuntu 2022 server; I installed certbot with snap. I've been testing my proof-of-concept reverse proxy locally and now want to add SSL. Only port 80 is open at the moment, and port 80 goes to the default nginx page at this point.

Since I am doing multiple subdomains will dns challenges work?

I would like to get started. If I try to do just localtest.live and www.localtest.live and it works, can I add the other domains with another run?

Nothing helpful in the letsencrypt.log beyond the results seen below.

My domain is: localtest.live

I ran this command: sudo certbot -v --nginx -d *.localtest.live

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Requesting a certificate for *.localtest.live
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

My web server is (include version): nginx 1.18

The operating system my web server runs on is (include version): Ubuntu 2022 server

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don't know): probably; I am running with a user account where sudo is always on, so all commands are run with sudo ...

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no - using ssh

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6

You requested a wildcard cert which is fine. But, you also requested to use the --nginx plugin which only supports HTTP Challenges. You must use a DNS Challenge to get a wildcard cert.

You can only use discrete names with HTTP Challenges. See Background here

Managing numerous domains takes some planning. Not sure I know enough about your future plans to advise well. But, generally, I like to have one cert for each nginx server block. If a server block has multiple names (like root and www subdomain) then get one cert for those two names. If it has 4 names then a cert with those 4 and so on.

If you have very many names a wildcard is a good alternative. But, setting up automated DNS Challenges often takes more work. With large numbers of domains you can also reach the Let's Encrypt rate limit of 50 certs per week for same root domain.

3 Likes

Although --nginx would technically try to be used as both authenticator and installer,
I also don't see how it could be used for either of those:

  • wildcard authentication requires DNS-01 authentication
  • nginx should have a hard time matching *.localtest.live to an actual vhost
    [but one could argue that "server_name *.localtest.live" should match]
2 Likes

nginx itself supports wildcard names in server_name (even * on the end) but the Certbot --nginx plugin does not. At least not for authentication.

I wonder if the --nginx plugin was used only as the installer if it would match a wildcard name authenticated with dns-challenge? Do you know?

2 Likes

I don't - I have the same wonder.
Like, can you mix and match
manual DNS authentication with nginx installation?

2 Likes

This is what I am going to do:
start out with the base domain + www.

2nd step: add the most needed real subdomain and see how it goes.

I'll post back.

1 Like

I successfully installed and deployed certs for base domain and www base domain.

I will add on subdomains one at a time.

1 Like

Are those subdomains serving the same content [from the same vhost]?

2 Likes

They are serving different content - some just for our staff, some for customers, some just hanging out in the public sphere.

Developers come in over vpn or ssh depending.

Then I would recommend that you use separate certificates [one for each vhost].

2 Likes
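As an added illustration of two points raised in this thread (it is not code from any poster, nor from the Certbot project): the "one cert per vhost" recommendation above, and the earlier question of whether you can mix a DNS authenticator with the nginx installer. Certbot's -a/--authenticator and -i/--installer options are real and can be combined, so a wildcard name can be validated over DNS-01 (with a DNS plugin such as dns-cloudflare, which additionally needs its own credentials option, or with --manual, which is interactive and will not renew unattended without an auth hook) while the nginx plugin only does the install. Discrete names keep using --nginx for HTTP-01 over port 80. The vhost list, cert names and the DNS plugin name are constructed assumptions; nothing is executed unless RUN=1 is set.

```shell
#!/bin/sh
# Plan one certbot run per nginx server block. Added example; the vhost list
# below is constructed and "localtest.live" is reused from the thread only as
# an illustration. Globbing is disabled so "*.example" names stay literal.
set -euf

# Return 0 (true) if any name in the space-separated list is a wildcard.
needs_dns() {
    for name in $1; do
        case "$name" in
            \*.*) return 0 ;;
        esac
    done
    return 1
}

# Print the certbot command for one vhost as a single line.
# $1: cert name (ends up under /etc/letsencrypt/live/<name>/)
# $2: space-separated names for that server block
# $3: DNS authenticator plugin (e.g. dns-cloudflare) or "manual" (default)
certbot_cmd() {
    certname=$1; names=$2; dnsauth=${3:-manual}
    if needs_dns "$names"; then
        # The nginx authenticator cannot satisfy DNS-01, so a DNS
        # authenticator is paired with nginx as installer only.
        if [ "$dnsauth" = manual ]; then
            cmd="certbot --manual --preferred-challenges dns -i nginx"
        else
            cmd="certbot -a $dnsauth -i nginx"
        fi
    else
        # Discrete names: HTTP-01 over port 80, nginx authenticates and installs.
        cmd="certbot --nginx"
    fi
    cmd="$cmd --cert-name $certname"
    for name in $names; do
        cmd="$cmd -d $name"
    done
    printf '%s\n' "$cmd"
}

# Constructed vhost list, one "<cert-name>:<names>" entry per line. Each entry
# is one server block and gets exactly one certificate, as recommended above.
VHOSTS='localtest.live:localtest.live www.localtest.live
files.localtest.live:files.localtest.live
wild.localtest.live:*.localtest.live'

# Emit the full plan, one command per vhost. DNS_PLUGIN overrides "manual".
plan() {
    printf '%s\n' "$VHOSTS" | while IFS=: read -r certname names; do
        certbot_cmd "$certname" "$names" "${DNS_PLUGIN:-manual}"
    done
}

# Each line of the plan is one certificate request, so the line count is what
# to compare against Let's Encrypt's per-registered-domain weekly limit.
plan_size() {
    plan | wc -l | tr -d ' '
}

# Dry by default: print the plan. With RUN=1 execute each command via sudo.
if [ "${RUN:-0}" = 1 ]; then
    plan | while read -r line; do eval "sudo $line"; done
else
    plan
fi
```

Running the script as-is prints three commands: the base domain and www share one certificate, the file server gets its own over HTTP-01, and the wildcard entry switches to a DNS authenticator with nginx as installer. Set DNS_PLUGIN=dns-cloudflare to see the plugin form instead of --manual.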

One cert per subdomain is what is working. I just added our fileserver subdomain and all is well. I have a few more to deal with but one of them is getting shut down by our packet sniffer in http mode to the extent that I had to drive into work to clear the problem. - not your problem.

2 Likes

Cert renewals should be done 30 days in advance of their expirations.
[that is normally enough to prevent the need for immediate attention]
Anyway, I'm glad you were able to resolve the issue.

Packet sniffing can become addictive and some will eventually sniff more than they should - LOL

3 Likes
