Hi people who are smarter than me
My domain is cherrysofa.com; the subdomain I'm trying to add is sofa.cherrysofa.com
I ran the command
sudo certbot -d sofa.cherrysofa.com --expand
It produced this output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for sofa.cherrysofa.com
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Detail: [public ip address redacted] : Fetching http://sofa.cherrysofa.com/.well-known/acme-challenge/nlmY4DRdu60PvE1avMt_zGA2KdbrpX44TOCRVhLzdlg: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is nginx version: nginx/1.22.1
The operating system my web server runs on is Arch Linux Kernel: 6.0.12-arch1-1
I can login to a root shell on my machine
I'm not using a control panel to manage my site
The version of my client is Certbot 2.3.0
The server that the subdomain points to is proxy passed from the nginx server to a Jellyfin server.
When visiting the subdomain in its current state it gives the error NET::ERR_CERT_COMMON_NAME_INVALID
(this is what I'm trying to fix)
Port 80 needs to be open for the nginx authenticator plugin to work, as it uses the
Previously you managed to get a wildcard certificate for *.cherrysofa.com, which would also cover your subdomain sofa.cherrysofa.com. Did something change in the meantime?
Thanks for the fast reply.
Nothing had changed, I don't understand why the wildcard worked.
After allowing port 80 it worked adding the subdomain.
Maybe certbot should have "make sure port 80 points to this server" or something similar in the error message.
Trying to access sofa.cherrysofa.com, it is now saying too many redirects.
I'm pretty sure even novice users should be able to deduct the http:// scheme in combination with "timeout during connect" to port 80. Also, the error message itself is not from Certbot, but from the ACME server.
It seems you didn't --expand an existing certificate for cherrysofa.com actually, but issued a cert just for the subdomain: crt.sh | 9166887715
I'm curious by the way: why would you redact the public IP address? Anyone can simply resolve your hostname to that IP address? What's the point in redacting?
I don't really understand how https and this sorta stuff works.
So now that the certificate for cherrysofa.com is expanded,
how do I get rid of the certificate I accidentally made for sofa.cherrysofa.com,
and how do I solve the too many redirects issue?
For the public IP thing, it just felt like the right thing to do, I'm not very smart.
You did not expand that existing certificate, but issued a new one just for the sofa subdomain. At least it doesn't show up on crt.sh | cherrysofa.com and there seems to be no backlog currently on crt.sh, so if you did issue an expanded cert, it should have shown up by now already.
If you're absolutely sure you don't need a certificate any longer, you can delete it. Please see the Certbot documentation about deleting certs here: User Guide — Certbot 2.6.0 documentation
That's a nginx issue and this is not a nginx support Community I'm afraid.
I'm sorry, I'm really confused.
I think I'm just gonna remove all the certificates and start again after reading thru the documentation a bit more.
Thank u for ur time.
That's very unnecessary and unnecessarily deleting certificates can lead to hitting rate limits, which could make you end up without any certificate at all and not able to issue a new one.
A good place to start is to check what you currently have in Certbot by running:
sudo certbot certificates
Well, it did say
Found the following certs:
Certificate Name: cherrysofa.com
Serial Number: 4f34cc214c0c9b6336b6e68e1dc56567a49
Key Type: ECDSA
Expiry Date: 2023-06-09 12:49:57+00:00 (VALID: 53 days)
Certificate Path: /etc/letsencrypt/live/cherrysofa.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cherrysofa.com/privkey.pem
Certificate Name: sofa.cherrysofa.com
Serial Number: 4fc157b3b3cf6c8e39efc309a75dcb96ed1
Key Type: ECDSA
Expiry Date: 2023-07-15 15:38:59+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/sofa.cherrysofa.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/sofa.cherrysofa.com/privkey.pem
But I removed them before reading your reply, so I'm back at square one.
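
Added example, not part of the thread: a sketch of the name check behind NET::ERR_CERT_COMMON_NAME_INVALID, showing why a certificate for *.cherrysofa.com covers sofa.cherrysofa.com while one for cherrysofa.com alone does not. The certificate labels and SAN lists are constructed for illustration, and the matcher is a simplified reading of the RFC 6125 wildcard rules, not Certbot's or any browser's code.

```python
# Added example: which certificate's names cover a given hostname?
# SAN lists below are constructed; they are not read from the server.

def name_matches(pattern, hostname):
    """Return True if one certificate dNSName entry covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    # Wildcards are only honoured in the left-most label.
    if any("*" in label for label in p_labels[1:]):
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels after the wildcard ("*.com" is rejected).
        if len(p_labels) < 3 or not h_labels[0]:
            return False
        return p_labels[1:] == h_labels[1:]
    if "*" in p_labels[0]:
        # Partial-label wildcards ("so*.example.com") are rejected in this sketch.
        return False
    return p_labels == h_labels


def covering_certs(certs, hostname):
    """Return the labels of all certificates whose SAN list covers hostname."""
    return [
        label
        for label, sans in certs.items()
        if any(name_matches(san, hostname) for san in sans)
    ]


# Constructed inventory: label -> SAN list (labels are hypothetical).
CERTS = {
    "apex-only": ["cherrysofa.com"],
    "wildcard": ["*.cherrysofa.com"],
    "subdomain-only": ["sofa.cherrysofa.com"],
}

if __name__ == "__main__":
    for host in ("cherrysofa.com", "sofa.cherrysofa.com", "a.sofa.cherrysofa.com"):
        print(host, "->", covering_certs(CERTS, host) or "no certificate covers this name")
```

If nginx serves a certificate whose names do not cover the requested host, the browser reports the name mismatch regardless of how many valid certificates exist on disk.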