Generate letsencrypt ssl for subdomain if the main domain is on another server

Hello,

Could someone please help me with this (I also asked the question here):

Hi @calin24

Generate letsencrypt ssl for subdomain if the main domain is on another server

In general, that's not a problem. But that's not your question; your title is incomplete.

In your case, it's a problem, because you have different providers, one with Plesk.

It's always terrible to mix control panels like Plesk with standalone ACME clients like Certbot.

Especially if you have different providers; your A may be shared hosting.

@JuergenAuer, so you are saying it will not work if I generate a wildcard SSL certificate on VPS_B and also put it on VPS_A (import it in Plesk)?

But why does provider A ask me to generate a wildcard on this VPS_B?

But if I generate a Let's Encrypt certificate in Plesk for mail.my-domain.com, will that be OK? Or do I have to buy a new SSL certificate for this subdomain mail.my-domain.com?

The Laravel app that is on VPS_B, when sending emails, was giving me errors like:

    stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
    error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

because the mail.my-domain.com SSL certificate had expired.

Provider A gave me another URL for the emails ..... but again something is not OK:

    stream_socket_enable_crypto(): Peer certificate CN=`dns10.....' did not match expected CN=`mail.my-domain.com'

And that's why he said to generate a wildcard SSL certificate on VPS_B and give him the certificate to install on VPS_A as well.

Why do you think that?

It will work, but it requires manual actions every 60 - 85 days; that's not how Let's Encrypt is intended to be used.

And if the IP of your subdomain points to hoster A, hoster A should be able to create a certificate with that subdomain name, without a wildcard.

Please read the required basics:
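An added example, not part of the thread, to illustrate the "did not match expected CN" error quoted above and the wildcard question: a pure-Python implementation of the hostname check that a TLS client such as PHP's stream wrapper performs against a certificate's subjectAltName entries (falling back to the CN only when there is no SAN, as OpenSSL's X509_check_host does). The certificate names are constructed; `shared-mail.hoster.example` is a placeholder for the hoster's own mail hostname and is not taken from the poster's setup.

```python
# Added example, not code from the thread. Certificate names are constructed.
# Implements the DNS-name matching rules of RFC 6125 / RFC 9525 as practised by
# OpenSSL, browsers and PHP's stream wrapper, to show why a certificate for the
# hoster's own mail hostname fails for mail.my-domain.com while a wildcard or
# an explicit mail.my-domain.com SAN succeeds.


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match a single DNS label. Only a whole-label '*' is treated as a wildcard
    (Let's Encrypt issues no partial wildcards); it must match a non-empty label."""
    if pattern_label == "*":
        return host_label != ""
    return pattern_label == host_label


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (a SAN dNSName or the CN) covers hostname.

    - Case-insensitive; a trailing dot on either side is ignored.
    - A wildcard is allowed only in the left-most label and matches exactly
      one label: '*.my-domain.com' covers 'mail.my-domain.com' but neither
      'my-domain.com' nor 'a.b.my-domain.com'.
    - A wildcard needs at least two fixed labels after it ('*.com' is rejected).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if "*" in p[1:]:                 # wildcard anywhere but the first label
        return False
    if p[0] == "*" and len(p) < 3:   # '*.com' style, too broad
        return False
    return all(_label_matches(pl, hl) for pl, hl in zip(p, h))


def cert_covers(san_dns_names, common_name, hostname) -> bool:
    """Decide whether a certificate is acceptable for hostname.

    Like OpenSSL's X509_check_host, the CN is consulted only when the
    certificate carries no subjectAltName dNSName at all."""
    if san_dns_names:
        names = list(san_dns_names)
    else:
        names = [common_name] if common_name else []
    return any(name_matches(n, hostname) for n in names)


# The situations discussed in the thread, as constructed test certificates
# (SAN list, CN). "shared-mail.hoster.example" stands in for the hoster's
# own mail hostname that appeared in the CN mismatch error.
SCENARIOS = {
    "hoster's own cert presented on mail.my-domain.com": (
        ["shared-mail.hoster.example"], "shared-mail.hoster.example"),
    "wildcard issued on VPS_B": (
        ["my-domain.com", "*.my-domain.com"], "my-domain.com"),
    "explicit mail.my-domain.com SAN": (
        ["my-domain.com", "www.my-domain.com", "mail.my-domain.com"], "my-domain.com"),
    "web-only cert from certbot --apache": (
        ["my-domain.com", "www.my-domain.com"], "my-domain.com"),
}


def covering_scenarios(hostname: str = "mail.my-domain.com"):
    """Labels of the scenarios whose certificate would pass verification for hostname."""
    return [label for label, (sans, cn) in SCENARIOS.items() if cert_covers(sans, cn, hostname)]


if __name__ == "__main__":
    for label, (sans, cn) in SCENARIOS.items():
        verdict = "OK" if cert_covers(sans, cn, "mail.my-domain.com") else "verify failed"
        print(f"{label:52s} -> {verdict}")
```

The check is the reason a wildcard covers the mail host while a certificate for the hoster's own hostname does not, and also why a wildcard alone would not cover the bare my-domain.com: that name has to be listed explicitly.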

@JuergenAuer thank you.

I will insist that provider A generate the SSL certificate for mail.my-domain.com .... because it is administered by them anyway.

I only made changes in the DNS zone, like I said, to point the web app to another server, VPS_B (and here I installed Let's Encrypt for -d my-domain.com -d www.my-domain.com).

After all, I generated an SSL certificate for mail.my-domain.com as well.

I am not sure if I proceeded correctly:

  1. Listed the certificates on VPS_B:

     sudo certbot certificates
    
     Found the following certs:
     Certificate Name: my-domain.com
     Domains: my-domain.com www.my-domain.com
     Expiry Date: 2021-06-20 13:16:48+00:00 (VALID: 87 days)
     Certificate Path: /etc/letsencrypt/live/my-domain.com/fullchain.pem
     Private Key Path: /etc/letsencrypt/live/my-domain.com/privkey.pem
    
  2. Revoked and deleted the current certificate:

     sudo certbot revoke --cert-name my-domain.com

  3. Stopped the apache2 server because of the errors (I forgot to remove the SSL config files (-le-ssl.conf) from sites-available and sites-enabled), then restarted the apache2 server.

  4. Generated manually and verified with DNS (TXT entry for mail.my-domain.com: _acme-challenge.mail.my-domain.com):

     sudo certbot -d my-domain.com -d www.my-domain.com -d mail.my-domain.com --manual --preferred-challenges dns certonly

  5. Generated again with Apache, because I didn't know how to set it up automatically in Apache:

     sudo certbot --apache -d my-domain.com -d www.my-domain.com

     Here it generates another certificate with the name:

     my-domain.com-0001

  6. Changed the cert path in my-domain.com-le-ssl.conf to use /etc/letsencrypt/live/my-domain.com/ and not /etc/letsencrypt/live/my-domain.com-0001/

  7. Revoked and deleted cert-name my-domain.com-0001

  8. Restarted the Apache server

The website is secured. The SSL certificate now also has mail.my-domain.com included.

Probably after 90 days I have to generate it again and send it to the provider to change it in Plesk for VPS_A.
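An added example, not part of the thread: the steps above ended up, for a while, with two lineages (my-domain.com and my-domain.com-0001) for overlapping names, and with a certificate obtained via --manual DNS validation that certbot cannot renew on its own. This Python script parses the output of `certbot certificates` (same layout as quoted in step 1), reports lineages whose names are already covered by another lineage, and lists certificates inside the 30-day renewal window. SAMPLE_OUTPUT is constructed to mirror the post; it is not the poster's actual output.

```python
# Added example, not code from the thread. Parses the text `certbot certificates`
# prints (same layout as the output quoted in the post) and flags the two
# problems the steps above ran into: a second lineage ("my-domain.com-0001")
# whose names are already covered by an existing one, and certificates that
# are inside the renewal window. SAMPLE_OUTPUT is constructed; the -0001
# lineage stands for the duplicate created by the extra `certbot --apache` run.
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

SAMPLE_OUTPUT = """\
Found the following certs:
  Certificate Name: my-domain.com
    Domains: my-domain.com www.my-domain.com mail.my-domain.com
    Expiry Date: 2021-06-20 13:16:48+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/my-domain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/my-domain.com/privkey.pem
  Certificate Name: my-domain.com-0001
    Domains: my-domain.com www.my-domain.com
    Expiry Date: 2021-06-20 14:02:11+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/my-domain.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/my-domain.com-0001/privkey.pem
"""

FIELD_RE = re.compile(
    r"^\s*(Certificate Name|Domains|Expiry Date|Certificate Path|Private Key Path):\s*(.*?)\s*$"
)


@dataclass
class Lineage:
    name: str
    domains: Tuple[str, ...]
    expiry: Optional[datetime]   # timezone-aware when parsed
    cert_path: str = ""
    key_path: str = ""


def parse_certbot_certificates(text: str) -> List[Lineage]:
    """Turn `certbot certificates` output into Lineage records; unknown lines
    (e.g. 'Key Type:' or 'Serial Number:' in newer certbot) are skipped."""
    lineages: List[Lineage] = []
    cur: Optional[dict] = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Certificate Name":
            if cur:
                lineages.append(Lineage(**cur))
            cur = {"name": value, "domains": (), "expiry": None}
        elif cur is None:
            continue
        elif key == "Domains":
            cur["domains"] = tuple(value.split())
        elif key == "Expiry Date":
            # drop the "(VALID: 87 days)" annotation, keep the ISO timestamp
            cur["expiry"] = datetime.fromisoformat(value.split(" (")[0])
        elif key == "Certificate Path":
            cur["cert_path"] = value
        elif key == "Private Key Path":
            cur["key_path"] = value
    if cur:
        lineages.append(Lineage(**cur))
    return lineages


def find_redundant_lineages(lineages: List[Lineage]) -> List[Tuple[str, str]]:
    """(redundant, covering) pairs: a lineage all of whose names are present in
    another lineage. Two lineages for the same names double the renewal load
    and let a vhost point at the copy that later gets deleted."""
    out = []
    for a in lineages:
        for b in lineages:
            if a.name == b.name:
                continue
            sa, sb = set(a.domains), set(b.domains)
            # strict subset is redundant; for equal sets report the later name
            if sa <= sb and (sa < sb or a.name > b.name):
                out.append((a.name, b.name))
    return out


def days_remaining(lineage: Lineage, as_of: Optional[str] = None) -> int:
    """Whole days until expiry, relative to as_of (ISO 8601 string) or now (UTC)."""
    now = datetime.fromisoformat(as_of) if as_of else datetime.now(timezone.utc)
    return (lineage.expiry - now).days


def expiring_within(lineages: List[Lineage], days: int = 30,
                    as_of: Optional[str] = None) -> List[str]:
    """Names of lineages inside the renewal window. Certbot's own timer renews
    at 30 days before expiry; a lineage flagged here that was obtained with
    --manual and no authenticator hook will not renew by itself."""
    return [l.name for l in lineages if l.expiry and days_remaining(l, as_of) <= days]


if __name__ == "__main__":
    import sys
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    certs = parse_certbot_certificates(text)
    for red, cov in find_redundant_lineages(certs):
        print(f"redundant lineage {red}: every name is already in {cov}")
    for name in expiring_within(certs):
        print(f"{name} expires within 30 days; check that renewal is automated")
```

Without stdin input the script runs on the constructed sample; on a live host it can be fed with `sudo certbot certificates | python3 check_lineages.py` (the file name is arbitrary).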
