Configuring SSL for domain and subdomain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: tangohub.app

I ran this command: sudo certbot -v -i nginx certonly --dns-route53 -d *.tangohub.app

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-route53, Installer nginx
Requesting a certificate for *.tangohub.app
Performing the following challenges:
dns-01 challenge for tangohub.app
Waiting for verification...
Cleaning up challenges
Reloading nginx server after certificate issuance

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/tangohub.app-0001/fullchain.pem
Key is saved at: /etc/letsencrypt/live/tangohub.app-0001/privkey.pem
This certificate expires on 2023-01-03.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

If you like Certbot, please consider supporting our work by:

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): reza@www:~$ certbot --version
certbot 1.31.0

Hi there, The issue is I am not sure my configuration is correct. Because I am using www.tangohub.app and staging.tangohub.app, trying to use a wildcard, I use *.tangohub.app in the configuration. Also, I don't know if the SSL certificate is written on the Nginx for each website. Would you please help me with this issue?

Could you please elaborate/explain what your issue is? In your output I'm seeing that your certificate has been created without any issue. In fact, it's probably the SECOND certificate issued already, looking at the -0001 suffix.

6 Likes

I think you should omit certonly from that command. That means to only get a cert and not install it. Yet, you've also said to use the nginx installer with -i switch. I think the nginx plug-in installer will not do anything when certonly is specified.

But, I don't have a system that I can test that exact combo with.

6 Likes

Correct. With the certonly subcommand, the installer will only be used to present the user a list of possible hostnames to get a certificate for and (since a certain version) reload the webserver.

As far as I know, this specific aspect (what an installer does do when using certbot) is not documented in the Certbot user guide, although the Getting certificates (and choosing plugins) section does mention that using certonly means Certbot will NOT install the certificate into the webserver.

7 Likes

Please show the output of:
certbot certificates

5 Likes

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: tangohub.app-0001
Serial Number: 3e553d460ea99f61ed91628096b9156fbac
Key Type: RSA
Domains: *.tangohub.app
Expiry Date: 2023-01-03 16:42:11+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/tangohub.app-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/tangohub.app-0001/privkey.pem
Certificate Name: tangohub.app
Serial Number: 47a96e049db30218918475d30234a17cb36
Key Type: RSA
Domains: tangohub.app www.tangohub.app
Expiry Date: 2022-12-09 17:29:05+00:00 (VALID: 64 days)
Certificate Path: /etc/letsencrypt/live/tangohub.app/fullchain.pem
Private Key Path: /etc/letsencrypt/live/tangohub.app/privkey.pem


Tangohub.app and www.tangohub.app were created before. I wanted to create a wildcard certificate so that I can have dev.tangohub.app and staging.tangohub.app on the same virtual server.

It probably didn't install the certificate for you.
Nor did it create the corresponding HTTPS vhosts.
We can check the nginx config with the output of:
nginx -T

5 Likes

nginx -T.txt (15.9 KB)

As suspected, the only cert in use covers the names: www.tangohub.app & tangohub.app

As an example, to create the staging HTTPS vhost you could edit the file:
/etc/nginx/sites-enabled/staging.tangohub.app
And make it look like the file:
/etc/nginx/sites-enabled/www.tangohub.app
[which has two vhosts (server blocks) in it]

You would only need to change the HTTPS vhost server names, root, and cert files to match:

        server_name staging.tangohub.app;
        root /var/www/staging.tangohub.app/html;
        ssl_certificate /etc/letsencrypt/live/tangohub.app-0001/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/tangohub.app-0001/privkey.pem;

then restart/reload nginx

5 Likes

Thank you, RG305, for your reply.
I have created the SSL certificate for www.tangohub.app and tangohub.app, but for the future, how can I create a wildcard with Certbot? This way, it will cover all subdomains.
This way, I can point all nginx config certifications to one directory.
Thank you.

1 Like

It looks like you created one with the command in your first post. Above is the output of certbot certificates display and the "Domains" shows a wildcard. But, your nginx was (and still is) configured to use the non-wildcard you got earlier.

rg305 showed the correct nginx lines to use that wildcard. Have you made those changes?

Also, wildcard certs only cover subdomains - not the apex domain name. Usually with certbot you would specify -d tangohub.app -d *.tangohub.app so both are covered.

5 Likes

So -d tangohub.app is a wildcard?
In other words, the domain apex, in this case, acts as a wildcard, and I can use the SSL certification for all subdomains.
Please correct me if I'm wrong.

No, -d *.tangohub.app is the wildcard. But it only covers subdomains like:

a.tangohub.app
www.tangohub.app

and so on. It would not work for requests just to the apex like

https://tangohub.app

Generally you specify both on the certbot request as many people like using their apex too

6 Likes
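As an added example (not from the thread), the coverage rule from the two replies above, applied to the `certbot certificates` output quoted earlier: a wildcard SAN matches exactly one non-empty leftmost label, so `*.tangohub.app` covers `www`/`staging`/`dev` but not the apex, and only the older `tangohub.app` certificate covers the apex. The certbot output is reconstructed from the thread; the function names are my own.

```python
# Which certificate covers a hostname, judged by its SAN list. Wildcard rule
# (RFC 6125): '*' is only the whole leftmost label and matches exactly one
# non-empty label, so '*.tangohub.app' covers 'www.tangohub.app' but not the
# apex 'tangohub.app' nor 'a.b.tangohub.app'.

# Constructed from the 'certbot certificates' output quoted in the thread.
CERTBOT_CERTIFICATES_OUTPUT = """\
Found the following certs:
  Certificate Name: tangohub.app-0001
    Domains: *.tangohub.app
  Certificate Name: tangohub.app
    Domains: tangohub.app www.tangohub.app
"""

def parse_certbot_domains(output: str) -> dict[str, list[str]]:
    """Map each 'Certificate Name' to the names on its 'Domains:' line."""
    certs: dict[str, list[str]] = {}
    current = None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Certificate Name:"):
            current = line.split(":", 1)[1].strip()
            certs[current] = []
        elif line.startswith("Domains:") and current is not None:
            certs[current] = line.split(":", 1)[1].split()
    return certs

def san_covers(san: str, host: str) -> bool:
    """True if one SAN entry (exact name or leftmost-label wildcard) matches host."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host                     # plain name: exact match only
    suffix = san[1:]                           # '*.tangohub.app' -> '.tangohub.app'
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]               # what the '*' would stand for
    return label != "" and "." not in label    # exactly one non-empty label

def certs_covering(host: str, certs: dict[str, list[str]]) -> list[str]:
    """Names of the certificates whose SAN list covers host (possibly none)."""
    return [name for name, sans in certs.items()
            if any(san_covers(san, host) for san in sans)]

if __name__ == "__main__":
    certs = parse_certbot_domains(CERTBOT_CERTIFICATES_OUTPUT)
    for h in ("tangohub.app", "www.tangohub.app", "staging.tangohub.app", "a.b.tangohub.app"):
        print(f"{h:22} -> {certs_covering(h, certs) or 'NOT COVERED'}")
```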

Thank you for the clarification.

2 Likes

I made the suggested changes based on RG305's recommendations and the nginx service is down.
Please see the attached staging configurations and the error.
Errors.txt (11.3 KB)
staging.tangohub.txt (1.6 KB)

2022/10/06 13:51:43 [emerg] 322129#322129: duplicate listen options for [::]:443 in /etc/nginx/sites-enabled/www.tangohub.app:31

We should look at that file.

3 Likes

Line 31 is: listen [::]:443 ssl ipv6only=on; # managed by Certbot
www.tangohub.txt (1.6 KB)

I have not changed the www.tangohub.app configuration. Wondering why now there is an error.

I think the problem might be related to using "ipv6only=on".

2 Likes
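As an added example (not from the thread), a small checker for the rule behind that `[emerg]`: nginx accepts socket-level `listen` parameters such as `ipv6only=on` on only one `listen` directive per address:port, so copying the www server block into the staging file with that parameter left in produces "duplicate listen options for [::]:443". The config text below is constructed to mirror the thread's two vhosts; the function names are my own.

```python
import re

# Socket-level listen parameters: nginx accepts each of these on only ONE
# listen directive per address:port, or it fails with "duplicate listen
# options". ssl, http2 and default_server are not in this group and may repeat.
SOCKET_OPTS = {"bind", "backlog", "rcvbuf", "sndbuf", "accept_filter",
               "deferred", "ipv6only", "reuseport", "so_keepalive",
               "fastopen", "setfib"}

# Constructed config modelled on the www and staging vhosts in the thread.
SITES_ENABLED = """
server {
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl;
    server_name www.tangohub.app;
}
server {
    # copied from the www vhost with ipv6only=on left in -> nginx [emerg]
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    server_name staging.tangohub.app;
}
"""

def listen_directives(config: str):
    """Yield (address:port, [socket-level params]) for every listen line."""
    for m in re.finditer(r"^\s*listen\s+([^;#]+);", config, re.M):
        addr, *params = m.group(1).split()
        if ":" not in addr:
            addr = "*:" + addr               # bare port '443' means 0.0.0.0:443
        yield addr, [p for p in params if p.split("=")[0] in SOCKET_OPTS]

def duplicate_listen_options(config: str) -> dict[str, int]:
    """address:port -> number of listen lines carrying socket-level params,
    for every address:port where that number exceeds one."""
    counts: dict[str, int] = {}
    for addr, sock_params in listen_directives(config):
        if sock_params:
            counts[addr] = counts.get(addr, 0) + 1
    return {addr: n for addr, n in counts.items() if n > 1}

if __name__ == "__main__":
    for addr, n in duplicate_listen_options(SITES_ENABLED).items():
        print(f"[emerg] duplicate listen options for {addr} ({n} directives)")
    fixed = SITES_ENABLED.replace("listen [::]:443 ssl ipv6only=on;\n",
                                  "listen [::]:443 ssl;\n")
    print("after dropping ipv6only=on from staging:",
          duplicate_listen_options(fixed) or "no conflicts")
```

The fix mirrored here is to leave `ipv6only=on` only on the Certbot-managed www block and use plain `listen [::]:443 ssl;` in staging.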