Either your DNS subzone for store is not properly delegated to Cloudflare or there is some other issue,
but either way it's nowt to do with yer other cert stuff,
which seems suspect; the operator of that server would need to get/add the cert for images.yourdomain to his list
(are these 3rd parties even aware you're pointing your names at their servers?)
Hey,
I was having this same problem a minute ago but just troubleshot it. The problem seems to be you're including multiple domains on the same certificate (not sure if this is allowed but if so you're #doingitwrong ). Anyways, the solution (which may vary as I run Debian/Apache) if using sudo ./letsencrypt-auto --apache (assuming the menu is the same for nginx) is:
1. delete /etc/letsencrypt/renewal/*
2. run sudo ./letsencrypt-auto --apache
3. when the menu comes up with all the available domains to encrypt, only select 1 and hit enter (you'll see a message about the renewal item you just deleted, this is good)
4. repeat as necessary for all domains individually
Then when you look in /etc/letsencrypt/renewal you will see multiple instead of just one and the server should serve what's appropriate after that.
Having multiple domains on one certificate is perfectly fine and allows you to serve clients without SNI support. Whether or not it makes sense to have one "big" certificate or multiple small ones depends on many things - for example, how often are new domains added? How many domains and subdomains are you using? etc.
Hello pfg,
As I said above, I don't know whether it's allowed or not, but if it is, letsencrypt is doing it wrong. This is the issue: when they are all lumped together in one, it's only serving one, not all of them. That is specifically why my solution works. So in this particular case it does not make sense to have multiple domains in one certificate because all that's getting served is a certificate for one domain.
Not sure I follow. A certificate can have any number of subjectAltNames (SAN), and there are no special rules that prohibit different domains from appearing on the same certificate. There's nothing inherently better or worse about setting things up like that, it all depends on the circumstances.
Let me put it another way. Lumped together on the same certificate with letsencrypt you can get the aforementioned error; separately on multiple certificates you don't.
If you get a certificate mismatch error because you've put more than one domain name on your Let's Encrypt certificate, the error is in your web server configuration, not with the certificate. It is entirely possible, practical, and appropriate to combine multiple hostnames (including multiple domains) into a single certificate, and to do so without client errors; I'm doing it, as I'm sure are many others.
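To make concrete what the replies above are arguing (one SAN certificate serves several hostnames, and a "wrong certificate" error comes from which certificate the server hands out, not from the certificate itself), here is an added example that is not part of the thread and not Let's Encrypt or Apache code. It models the server's SNI-based virtual-host selection and the client's SAN check in plain Python; every certificate, hostname and vhost table in it is constructed sample data.

```python
# Added example (not from the thread): a stand-alone model of how a TLS server
# chooses which certificate to present for a name, and how the client then
# checks the presented certificate's subjectAltName (SAN) list. Every
# certificate and hostname below is constructed sample data.

from typing import Optional


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style comparison: exact DNS name, or a wildcard that stands in
    for exactly one leftmost label (so *.example.test covers store.example.test
    but neither example.test nor a.b.example.test)."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]                      # ".example.test"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return san == hostname


def cert_covers(cert: dict, hostname: str) -> bool:
    """What a browser does after the handshake: the requested host must match
    at least one SAN entry, otherwise it reports a name-mismatch error."""
    return any(san_matches(s, hostname) for s in cert["sans"])


# Constructed certificates: one "combined" certificate carrying several
# hostnames, and two narrower ones that split the same names.
CERT_COMBINED = {"name": "combined",
                 "sans": ["example.test", "www.example.test",
                          "store.example.test", "images.example.test"]}
CERT_MAIN = {"name": "main-only", "sans": ["example.test", "www.example.test"]}
CERT_STORE = {"name": "store-only", "sans": ["store.example.test"]}

# A virtual-host table as a list of (server names, certificate). As in Apache
# and nginx, the first entry doubles as the default used when no server name
# matches the SNI value, or when the client sent no SNI at all.
SPLIT_OK = [(["example.test", "www.example.test"], CERT_MAIN),
            (["store.example.test"], CERT_STORE)]
SPLIT_BROKEN = [(["example.test", "www.example.test"], CERT_MAIN)]  # store vhost never configured
COMBINED = [(["example.test", "www.example.test",
              "store.example.test", "images.example.test"], CERT_COMBINED)]


def select_cert(vhosts, sni_name: Optional[str]) -> dict:
    """Server side: the vhost whose ServerName matches SNI, else the default."""
    if sni_name is not None:
        for names, cert in vhosts:
            if sni_name.lower() in (n.lower() for n in names):
                return cert
    return vhosts[0][1]


def handshake(vhosts, hostname: str, send_sni: bool = True):
    """Simulate one connection: (certificate presented, does the client accept it?)."""
    cert = select_cert(vhosts, hostname if send_sni else None)
    return cert["name"], cert_covers(cert, hostname)


if __name__ == "__main__":
    for label, table in (("split, correct", SPLIT_OK),
                         ("split, store vhost missing", SPLIT_BROKEN),
                         ("one combined cert", COMBINED)):
        for host in ("www.example.test", "store.example.test"):
            for sni in (True, False):
                print(f"{label:28} {host:20} sni={sni!s:5} -> {handshake(table, host, sni)}")
```

Running it shows the three cases side by side: per-host certificates work only when every name has its own correctly bound vhost and the client sends SNI; leave the store vhost out (or connect without SNI) and the default vhost's certificate is presented, which is exactly the mismatch the earlier poster saw; the single combined certificate is accepted for every name with or without SNI, because selection no longer matters.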