--expand is not adding the new domain

jkaufman · December 28, 2017, 7:32am

My domain is: jeffreyscode.com
I ran this command: certbot --nginx -d jeffreyscode.com -d www.jeffreyscode.com -d api.jeffreyscode.com --expand
It produced this output: Domain: api.jeffreyscode.com Type: unauthorized Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested from [2604:a880:2:d0::9e:b001]:443. Received 2 certificate(s), first certificate had names "jeffreyscode.com, www.jeffreyscode.com" To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
My web server is (include version): nginx 1.10.3 & node 8.1.3
The operating system my web server runs on is (include version): Ubuntu 16.04.3
My hosting provider, if applicable, is: Digital Ocean
I can login to a root shell on my machine (yes or no, or I don’t know): Yes.
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No.

In short, I’ve got some static files being served by nginx - this works perfectly. The site does have the certificates installed and working. However, this nginx instance is also being used as a proxy server to a node.js application. It listens on api.jeffreyscode.com, and this is not working. I can’t seem to get the certificate to issue with the new domain. Is this something I would need to fix in the node.js app? Is it something in nginx? Certbot? Any help that anyone can provide would be much appreciated. Thanks.

mnordhoff · December 28, 2017, 4:58pm

“certbot --nginx” doesn’t support IPv6 yet.

It’s currently scheduled to be fixed in the next release, I believe.

For now, you can use “certbot certonly --webroot” or do awful hacks to the Nginx config files to make it sort of work.

jkaufman · December 28, 2017, 9:06pm

Just curious, what is the difference between using the nginx plugin and using the --webroot flag? Will that have any major impact on anything, or should it still protect the site in all the needed areas?

mnordhoff · December 28, 2017, 9:37pm

The Nginx plugin automatically configures Nginx.

With the webroot plugin, you’d have to configure the certificate and so forth in Nginx yourself. (Only once, though.)

You’d also want to pass --deploy-hook "service nginx reload" or so forth to Certbot.

jkaufman · December 28, 2017, 10:39pm

So for Nginx, what steps would I need to take to configure TLS/SSL? As I currently have the static files secured under the certificate, would anything need to change in regards to that server? Would I just need to edit the proxy server?

system · January 27, 2018, 10:39pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.