Certbot - Nginx with catch-all subdomain results an error

namukcom · April 3, 2024, 9:39am

My Nginx host setting is below.

server_name ple.app ~^(?[^.]+).ple.app;

this works well with nginx to catch-all subdomains.

But with certbot, it results an error. (certifications are issues to ple.app , *.ple.app)

2024-04-03 18:24:07,840:DEBUG:certbot.util:Not suggesting name "~^(?[^.]+).ple.app"
Traceback (most recent call last):
File "/snap/certbot/3643/lib/python3.8/site-packages/certbot/util.py", line 389, in get_filtered_names
filtered_names.add(enforce_le_validity(name))
File "/snap/certbot/3643/lib/python3.8/site-packages/certbot/util.py", line 575, in enforce_le_validity
raise errors.ConfigurationError(
certbot.errors.ConfigurationError: ~^(?[^.]+).ple.app contains an invalid character. Valid characters are A-Z, a-z, 0-9, ., and -.

Osiris · April 3, 2024, 9:43am

Is Certbot actually erroring out (i.e.: quitting due to this error) or is it just a debug message in your log?

Because if I read that code correctly:

github.com

certbot/certbot/blob/a7674bd45a90e421b18ee00f60943ec170320499/certbot/certbot/util.py#L377-L392


      
          def get_filtered_names(all_names: Set[str]) -> Set[str]:
              """Removes names that aren't considered valid by Let's Encrypt.
          
              :param set all_names: all names found in the configuration
          
              :returns: all found names that are considered valid by LE
              :rtype: set
          
              """
              filtered_names = set()
              for name in all_names:
                  try:
                      filtered_names.add(enforce_le_validity(name))
                  except errors.ConfigurationError:
                      logger.debug('Not suggesting name "%s"', name, exc_info=True)
              return filtered_names

it would "catch" the error message, log the debug message, but continu anyway.

If you require a wildcard certificate it's probably best to select the domains on the command line, base domain name and wildcard domain name, using the -d option, instead of relying on the nginx installer to extract the hostnames from the nginx configuration.

MikeMcQ · April 3, 2024, 1:57pm

The Certbot --nginx plugin does not support it although Certbot has other methods which would. (and, I am not certain the plugin does not support all regular expressions in the server_name)

That would not avoid the issue as you are still using the --nginx plugin. That plugin parses the nginx config. Worse, that command won't work at all since you are requesting a wildcard cert but that plugin only supports HTTP Challenges. A wildcard cert requires a DNS Challenge.

As noted already, Certbot can readily support regular expressions in the server_name using --webroot (or even --manual).

If you successfully use the --nginx plugin it will reload nginx for you. So, this statement contradicts your first suggestion. If using the --webroot method you use the --deploy-hook to reload nginx or various other ways.

This looks like you copy/pasted from some AI bot. Please do not do that. Such info from today's bots is often misleading or just wrong. And if you did do not pass it off as your own.

system · May 3, 2024, 1:57pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Error getting validation data - NGINX Server	8	5257	March 25, 2018
"Unauthorized" "Invalid response" Help	9	1454	August 18, 2021
Certbot, Nginx, wildcards Help	5	92	March 2, 2025
Certbot nginx Challenge failed Help	7	2146	August 13, 2023
Problems with nginx with many configs Help	2	420	April 23, 2021

Certbot - Nginx with catch-all subdomain results an error

Related topics