Certbot only issued first certificate


#1

Hi. Very new to this whole ssl arena. But I now have it working for a Wordpress multisite running on Google Compute engine. Im using 'certbot-auto certonly’
I had most difficulty getting Certbot to issue subsequent certificates (several days of head scratching). In response to the prompt "Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’ to cancel): I entered
domain.co,subdomain.domain.co (note, no space, just the ‘,’).
And this resulted in a certificate only for domain.co (note. .co is the correct domain not .com)
This only started working correctly (issuing all certificates, when I entered
domain.co, subdomain.domain.co (note with the space after the ‘,’)
So, I don’t have a problem now. But I thought this observation might be useful to someone else.
Thanks Let’s Encrypt :smile:


#2

Thanks for the feedback. Glad you got it sorted :slight_smile:

I’ll flag @schoen @bmw so they can follow up with certbot.


#3

Yes, thank you for taking the time to report the issue.

I don’t have a .co domain name I can test with, but this doesn’t happen for other TLDs and no other users have reported this issue. I suspect what may have happened here is a slight misunderstanding of how Certbot works, however, I’d like to follow up and make sure there’s not a bigger issue here.

On a single run of certbot-auto certonly, only one certificate will ever be issued. The first provided domain will be used as the commonName of the certificate and all names will be added as subjectAltNames or SANs. When validating certificates, all modern software checks subjectAltNames so it doesn’t matter on a technical level which name is used as the commonName.

If you were looking at certificates yourself, you may not have realized this and were only looking at the commonName. If you were getting errors from software, I expect a certificate other than the one issued by Let’s Encrypt may have been being used.

If you haven’t deleted in any files in /etc/letsencrypt manually, you can see all certificates Certbot has ever obtained by by running a script like this as root:

#!/bin/sh
if ! [ -x /etc/letsencrypt/archive ]; then
    echo "Please run me with root privileges."
    exit 1
fi
for file in /etc/letsencrypt/archive/*/cert*.pem; do
    echo "$file:"
    openssl x509 -in $file -noout -text | grep DNS
done

This will generate output like this:

/etc/letsencrypt/archive/a.example.org/cert1.pem:
                DNS:a.example.org, DNS:www.example.org
/etc/letsencrypt/archive/example.org/cert1.pem:
                DNS:example.org, DNS:www.example.org

If you happen to find a certificate containing only domain.co and you never only asked for that domain, please take a look in /var/log/letsencrypt and see if you can find the log file corresponding to this issue so I can properly debug it.

I hope this helps! Unfortunately, TLS certificates can be unnecessary confusing.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.