Confused after installing WildCard certificate on two domains

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
*.lsl-technology.com
*.collegiansfc.org

I ran this command:
certbot certonly --manual --preferred-challenges dns

It produced this output:
I did exactly the same for both domains and have exactly the same issue with both. I did each domain independently, not at the same time.
I was prompted to insert the wildcard domain that I wanted a certificate for. I inserted the domains as shown above.
I was prompted to create an _acme TXT record for each domain, and the process then completed successfully.
The following entries were added to each nginx site config file.
root@dunnsland:~# grep ssl_certificate /etc/nginx/sites-enabled/collegiansfc
ssl_certificate /etc/letsencrypt/live/collegiansfc.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/collegiansfc.org/privkey.pem; # managed by Certbot

root@dunnsland:~# grep ssl_certificate /etc/nginx/sites-enabled/lsltech
ssl_certificate /etc/letsencrypt/live/lsl-technology.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/lsl-technology.com/privkey.pem; # managed by Certbot

The issue is when I open a browser to both of the domains I am told that the site is not secure.
I have carried out an SSL Check on both domains and see the following error, but have no clue what is wrong.


Running certbot certificates I see the following.
Found the following certs:
Certificate Name: collegiansfc.org
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key Type: ECDSA
Domains: *.collegiansfc.org
Expiry Date: 2025-01-31 21:18:25+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/collegiansfc.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/collegiansfc.org/privkey.pem

Certificate Name: lsl-technology.com
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key Type: ECDSA
Domains: *.lsl-technology.com
Expiry Date: 2025-01-31 08:45:16+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/lsl-technology.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/lsl-technology.com/privkey.pem

My web server is (include version):
nginx version: nginx/1.24.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 24.04.1 LTS
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.9.0

I hope someone has some advice for me.
Thanks
Lawrence

1 Like

Yes, the problem is you ONLY requested the wildcard name for the cert.

So, cert for *.lsl-technology.com is for names like

www.lsl-technology.com
mail.lsl-technology.com
myfavorite.lsl-technology.com

but NOT

lsl-technology.com

The asterisk in the name matches any name at that level only.

When you request the cert you need to include both the apex name itself and the wildcard if you need to cover both kinds.

4 Likes
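As an added illustration of the one-label wildcard rule described in the reply above (this is not code from the thread or from Certbot; the domain names are the ones in the thread, the function names are mine), the following checks which hostnames a SAN list covers:

```python
# Wildcard SAN matching, added here to illustrate the reply above.
# Domain names are the ones from the thread; function names are mine.
from __future__ import annotations


def hostname_matches_san(hostname: str, san: str) -> bool:
    """True if `hostname` is covered by the certificate SAN entry `san`.

    Browser / RFC 6125 rule: '*' is allowed only as the whole leftmost
    label and matches exactly one label, so it never matches the apex
    (zero labels) or a deeper name (two or more labels).
    """
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if "*" in pattern and (pattern[0] != "*" or "*" in pattern[1:] or len(pattern) < 3):
        return False  # partial (w*.example), non-leftmost or too-broad wildcards rejected
    if len(host) != len(pattern):
        return False  # '*' consumes exactly one label
    return all(p == "*" or p == h for h, p in zip(host, pattern))


def covering_san(hostname: str, sans: list[str]) -> str | None:
    """Return the first SAN that covers `hostname`, or None if a browser
    would show the 'not secure' warning for that name."""
    for san in sans:
        if hostname_matches_san(hostname, san):
            return san
    return None


def coverage_report(sans: list[str], hostnames: list[str]) -> dict[str, str | None]:
    """Map each hostname to the SAN covering it (None = not covered)."""
    return {h: covering_san(h, sans) for h in hostnames}


if __name__ == "__main__":
    # What the thread's certificate actually contains (per `certbot certificates`)
    issued = ["*.lsl-technology.com"]
    # What a re-issued certificate would contain after requesting both names, e.g.
    #   certbot certonly --manual --preferred-challenges dns \
    #       -d lsl-technology.com -d '*.lsl-technology.com'
    fixed = ["lsl-technology.com", "*.lsl-technology.com"]
    names = ["lsl-technology.com", "www.lsl-technology.com", "a.b.lsl-technology.com"]
    for label, sans in (("issued", issued), ("fixed", fixed)):
        print(label, coverage_report(sans, names))
```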

Welcome to the Let's Encrypt Community! :slightly_smiling_face:

A certificate is not required to cover the apex or "base" domain name in order to cover a wildcard of that apex. Usually it is the case, but no, it's not required.

Please do not advertise third-party, web-based certificate issuance services. They usually violate the Let's Encrypt subscriber agreement.

3 Likes

Thanks for your reply, but so that I am not misunderstanding what you are saying:
should I add *.lsl-technology.com, www.lsl-technology.com and lsl-technology.com to cover the wildcard and the alternative names that are needed?

Is this correct?
Thanks
Lawrence

2 Likes

You cannot have both www (or any specific subdomain) and a wildcard at the same level.

3 Likes

Can I update the current certificate, or do I have to re-create a new certificate?

Lawrence

1 Like

Oh, have I done that? I have no clue... Please clarify.

Thanks
Lawrence

2 Likes

Not you. :slightly_smiling_face: You're fine.

3 Likes

Thanks again for your great help and support.

2 Likes

You can never update/modify a certificate, only request a new one. Even a "renewal" is just a new certificate that happens to cover the same SANs as an existing certificate.

I'm referring to updating an actual certificate, not a "certificate lineage" à la certbot, which can be updated.

3 Likes

Happy to help. :blush:

4 Likes

Thanks

3 Likes

Please see the line I added about lineage.

3 Likes
