Certificate on subdomain on specific port on different IP

I have a main domain hosted on GoDaddy which has a LetsEncrypt SSL certificate; it’s working perfectly (maindomain.com)

I have created a subdomain which points to port 30000 on another IP (subdomain.maindomain.com).
The redirect is presently http://IP:30000. I can, if necessary, make this https if it matters (but not both).

If it matters, the main domain is running CentOS 7 and the subdomain machine is running Ubuntu 16.04. The main domain is running certbot 1.5.0.

I’d like an ssl certificate that works if:
a) the user types subdomain.maindomain.com; or
b) the user goes there directly http(s)://IP:30000

I’ll happily settle for getting a) to work.
Is this possible and how?

I have full control over both machines, so I can (if only I could figure it out) do anything required for LetsEncrypt to work properly.

When I run the certbot command I’m presently using and add “-d subdomain.maindomain.com” I’m prompted if I want to expand the present certificate (I expand). I get the following error:

Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for subdomain.maindomain.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Challenge failed for domain subdomain.maindomain.com
http-01 challenge for subdomain.maindomain.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: subdomain.maindomain.com
    Type: connection
    Detail: Fetching
    http://subdomain.maindomain.com/.well-known/acme-challenge/uw2xTPbJj4SDuU-hKsKxzIzQhDR8ksKI_C6zYQ8PsRk:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

Thanks

Andrew

1 Like

It’s certainly possible to get a certificate for your subdomain. However, you say it redirects to an IP address? Unfortunately, it’s currently not possible to get a certificate with an IP address in the Subject Alternative Names with Let’s Encrypt (although I think it’s on their todo list…).

So while it’s possible to get a certificate which includes your subdomain, your redirect to the IP address will be insecure. (Unless you get a non-Let’s Encrypt certificate for that.)

1 Like

You need port 80 to get your certificate with http-01 challenge (or 443 for tls-alpn-01, or a dns api for dns-01).

Then, after you obtain your certificate, you can use it on port 3000.

So, on the ubuntu machine you need to get a certificate for subdomain.maindomain.com either via http-01 using port 80, or via dns challenge.

Then you’ll configure whatever software listens on port 3000 to use the certificate, and users can connect to https://subdomain.maindomain.com:3000

The most I can offer you for this is to redirect http://IP:3000 to https://subdomain.maindomain.com:3000. In future you’ll be able to get certificates for a raw IP, but not today.

1 Like

So I’m a bit lost.

I changed the GoDaddy subdomain to point to the IP and when I put subdomain.maindomain.com in a browser it redirects me to the Apache2 default page on the subdomain’s server (as it should).

The error message when I run certbot (after it asks me if I want to expand my current certificate) is:

Waiting for verification…
Challenge failed for domain subdomain.maindomain.com
http-01 challenge for subdomain.maindomain.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: subdomain.maindomain.com
    Type: connection
    Detail: Fetching
    http://IP-subdomain/.well-known/acme-challenge/zYIz51SyQdCAJXuCZvs7kH_fY-1CLBPtukubRmmJdlk:
    Invalid host in redirect target “IP-Subdomain”. Only domain
    names are supported, not IP addresses

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

Help?

Do not redirect to IP addresses. :wink:

You have a domain, use the domain.

And if you put subdomain.maindomain.com:3000 it goes to the other app. There is absolutely no need to redirect to SOME_IP:3000 when the subdomain points to that SOME_IP and you can use subdomain.maindomain.com:3000.

1 Like

Perhaps I’m being confusing. The error message above, "Invalid host in redirect target “IP-Subdomain”", was the error message from certbot with the IP of the subdomain (which I’m just choosing not to show - I get enough activity with fail2ban as it is). Certbot knew the correct IP, it just didn’t like … something. I was using -d subdomain.maindomain.com in the certbot command, not an IP.

GoDaddy has users set up a subdomain on their DNS page in a special ‘set up subdomain section’.

One gets to choose
a) the subdomain name
b) Forward to - choice of http/https and the IP (and a port if required as in my final case)
c) Forward type - permanent 301 or temp 302
d) settings forward only or forward with masking (I’m not masking)

If I set the subdomain up with the 30K port I get the original error message.
If I set the subdomain up to simply point to the IP (no port in step b) I get the last error message to which you responded. The forward does go to the default Apache page if I try it in a browser.

My certbot command uses the original text I had with -d subdomain.maindomain.com added. I’m not using an IP in the certbot command.

So, I’m confused (based on your responses and you clearly know worlds more about this than I do) about:
what I should have in step b) at least initially and next what I need to tell certbot to add the subdomain to my certs.

Thanks.

Andrew

1 Like

It doesn’t like that it is an IP address. You need to use a domain name, without redirecting to an IP address.

You should choose neither. You need to go in your DNS panel and add an “A” record with host “subdomain” and address the ipv4 you want (ttl the lowest possible, probably 300) (add an AAAA record if you also want to add an ipv6 address).

1 Like
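To make the rule in the replies concrete, here is an added example (not code from this thread or from Let’s Encrypt’s Boulder) that models how the validation server treats the redirect targets from the two GoDaddy “forward” setups versus a plain A record. The 203.0.113.10 address, the token and the hostnames are constructed placeholders, and the port-80/443 rule for redirect targets is an assumption beyond what the thread states.

```python
import ipaddress
from urllib.parse import urlsplit

ACME_PATH = "/.well-known/acme-challenge/"
ALLOWED_PORTS = {80, 443}  # assumption: redirects only followed to 80/443

def check_redirect_target(location):
    """Return None if a Location header is acceptable, else the rejection reason."""
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https"):
        return f"Invalid protocol scheme in redirect target {parts.scheme!r}"
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)  # accepts IPv4 and bracketed IPv6 literals
    except ValueError:
        pass  # not an IP literal, so it is a domain name, which is what is required
    else:
        return (f"Invalid host in redirect target {host!r}. "
                "Only domain names are supported, not IP addresses")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return f"Invalid port in redirect target {port}"
    return None

def simulate_http01(start_url, responses):
    """Walk a constructed {url: (status, location_or_body)} table the way the
    validator would follow redirects, returning (ok, detail)."""
    url = start_url
    for _ in range(10):  # redirect limit (assumed value)
        if url not in responses:
            return False, f"Timeout during connect fetching {url}"
        status, payload = responses[url]
        if status in (301, 302, 307, 308):
            reason = check_redirect_target(payload)
            if reason:
                return False, reason
            url = payload
            continue
        if status == 200:
            return True, f"Key authorization served from {url}"
        return False, f"Invalid response from {url}: {status}"
    return False, "Too many redirects"

# Constructed scenarios: GoDaddy forwarding to the bare IP, forwarding to a
# hostname on port 30000, and a real A record with the webroot on port 80.
TOKEN = "EXAMPLE_TOKEN"
CHALLENGE = "http://subdomain.maindomain.com" + ACME_PATH + TOKEN
FORWARD_TO_IP = {CHALLENGE: (302, "http://203.0.113.10" + ACME_PATH + TOKEN)}
FORWARD_TO_PORT = {CHALLENGE: (302, "http://app.maindomain.com:30000" + ACME_PATH + TOKEN)}
A_RECORD = {CHALLENGE: (200, TOKEN + ".<account-key-thumbprint>")}
```

Only the A-record scenario passes; both forwarding setups are rejected before any content is fetched, which matches the “Only domain names are supported” error quoted above.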

I thought once Let’s Encrypt accepted redirects to IP addresses? It accepts redirects to entirely different hostnames unrelated to the certificate, so I’m not seeing the difference with an IP address.

Before 19 November 2018 there wasn’t such a check for IP addresses as far as I can tell: https://github.com/letsencrypt/boulder/blob/c92bf8c051f51cb9a07d9176fc5dd2c90d36fb48/va/va.go#L422-L486 I think it was added in https://github.com/letsencrypt/boulder/pull/3939 but perhaps there was a check before somewhere else but the function I highlighted in va.go from before the PR. Perhaps @cpu – as the author of that PR – could shed some light on this?

3 Likes

I’m afraid I don’t remember any additional context about blocking redirects to bare IP addresses. I think it was likely just a judgement call.

2 Likes

@cpu Thanks for your insight. Would you perhaps know who might know more? I don’t want to tag the whole LE staff :stuck_out_tongue: Although this might be a little bit off-topic :roll_eyes:

3 Likes

@jsha Do you happen to remember more about why we decided to block bare IP address redirects back in Nov 2018?

2 Likes

I believe we found that it had never worked, because of the way we customize our DNS lookups to record the specific IP address we contacted. I think the Nov 2018 change was just to make that more explicit and give a better error message to the user.

5 Likes
