Certificate and nginx

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
akvarij.eu
I ran this command:

It produced this output:

My web server is (include version) centos 8:

The operating system my web server runs on is (include version): nginx

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0
My question is:
When I make a certificate for my website, for example akvarij.eu,
and it has the aliases www.akvarij.eu and mail.akvarij.eu,
are those the same certificate or are these different certificates, each containing the name of its subdomain? For example, does the certificate for mail.akvarij.eu contain the subdomain name mail.akvarij.eu
while the akvarij.eu certificate contains the name akvarij.eu, and those two cannot be mixed?
Because now, no matter what I try, it doesn't give me a certificate from Let's Encrypt
but one from iRedMail, which is self-signed.

1 Like

If all FQDNs resolve to one IP, you should use certbot to obtain a cert with all the names on it.
Then you can use it within just about any software.
[don't try to get a cert from within iRedMail - just configure it to use the cert obtained by certbot]

Show:
certbot certificates

3 Likes

Found the following certs:
Certificate Name: akvarij.eu
Serial Number: 340361c49e6341ca471d3661b24e54058a4
Key Type: RSA
Domains: mail.akvarij.eu
Expiry Date: 2022-07-27 08:39:46+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/akvarij.eu/fullchain.pem
Private Key Path: /etc/letsencrypt/live/akvarij.eu/privkey.pem
Certificate Name: bla.akvarij.eu
Serial Number: 4321c82de45cfa599bf00a7db3749ac7d06
Key Type: RSA
Domains: bla.akvarij.eu
Expiry Date: 2022-07-27 09:27:20+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/bla.akvarij.eu/fullchain.pem
Private Key Path: /etc/letsencrypt/live/bla.akvarij.eu/privkey.pem
Certificate Name: mail.akvarij.eu
Serial Number: 340361c49e6341ca471d3661b24e54058a4
Key Type: RSA
Domains: mail.akvarij.eu
Expiry Date: 2022-07-27 08:39:46+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/mail.akvarij.eu/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.akvarij.eu/privkey.pem
Certificate Name: www.akvarij.eu
Serial Number: 340361c49e6341ca471d3661b24e54058a4
Key Type: RSA
Domains: mail.akvarij.eu
Expiry Date: 2022-07-27 08:39:46+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.akvarij.eu/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.akvarij.eu/privkey.pem

1 Like

Would you show the command you used to create the akvarij.eu cert?

Something is very odd. Your list of domains has 3 of the 4 certs with only the mail domain name in it. And, the 3 timestamps for those are identical even though the Certificate Names are different. Did you copy / paste some of that info in pieces?

And, no actually issued cert (crt.sh) even has the mail domain in it

3 Likes

I made a big mistake. I tried too many times to create a certificate, so yes, I copied the mail.akvarij.eu one.
That's why I am asking whether it is possible to use one certificate for subdomains, or whether that is written in the certificate so I need to wait 1 week to make the right certificate again.

1 Like

I still don't understand what you did. But, yes, you can create a single cert with multiple domain names in it. You can specify multiple domain names like this

-d akvarij.eu -d www.akvarij.eu -d ...

You don't have any certs with multiple names yet so it should work but once you have a good cert don't keep making more. Once you have a good cert you need to make sure your server is configured correctly. Again, if you provided your certbot command I could give better advice.

3 Likes

What I did is create a certificate and nginx gives me 502 Bad Gateway.
So I deleted the certificate and created it again until I got this:
certbot --nginx
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: akvarij.eu: see Rate Limits - Let's Encrypt
Then I read on the forum that I can create another subdomain certificate and use that one for other subdomains.
So I created mail.akvarij.eu and copied that one for akvarij.eu and www.akvarij.eu,
and it looks like that doesn't work.
And I don't know what I should do now to make it work.

1 Like

Your nginx server is configured wrong. It looks like it has an incorrect proxy configuration. Getting new certs won't fix the 502 failure. I see this:

curl -Ik  https://akvarij.eu

HTTP/2 502
server: nginx
date: Thu, 28 Apr 2022 21:48:05 GMT
content-type: text/html
content-length: 166

You should adjust your server config until the above curl command works. The -k bypasses the cert check for testing purposes only.

Once you fix your nginx server, then obtain a new cert with all the domain names in it. A cert with a different list of names will be allowed.

I am stepping away for a while but someone here may help look at your nginx config. Please show the results of below command. Or, go to an nginx server config forum for help on the 502.

sudo nginx -T
3 Likes

Thank you, I appreciate your help.
The problem is that I would like to install a Vanilla forum on the same server, which doesn't work with Apache. I used to do web pages with Apache and this is my first time on nginx.
So I first installed iRedMail and after that the Vanilla forum, but iRedMail uses a proxy and templates and Vanilla uses a conf file for nginx. And I am totally lost here.
Do I now also need to create a template for the Vanilla forum, or can I use a conf file like before I installed iRedMail? I don't know how to combine those two.
And I would like to use Let's Encrypt certificates for all of it.
I put the result of sudo nginx -T in a pastebin file because it is too long.
https://privatebin.povej.net/?9d29774ce2fb89af#DNtwG7Q5e3FSNz2yJ4nx65HHHgPXPmTPYnwart4xJuYk

and this is vanilla forum nginx conf file
https://privatebin.povej.net/?2e882a788c0c02fd#H4ZXCywMtPwTYQEdrfaAhs5CotjSZdhqLKvqFS8PUWg9

1 Like

As shown, that copy doesn't do what you expected.
You have the exact same cert being managed via three cert names - with no benefit and only adding confusion to the situation.
I would delete the first and last one.

2 Likes

I have deleted those two certificates but certbot doesn't allow me to create a new one.
And next I need to add to that setup a Vanilla forum which will be accessible on akvarij.eu and www.akvarij.eu.

certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?


1: akvarij.eu
2: www.akvarij.eu


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for akvarij.eu
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: akvarij.eu: see Rate Limits - Let's Encrypt
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

If you do not enter a number, a cert with both names will be created. Since you have not yet created a cert with both names, it is new and is not affected by the rate limit for your other cert.

2 Likes
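To make the "exact set of domains" point concrete, here is an added example (not certbot or Let's Encrypt code) that models the duplicate-certificate limit quoted in the error above, 5 certificates per 168 hours for an identical set of names; the limit values come from the error message and the issuance history is constructed to match the thread.

```python
"""Model of the Let's Encrypt duplicate-certificate limit quoted in the
error above: at most 5 certificates per 168 hours for the *exact* same set
of names. Added example, not certbot or Let's Encrypt code; the issuance
history is constructed for illustration."""
from datetime import datetime, timedelta, timezone

DUPLICATE_LIMIT = 5            # "too many certificates (5) already issued"
WINDOW = timedelta(hours=168)  # "in the last 168 hours"

def name_set(names):
    """The identity the limit keys on: the exact set of names. Order, letter
    case and a trailing dot do not matter; one extra or missing name does."""
    return frozenset(n.strip().lower().rstrip(".") for n in names)

def duplicates_in_window(history, names, now):
    """Count earlier issuances of exactly this name set inside the window."""
    wanted = name_set(names)
    return sum(1 for issued_at, issued_names in history
               if name_set(issued_names) == wanted and now - issued_at < WINDOW)

def can_issue(history, names, now):
    """True when a new order for `names` is not blocked by the limit."""
    return duplicates_in_window(history, names, now) < DUPLICATE_LIMIT

def retry_after(history, names, now):
    """Earliest moment the limit frees up, or None if not blocked now."""
    wanted = name_set(names)
    in_window = sorted(t for t, n in history
                       if name_set(n) == wanted and now - t < WINDOW)
    if len(in_window) < DUPLICATE_LIMIT:
        return None
    # Allowed again once enough of the oldest issuances age out of the window.
    return in_window[len(in_window) - DUPLICATE_LIMIT] + WINDOW

# Constructed history mirroring the thread: five orders for {akvarij.eu}
# in the past week, plus one for {mail.akvarij.eu}.
NOW = datetime(2022, 4, 28, 22, 0, tzinfo=timezone.utc)
HISTORY = [(NOW - timedelta(hours=h), ["akvarij.eu"]) for h in (150, 120, 96, 48, 2)]
HISTORY.append((NOW - timedelta(hours=12), ["mail.akvarij.eu"]))

if __name__ == "__main__":
    for names in (["akvarij.eu"], ["akvarij.eu", "www.akvarij.eu"]):
        verdict = "allowed" if can_issue(HISTORY, names, NOW) else \
            f"blocked until {retry_after(HISTORY, names, NOW)}"
        print(names, verdict)
```

Adding www.akvarij.eu to the request changes the name set, so the five earlier {akvarij.eu} orders do not count against it.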

I still don't see the mail.akvarij.eu domain or that serial number in crt.sh. If that was ever a valid cert it should have showed up by now.

I think you should focus on getting your site running properly with HTTP. Make sure each of your domain names (maybe less mail) is working as you want. Then try to get HTTPS working. You are trying to do too much at once.

Use the nginx website or forums devoted to the packages you are trying to use to help configure it. Like Vanilla Forums

3 Likes

I finally can make a certificate, so I created it now for akvarij.eu and www.akvarij.eu.

mail.akvarij.eu works; I also renewed this certificate.
All works except my config for the akvarij.eu site, where I get 502 Bad Gateway.
It is hard to make it all work with http because iRedMail set everything up on https.
In the log I get an error for FastCGI, so I assume that's why akvarij.eu doesn't work:
*27 connect() to unix:/var/run/php-fpm/www.sock failed (2: No such file or directory) while connecting to upstream, client: 84.52.167.179, server: akvarij.eu, request: "GET /favicon.ico HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm/www.sock:", host: "akvarij.eu", referrer: "https://akvarij.eu/"

1 Like

OK, finally I managed to make it work.
I changed the FastCGI line for the Vanilla forum to what iRedMail has set up and now it works.
Thank you all for the guidance and help. I need to learn a lot more about nginx and Let's Encrypt.
I changed the first line to the second one:
fastcgi_pass unix:/var/run/php-fpm/www.sock;
fastcgi_pass 127.0.0.1:9999;

1 Like
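As an added example (not from the thread, nginx or iRedMail), a small pre-reload check that walks the fastcgi_pass/proxy_pass/uwsgi_pass targets in an nginx -T dump and flags unix sockets that do not exist on disk, which is exactly the mismatch behind the 502 and the "No such file or directory" log line above; the configuration excerpt is constructed from the two fastcgi_pass lines in the final post.

```python
"""Pre-reload check of upstream targets in an nginx config dump (the text
`sudo nginx -T` prints). Added example, not from the thread, nginx or
iRedMail; the config excerpt is constructed from the thread's two lines."""
import os
import re

PASS_RE = re.compile(r"\b(fastcgi_pass|proxy_pass|uwsgi_pass)\s+([^;]+);")

def upstreams(config_text):
    """Return (directive, target) pairs, skipping commented-out lines."""
    found = []
    for line in config_text.splitlines():
        m = PASS_RE.search(line.split("#", 1)[0])  # drop trailing comments
        if m:
            found.append((m.group(1), m.group(2).strip()))
    return found

def check_target(target, exists=os.path.exists):
    """None if the target looks usable, else a short problem description.
    `exists` is injectable so the check can run against a fake filesystem."""
    if target.startswith("unix:"):
        path = target[len("unix:"):]
        # Missing socket = the thread's "connect() to unix:... failed
        # (2: No such file or directory)" and the resulting 502.
        return None if exists(path) else f"socket {path} does not exist"
    hostport = target.split("://", 1)[-1].split("/", 1)[0]
    _host, sep, port = hostport.rpartition(":")
    if sep and not (port.isdigit() and 0 < int(port) < 65536):
        return f"bad port in {target!r}"
    return None  # named upstream or host without port: nginx resolves it

def find_problems(config_text, exists=os.path.exists):
    """List (directive, target, problem) for every unusable upstream."""
    problems = []
    for directive, target in upstreams(config_text):
        problem = check_target(target, exists)
        if problem:
            problems.append((directive, target, problem))
    return problems

# Constructed excerpt: Vanilla's original line next to the iRedMail one.
SAMPLE = """
location ~ \\.php$ { fastcgi_pass unix:/var/run/php-fpm/www.sock; }  # Vanilla
# fastcgi_pass unix:/old.sock;
location ~ \\.php$ { fastcgi_pass 127.0.0.1:9999; }  # iRedMail
"""
```

Run find_problems on the real nginx -T output before reloading; a TCP target such as 127.0.0.1:9999 still needs php-fpm listening there, which this check does not probe.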