I have a main domain hosted on GoDaddy which has a LetsEncrypt SSL certificate; it’s working perfectly (maindomain.com).
I have created a subdomain which points to port 30000 on another IP (subdomain.maindomain.com).
The redirect is presently http://IP:30000. I can, if necessary, make this https if it matters (but not both).
If it matters, the main domain is running CentOS 7 and the subdomain machine is running Ubuntu 16.04. The main domain is running certbot 1.5.0.
I’d like an ssl certificate that works if:
a) the user types subdomain.maindomain.com; or
b) the user goes there directly http(s)://IP:30000
I’ll happily settle for getting a) to work.
Is this possible and how?
I have full control over both machines, so I can (if only I could figure it out) do anything required for LetsEncrypt to work properly.
When I run the certbot command I’m presently using and add “-d subdomain.maindomain.com” I’m prompted if I want to expand the present certificate (I expand). I get the following error:
Do you want to expand and replace this existing certificate with the new
certificate?
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
It's certainly possible to get a certificate for your subdomain. However, you say it redirects to an IP address? Unfortunately, it's currently not possible to get a certificate with an IP address in the Subject Alternative Names with Let's Encrypt (although I think it's on their to-do list...).
So while it's possible to get a certificate which includes your subdomain, your redirect to the IP address will be insecure. (Unless you get a non-Let's Encrypt certificate for that.)
You need port 80 to get your certificate with http-01 challenge (or 443 for tls-alpn-01, or a dns api for dns-01).
Then, after you obtain your certificate, you can use it on port 3000.
So, on the Ubuntu machine you need to get a certificate for subdomain.maindomain.com either via http-01 using port 80, or via dns challenge.
Then you'll configure whatever software listens on port 3000 to use the certificate, and users can connect to https://subdomain.maindomain.com:3000
The most I can offer you for this is to redirect http://IP:3000 to https://subdomain.maindomain.com:3000. In future you'll be able to get certificates for a raw IP, but not today.
I changed the GoDaddy subdomain to point to the IP and when I put subdomain.maindomain.com in a browser it redirects me to the Apache2 default page on the subdomain’s server (as it should).
The error message when I run certbot (after asking me if I want to expand my current certificate) is:
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
And if you put subdomain.maindomain.com:3000 it goes to the other app. There is absolutely no need to redirect to SOME_IP:3000 when the subdomain points to that SOME_IP and you can use subdomain.maindomain.com:3000.
Perhaps I’m being confusing. The error message above, "Invalid host in redirect target IP-Subdomain", was the error message from certbot with the IP of the subdomain (which I’m just choosing not to show - I get enough activity with fail2ban as it is). Certbot knew the correct IP, it just didn’t like … something. I was using -d subdomain.maindomain.com in the certbot command, not an IP.
GoDaddy has users set up a subdomain on their DNS page in a special ‘set up subdomain section’.
One gets to choose
a) the subdomain name
b) Forward to - choice of http/https and the IP (and a port if required as in my final case)
c) Forward type - permanent 301 or temp 302
d) Settings - forward only or forward with masking (I’m not masking)
If I set the subdomain up with the 30K port I get the original error message.
If I set the subdomain up to simply point to the IP (no port in step b) I get the last error message to which you responded. The forward does go to the default Apache page if I try it in a browser.
My certbot command uses the original text I had with -d subdomain.maindomain.com added. I’m not using an IP in the certbot command.
So, I’m confused (based on your responses and you clearly know worlds more about this than I do) about:
what I should have in step b) at least initially and next what I need to tell certbot to add the subdomain to my certs.
It doesn't like that it is an IP address. You need to use a domain name, without redirecting to an IP address.
You should choose neither. You need to go in your DNS panel and add an "A" record with host "subdomain" and address the IPv4 you want (TTL the lowest possible, probably 300) (add an AAAA record if you also want to add an IPv6 address).
I thought once Let's Encrypt accepted redirects to IP addresses? It accepts redirects to entirely different hostnames unrelated to the certificate, so I'm not seeing the difference with an IP address.
@cpu Thanks for your insight. Would you perhaps know who might know more? I don’t want to tag the whole LE staff, although this might be a little bit off-topic.
I believe we found that it had never worked, because of the way we customize our DNS lookups to record the specific IP address we contacted. I think the Nov 2018 change was just to make that more explicit and give a better error message to the user.
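An added example, not written by any poster in this thread, that models offline the validation rule the thread lands on: an http-01 validator will follow a redirect to another hostname but refuses one whose target host is a bare IP literal, which is what GoDaddy's "forwarding" setup produced and why certbot reported "Invalid host in redirect target". The sample responses, the 203.0.113.10 address and the TOKEN placeholder are constructed; the 80/443 port restriction is Let's Encrypt's documented rule for followed redirects and is an assumption beyond what the thread states.

```python
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit


def redirect_target_problem(location: str) -> Optional[str]:
    """Return None when an http-01 validator would follow this redirect,
    otherwise the reason it would refuse it."""
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https"):
        return f"unsupported scheme {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return "missing host in redirect target"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a hostname: redirects to other hostnames are followed
    else:
        return f"Invalid host in redirect target {host!r}"  # IP literal
    # Assumption: only redirects to ports 80 and 443 are followed.
    if parts.port not in (None, 80, 443):
        return f"redirect to port {parts.port}; only 80 and 443 are followed"
    return None


def simulate_http01(status: int, location: Optional[str]) -> Tuple[bool, str]:
    """Classify the first response the validator receives for
    http://<subdomain>/.well-known/acme-challenge/<token>."""
    if status == 200:
        return True, "challenge file served directly by the A-record host"
    if status in (301, 302, 303, 307, 308):
        if location is None:
            return False, "redirect without a Location header"
        problem = redirect_target_problem(location)
        if problem:
            return False, problem
        return True, f"redirect to {urlsplit(location).hostname} will be followed"
    return False, f"unexpected HTTP status {status}"


# Constructed sample responses for the setups discussed in the thread.
# 203.0.113.10 is a documentation address standing in for the subdomain's IP.
SETUPS = {
    "godaddy_forward_with_port": (302, "http://203.0.113.10:30000/.well-known/acme-challenge/TOKEN"),
    "godaddy_forward_ip_only": (302, "http://203.0.113.10/.well-known/acme-challenge/TOKEN"),
    "forward_to_other_hostname": (301, "https://other.example.net/.well-known/acme-challenge/TOKEN"),
    "a_record_no_forwarding": (200, None),
}

if __name__ == "__main__":
    for name, (status, location) in SETUPS.items():
        ok, reason = simulate_http01(status, location)
        print(f"{name:28s} {'OK  ' if ok else 'FAIL'} {reason}")
```

Only the plain A record (and a forward to a real hostname) passes; both GoDaddy forwarding variants fail on the IP literal before the port is even considered.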