Expanding cert to include a subdomain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: tele-metron.com

I ran this command:
sudo certbot certonly -d tele-metron.com,wip.tele-metron.com --expand

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for wip.tele-metron.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. wip.tele-metron.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://wip.tele-metron.com/.well-known/acme-challenge/_Gzmd9fkoKIR1V8qTcT9MmeTf2VPPZU_1FTd2cWy7ek: Connection refused

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: wip.tele-metron.com
    Type: connection
    Detail: Fetching
    http://wip.tele-metron.com/.well-known/acme-challenge/_Gzmd9fkoKIR1V8qTcT9MmeTf2VPPZU_1FTd2cWy7ek:
    Connection refused

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): I am running a webserver written in 'go'

The operating system my web server runs on is (include version):
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

My hosting provider, if applicable, is:
Self hosted on Linode

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
using Linode DNS and manager

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

tele-metron.com is at 104.237.143.72, while wip.tele-metron.com is at 45.79.47.116. I may be mistaken, but I was depending on certbot spinning up the required webserver on HTTP, and I am thinking perhaps that the HTTP server may have to reside at the 45.79.47.116 address, while I am using certbot on 104.237.143.72.
Any guidance is appreciated.

That would require magic. Or rather complicated tech setup. Such a thing doesn't happen on its own.

2 Likes

If they are at two different IPs, then get two different certs.
Why are you trying to combine the name onto one cert?

1 Like

While getting a certificate on a separate computer is not usually the most fruitful path, if you know that you have a reason to want to do it, you can search this forum for "remote webroot" to find people's suggestions for how to do it (more easily with acme.sh than with Certbot, though possible with Certbot through scripting, too). I agree with the other commenters that it's less likely to be an ideal solution because it's normally much easier to get certificates directly on the individual servers that are hosting each domain name.

3 Likes
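The "remote webroot" approach mentioned above, as an added example that is not part of the thread and not Certbot's or the Let's Encrypt community's own code: a pair of Certbot manual auth/cleanup hooks that place the http-01 challenge file on the host the name actually resolves to (45.79.47.116 in the thread) while Certbot runs on the other machine. It assumes hypothetical SSH key access as user "deploy" to that host and a hypothetical webroot of /var/www/wip served on port 80 there; the CERTBOT_TOKEN and CERTBOT_VALIDATION variables are the ones Certbot exports to manual hooks. The local file-placement functions are what the remote variants run over ssh, so they can be exercised without a remote host.

```shell
#!/bin/sh
# Added example (not from the thread): Certbot manual hooks that put the http-01
# challenge file on the host that serves the name being validated.
# Assumptions (hypothetical): ssh key access from the Certbot host to the web host
# as "deploy", and that host serving REMOTE_WEBROOT/.well-known/acme-challenge/
# over plain HTTP on port 80.
#
# Usage on the Certbot host (the hook runs once per name being validated):
#   sudo certbot certonly --manual --preferred-challenges http \
#        --manual-auth-hook    "/usr/local/bin/remote-challenge.sh auth" \
#        --manual-cleanup-hook "/usr/local/bin/remote-challenge.sh cleanup" \
#        -d wip.tele-metron.com

REMOTE_HOST="${REMOTE_HOST:-deploy@45.79.47.116}"   # host wip.tele-metron.com resolves to
REMOTE_WEBROOT="${REMOTE_WEBROOT:-/var/www/wip}"    # hypothetical webroot on that host

# challenge_path WEBROOT TOKEN -> path of the challenge file inside WEBROOT.
challenge_path() {
    printf '%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# validate_token TOKEN -> 0 if TOKEN is a base64url string, 1 otherwise.
# Certbot supplies the token; rejecting anything else keeps a malformed value
# from turning into a path such as "../.." when interpolated below.
validate_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# place_challenge WEBROOT TOKEN VALIDATION -> writes the key authorization
# (the exact body the CA expects to fetch) under WEBROOT on this filesystem.
place_challenge() {
    webroot=$1; token=$2; validation=$3
    validate_token "$token" || return 1
    target=$(challenge_path "$webroot" "$token")
    mkdir -p "$(dirname "$target")" || return 1
    printf '%s' "$validation" > "$target"
}

# remove_challenge WEBROOT TOKEN -> deletes the challenge file after validation.
remove_challenge() {
    validate_token "$2" || return 1
    rm -f "$(challenge_path "$1" "$2")"
}

# Remote variants: run the same steps on the serving host over ssh, reading the
# values Certbot exports to the hook environment.
remote_place_challenge() {
    validate_token "$CERTBOT_TOKEN" || { echo "refusing malformed token" >&2; return 1; }
    target=$(challenge_path "$REMOTE_WEBROOT" "$CERTBOT_TOKEN")
    ssh "$REMOTE_HOST" "mkdir -p '$(dirname "$target")'" &&
        printf '%s' "$CERTBOT_VALIDATION" | ssh "$REMOTE_HOST" "cat > '$target'"
}

remote_remove_challenge() {
    validate_token "$CERTBOT_TOKEN" || return 1
    ssh "$REMOTE_HOST" "rm -f '$(challenge_path "$REMOTE_WEBROOT" "$CERTBOT_TOKEN")'"
}

# Dispatch only when invoked as a hook, so the functions can also be sourced.
case "${1:-}" in
    auth)    remote_place_challenge ;;
    cleanup) remote_remove_challenge ;;
esac
```

Renewal then works from the Certbot host because the hooks run again on each `certbot renew`; on 0.x releases such as the 0.31.0 in the thread, non-interactive manual mode also needs `--manual-public-ip-logging-ok`, a flag later versions removed. The file-placement step is split out from the ssh transport so the part that touches the filesystem can be checked on its own, and the token is validated before it is interpolated into any path or remote command.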

Thank you very much for your support of an old neophyte. I had no idea I could get a cert for a subdomain.
I have ended up with the following configuration which is working.

  • tele-metron.com zone record now includes an A record for wip @ IPv4 address and an AAAA record for wip @ IPv6 address
  • certificate for tele-metron installed on 104.237.143.72 using autorenew and deploy script to restart the program ( has worked for a while now )
  • certificate created for wip.tele-metron.com with certbot and auto renew setup with script to restart the program (renewal time not encountered yet)

If you think this config presents any problems please let me know.
Thanks again for your assistance; it was greatly appreciated.

2 Likes
