Certbot - Nginx with catch-all subdomain results in an error

My Nginx host setting is below.

server_name ple.app ~^(?[^.]+).ple.app;

This works well with nginx to catch all subdomains.

But with certbot, it results in an error. (Certificates are issued to ple.app and *.ple.app.)

2024-04-03 18:24:07,840:DEBUG:certbot.util:Not suggesting name "~^(?[^.]+).ple.app"
Traceback (most recent call last):
File "/snap/certbot/3643/lib/python3.8/site-packages/certbot/util.py", line 389, in get_filtered_names
filtered_names.add(enforce_le_validity(name))
File "/snap/certbot/3643/lib/python3.8/site-packages/certbot/util.py", line 575, in enforce_le_validity
raise errors.ConfigurationError(
certbot.errors.ConfigurationError: ~^(?[^.]+).ple.app contains an invalid character. Valid characters are A-Z, a-z, 0-9, ., and -.

Is Certbot actually erroring out (i.e.: quitting due to this error) or is it just a debug message in your log?

Because if I read that code correctly:

it would "catch" the error message, log the debug message, but continue anyway.

If you require a wildcard certificate, it's probably best to select the domains on the command line (the base domain name and the wildcard domain name) using the -d option, instead of relying on the nginx installer to extract the hostnames from the nginx configuration.

2 Likes
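As an added illustration (not code from the thread, and not certbot's own implementation), the following Python sketch shows the behaviour the traceback and the reply above describe: the nginx installer walks every server_name entry, applies the character rule quoted in the error message (only A-Z, a-z, 0-9, "." and "-"), and on failure logs the name as "not suggested" and moves on rather than aborting. The function names are borrowed from the traceback for readability only; the wildcard handling, the label checks and the sample directive are this example's own assumptions.

```python
"""Why certbot's --nginx installer skips a regex server_name.

Added illustration, not certbot's own code: a small re-implementation of the
filter behind the DEBUG line in the thread ("Not suggesting name ..."). The
validity rule is the one quoted in the error message (only A-Z, a-z, 0-9,
'.' and '-'); the wildcard handling and the label checks are this example's
own simplifications.
"""
import re
from typing import Iterable, List, Tuple

# Character set quoted verbatim in the thread's ConfigurationError message.
_LE_NAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")


class InvalidName(ValueError):
    """A server_name entry that cannot appear on a certificate."""


def enforce_le_validity(name: str) -> str:
    """Return `name` if it can be a certificate SAN, else raise InvalidName.

    An nginx regex name ("~^...") or anything else with characters outside
    the allowed set fails here. A leading "*." is accepted as a wildcard
    label (this example's own choice; wildcard certs are what the poster has).
    """
    host = name[2:] if name.startswith("*.") else name
    if not _LE_NAME_RE.match(host):
        raise InvalidName(
            f"{name} contains an invalid character. "
            "Valid characters are A-Z, a-z, 0-9, ., and -."
        )
    labels = host.split(".")
    if len(labels) < 2 or any(
        not lbl or lbl.startswith("-") or lbl.endswith("-") for lbl in labels
    ):
        raise InvalidName(f"{name} is not a valid hostname")
    return name.lower()


def parse_server_names(directive: str) -> List[str]:
    """Split 'server_name a b c;' into ['a', 'b', 'c'] (unquoted names only)."""
    body = directive.strip().rstrip(";")
    parts = body.split()
    if not parts or parts[0] != "server_name":
        raise ValueError("not a server_name directive")
    return parts[1:]


def get_filtered_names(names: Iterable[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Keep valid names; record (name, reason) for the rest and carry on.

    This is the 'catch the error, log a debug line, continue' path the reply
    describes: one regex entry does not abort the run, it is simply never
    offered as a certificate name.
    """
    suggested: List[str] = []
    skipped: List[Tuple[str, str]] = []
    for name in names:
        try:
            suggested.append(enforce_le_validity(name))
        except InvalidName as exc:
            # certbot's equivalent is the DEBUG line: Not suggesting name "..."
            skipped.append((name, str(exc)))
    return suggested, skipped


# Constructed sample: the poster's directive plus an explicit wildcard entry.
SAMPLE_DIRECTIVE = "server_name ple.app ~^(?[^.]+).ple.app *.ple.app;"


def demo() -> Tuple[List[str], List[Tuple[str, str]]]:
    """Run the filter over the constructed sample directive."""
    return get_filtered_names(parse_server_names(SAMPLE_DIRECTIVE))


if __name__ == "__main__":
    ok, dropped = demo()
    print("would be suggested:", ok)
    for name, why in dropped:
        print(f'Not suggesting name "{name}": {why}')
```

The practical consequence matches the advice in the reply: a regex server_name can never be turned into a certificate name by the installer, so the wildcard has to be named explicitly with -d rather than discovered from the nginx configuration.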

The Certbot --nginx plugin does not support it, although Certbot has other methods which would. (And I am not certain the plugin does not support all regular expressions in the server_name.)

That would not avoid the issue as you are still using the --nginx plugin. That plugin parses the nginx config. Worse, that command won't work at all since you are requesting a wildcard cert but that plugin only supports HTTP Challenges. A wildcard cert requires a DNS Challenge.

As noted already, Certbot can readily support regular expressions in the server_name using --webroot (or even --manual).

If you successfully use the --nginx plugin it will reload nginx for you. So, this statement contradicts your first suggestion. If using the --webroot method you use the --deploy-hook to reload nginx or various other ways.

This looks like you copy/pasted from some AI bot. Please do not do that. Such info from today's bots is often misleading or just wrong. And if you did, do not pass it off as your own.

4 Likes