Creating a certificate for subdomains

My domain is: gldn.page
There are 9 others with certificates on the same server. IP: 5.101.140.50

My web server is (include version):
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2021-10-14T16:24:43

The operating system my web server runs on is (include version):
Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-90-generic x86_64)

My hosting provider, if applicable, is:
Dedicated Server on UKServers

I can login to a root shell on my machine (yes or no, or I don't know):
Yes, through SSH

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No.

The version of my client is (e.g. output of c or certbot-auto --version if you're using Certbot):
certbot 1.21.0

Thanks to your help, I now have a clean set of certificates :slight_smile:

root@Ubuntu20:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: bot10x.com
Serial Number: 41e23f72c2017ba454e4196bdfe9fd70bd3
Key Type: RSA
Domains: bot10x.com www.bot10x.com
Expiry Date: 2022-02-19 08:57:24+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/bot10x.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/bot10x.com/privkey.pem
Certificate Name: chitchatmedia.net
Serial Number: 3f00e267c3bb9695dc2decab08ce0c83975
Key Type: RSA
Domains: chitchatmedia.net www.chitchatmedia.net
Expiry Date: 2022-02-19 08:59:18+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/chitchatmedia.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/chitchatmedia.net/privkey.pem
Certificate Name: cybxpert.com
Serial Number: 37a1964c14fe864f5538063653f26d5d4e1
Key Type: RSA
Domains: cybxpert.com www.cybxpert.com
Expiry Date: 2022-02-19 08:59:47+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/cybxpert.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cybxpert.com/privkey.pem
Certificate Name: expressresponse.net
Serial Number: 318f536a25f7b449e41d9d968490fd01295
Key Type: RSA
Domains: www.expressresponse.net expressresponse.net
Expiry Date: 2022-02-19 09:03:20+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/expressresponse.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/expressresponse.net/privkey.pem
Certificate Name: gldn.page
Serial Number: 4d7937c5b11872eef45b3e2665e2c701c54
Key Type: RSA
Domains: gldn.page www.gldn.page
Expiry Date: 2022-02-13 07:26:06+00:00 (VALID: 83 days)
Certificate Path: /etc/letsencrypt/live/gldn.page/fullchain.pem
Private Key Path: /etc/letsencrypt/live/gldn.page/privkey.pem
Certificate Name: igw.news
Serial Number: 35431858ec30492a14aa93fce8100d6e512
Key Type: RSA
Domains: igw.news www.igw.news
Expiry Date: 2022-02-13 12:25:37+00:00 (VALID: 84 days)
Certificate Path: /etc/letsencrypt/live/igw.news/fullchain.pem
Private Key Path: /etc/letsencrypt/live/igw.news/privkey.pem
Certificate Name: pdg.reviews
Serial Number: 45cb71f77d3e14e5a19b586635f8ba847cb
Key Type: RSA
Domains: pdg.reviews www.pdg.reviews
Expiry Date: 2022-02-19 09:06:09+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/pdg.reviews/fullchain.pem
Private Key Path: /etc/letsencrypt/live/pdg.reviews/privkey.pem
Certificate Name: smartbiz.pro
Serial Number: 35485b1a4ef2499b66046a128035104a385
Key Type: RSA
Domains: smartbiz.pro www.smartbiz.pro
Expiry Date: 2022-02-19 09:07:12+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/smartbiz.pro/fullchain.pem
Private Key Path: /etc/letsencrypt/live/smartbiz.pro/privkey.pem
Certificate Name: ukncsa.com
Serial Number: 35b5312d395f5a874c628b4c525e9990352
Key Type: RSA
Domains: ukncsa.com www.ukncsa.com
Expiry Date: 2022-02-19 09:08:17+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/ukncsa.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ukncsa.com/privkey.pem
Certificate Name: www.reviewed.page
Serial Number: 3824bf32f419833336ccf1c35d8cdf1483a
Key Type: RSA
Domains: www.reviewed.page reviewed.page
Expiry Date: 2022-02-13 17:52:08+00:00 (VALID: 84 days)
Certificate Path: /etc/letsencrypt/live/www.reviewed.page/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.reviewed.page/privkey.pem
Certificate Name: yel.page
Serial Number: 319d1b9128b79a2ff0f4ef0913de58ef8ff
Key Type: RSA
Domains: yel.page www.yel.page
Expiry Date: 2022-02-19 09:08:52+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/yel.page/fullchain.pem
Private Key Path: /etc/letsencrypt/live/yel.page/privkey.pem


I have set up the DNS for wildcard and got Wordpress multisite running on the domain configured
for sub-domains

I searched for how to have a certificate for sub-domains and this is suggested:

certbot-auto -d *.example.com -d example.com --manual --preferred-challenges dns certonly

BUT it says cert-only
I would like to have it applied to my apache server, I usually use certbot --apache to set up the certificate.

Which is the best way to do it?

Thanks

1 Like
  • You can combine authenticator and installer plugins as explained in the certbot documentation here: User Guide — Certbot 1.21.0 documentation
  • Please don't use the certbot-auto wrapper script any longer, it has been deprecated for ages now. Please use the official certbot site for up to date installation instructions here: Certbot Instructions | Certbot
  • Please automate the DNS challenge, as the --manual plugin without any --manual-auth-hook has no way of automated renewal.
3 Likes

Thanks,
What is confusing is that I don't see any documentation for creating a certificate
for all sub-domains (maybe I just missed it? )
Should I just run
certbot --apache -w /var/www/gldn.page -d *.gldn.page

Is that correct?
or do I need to use a DNS or WebRoot authenticator.
( I don't mind either, so long as I know what I need to do )

Maybe this is better?

certbot run -a webroot -i apache -w /var/www/gldn.page -d *.gldn.page

Thanks again.

2 Likes

A wildcard certificate requires the dns-01 challenge. The webroot and apache plugins can only accomodate the http-01 challenge.

See also Challenge Types - Let's Encrypt and User Guide — Certbot 1.21.0 documentation

3 Likes

Seem to be going round and round in circles !!

At the Manual it says "

If you’d like to obtain a wildcard certificate from Let’s Encrypt or run `certbot` on a machine other than your target webserver, you can use one of Certbot’s DNS plugins.

These plugins are not included in a default Certbot installation and must be installed separately. They are available in many OS package managers, as Docker images, and as snaps. Visit [https://certbot.eff.org](https://certbot.eff.org/) to learn the best way to use the DNS plugins on your system.

Well that link just takes me to the main website to download the Certbot -- which I already have and I can not find anything about DNS plugin and there is no search box.

So, I googled it and on this page ...
https://www.digitalocean.com/community/tutorials/how-to-acquire-a-let-s-encrypt-certificate-using-dns-validation-with-acme-dns-certbot-on-ubuntu-18-04

It says that I need to install acme-dns-certbot from github

## Step 2 — Installing acme-dns-certbot

Now that the base Certbot program has been installed, you can download and install acme-dns-certbot, which will allow Certbot to operate in DNS validation mode.

Begin by downloading a copy of the script:

wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py

This appears to be a python script.

Is this the correct way to do it ?
(doesn't look right)

I must be missing something , but the manual seems to just explain how DNS authentication works but doesn't tell me what to enter at the command line or where to get the necessary plugin from.

1 Like

You can find instructions on how to use the DNS plugins on the certbot page when you click on the "wildcard" tab at the top of the instructions page. So first select your webserver and OS and when you arrive at the instructions page, click on the "wildcard" tab.

Also, if you don't actually require a wildcard certificate (i.e.: you have a known set of non-dynamic subdomains), things would be much easier, as Let's Encrypt certificates can contain up to 100 separate hostnames, so 99 subdomains if you include the apex domain too.

3 Likes

@Dave.Sintra I second @Osiris suggestion about considering just using a cert with multiple names. You have that working well for your other domains so would be easier to maintain that same pattern. Sure wildcards can be helpful but with extra complexity.

4 Likes

OK,
I see the Wildcard tab now, thanks.

But, I don't think ANY of these plugins are relevant for me as I am not hosted on
Cloudflare, Digital Ocean, Google Cloud etc etc.

I registered gldn.page through Google Domains and I have access to the the DNS
like this ...

It is pointing to my dedicated server

I can add a TXT record manually.
( I have done this before for DKIM and SPS TXT records)

Is there a way to proceed with a generic plugin or no plugin so that
it can tell me what details need to go into TXT record ?

1 Like

That is indeed a possibility. I don't have experience with Google Domains nor with Google Cloud though. A different thread (Google Domains DNS API Support? (not Google Cloud DNS)) indeed confirms that Google Domains doesn't have an API.

A few options:

  • manually add and remove the TXT record every 60-90 days with aid of the --manual plugin (not recommended, cannot be automated!);
  • use acme-dns in combination with the acme-dns-auth.py script you already found;
  • switch DNS provider to a provider which does support an API and has a certbot DNS plugin available, such as Cloudflare. As far as I know, Cloudflares DNS service (without the registration part) is free of charge;
  • don't use a wildcard certificate if that gives you the possibility to use a non-DNS challenge.
4 Likes

OK, thanks,

Well I could set up an Expansion to the certificate each time I create a new
sub-domain but that will be at least a couple of times a day.
Will I run into limits doing that?
On the positive side it will get updated automatically.

Or, I can look into Cloudflare.
I have used CF before for the certificates but they only certified from their server out to the internet,
not from my server. I will look to see if I can run it through CF

regenerated

But this may be better than having to do all of them
I think this is an area where LC can

2 Likes

Probably the 50 certs per domain per week rate limit, yes. Sounds like a wildcard certificate is your best option indeed.

Using Cloudflare for their DNS service is separate from their hosting/webservers/certificate stuff.

3 Likes

Hello.

Some good news !
I managed to get the Token from Cloudflare and used it to create a new certificate.

So I had 2 certificates:

Certificate Name: gldn.page-0001
    Serial Number: 3bff6d7a4901bd17676e627791ac6c2f9f5
    Key Type: RSA
    Domains: gldn.page *.gldn.page
    Expiry Date: 2022-02-19 18:18:14+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/gldn.page-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/gldn.page-0001/privkey.pem

  Certificate Name: gldn.page
    Serial Number: 4d7937c5b11872eef45b3e2665e2c701c54
    Key Type: RSA
    Domains: gldn.page www.gldn.page
    Expiry Date: 2022-02-13 07:26:06+00:00 (VALID: 83 days)
    Certificate Path: /etc/letsencrypt/live/gldn.page/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/gldn.page/privkey.pem

So I deleted the earlier one called gldn.page

The problem I now have is that in my sites-available directory
there is no update to the gldn.page-le-ssl.conf file.

The command I used to create the certificate was

certbot certonly --dns-cloudflare --dns-cloudflare-credentials CF.ini -d gldn.page -d *.gldn.page

Because it was certonly, I guess it did not update the apache server.

So I still have the old conf files on the sites-available directory

EG

cat /etc/apache2/sites-available/gldn.page-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin admin@gldn.page
    ServerName gldn.page
    ServerAlias www.gldn.page
    DocumentRoot /var/www/gldn.page

    #This enables .htaccess file  for WordPress Permalink to work.
        <Directory "/var/www/gldn.page">
             AllowOverride All
        </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined


Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/gldn.page/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/gldn.page/privkey.pem
</VirtualHost>
</IfModule>

How should I get this updated?

Should I just manually edit and update the file ?

Or is there a command I should run to create new .conf files ?

Thanks

2 Likes

You could try yo run certbot install --apache --cert-name gldn.page-0001 and see if it changes the options in gldn.page-le-ssl.conf.

If that works, please check the contents of /etc/letsencrypt/renewal/gldn.page-0001.conf for the presence of of a line containing installer = apache. I'm not sure if the certbot install command actually adds that to the renewal configuration file..

4 Likes

If that fails, just edit your VHOST config files and add the missing "-0001" in the path.

2 Likes

I tried running that but the --apache plugin first runs configtest which fails because of the very
thing I am trying to correct !!

So I am trying the manual edit.

1 Like

FANTASTIC !!!

All working now.

Thanks

3 Likes

Note that if the apache plugin isn't selected as installer plugin in the renewal configuration file, you'll need to either manually reload Apache after each renewal or add the command to reload Apache as a deploy hook.

3 Likes

Thanks for the heads-up

In /etc/letsencrypt/renewal/
My igw.page.conf has

authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory

But my gldn.page-0001.conf has

authenticator = dns-cloudflare
dns_cloudflare_credentials = hgfdg.ini
server = https://acme-v02.api.letsencrypt.org/directory

So, should I just edit the file and add the following line?

installer = apache

Well - I did it and it now looks like

authenticator = dns-cloudflare
installer = apache
dns_cloudflare_credentials = hgfdg.ini
server = https://acme-v02.api.letsencrypt.org/directory

Hope that is OK?

2 Likes

I think so. Next renewal the apache installer should reload your Apache automatically after the renewal.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.