Get certificate for subdomain


#1

I want to get the certificate for my subdomain web server, mail server, and firewall. They all use the same public ip address. Is there any work around this?


#2

Hi,

Sure…
There are a few options for you…

  1. (If port 80 is accessible from external network) Run ACME (preferably certbot) compatible client to get a certificate (contains all domains on your main web server, then distribute the certificate to other servers)
  2. (If you could use DNS & DNS provider have API) use an ACMEv2 compatible client to obtain a wildcard certificate

Here’s a list of client options:

Please also fill in this form so we could help you better

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Thank you



#3

My domain is: health.gov.ki but will use it in our subdomain hosted locally as follows; staff.health.gov.ki

I ran this command (from our local mail server, for testing, before we actually take it from Google Mail): sudo certbot certonly --webroot --agree-tos --email postmaster@staff.health.gov.ki -d mail.staff.health.gov.ki -w /var/www/html/

It produced this output: I got this error: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/

An unexpected error occurred:

There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/

My web server is (include version): nginx version: nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#4

This means that you ran several other commands that requested certificates unsuccessfully recently. If you wait for one hour, this limit will be reset and you can try this command again and get a more meaningful error.

Alternatively, if you look in /var/log/letsencrypt, there should be logs from the previous times which may also contain a more meaningful error explaining why the certificates could not be issued.


#5

Hi,

For testing purposes, you should add --staging to avoid failed authorizations etc…

Can you please try adding that flag and share the output with us?

Thank you


#6

Hi,

I get this error message below:

Failed authorization procedure. mail.staff.health.gov.ki (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.staff.health.gov.ki/.well-known/acme-challenge/hMnXiNy2aDpVP05--JufBq-rA_IK0XeeTxp4mZSNM_E: "
<head>
    <title>Page not found</title>
    <style>
            .wrapper{
                    width:100%;
                    heig"

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mail.staff.health.gov.ki
    Type: unauthorized
    Detail: Invalid response from
    http://mail.staff.health.gov.ki/.well-known/acme-challenge/hMnXiNy2aDpVP05--JufBq-rA_IK0XeeTxp4mZSNM_E:
    "
    <head>
        <title>Page not found</title>
        <style>
                .wrapper{
                        width:100%;
                        heig"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.


#7

Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org


Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.


(Y)es/(N)o: y
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.staff.health.gov.ki
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mail.staff.health.gov.ki (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.staff.health.gov.ki/.well-known/acme-challenge/hMnXiNy2aDpVP05--JufBq-rA_IK0XeeTxp4mZSNM_E: "

Page not found .wrapper{ width:100%; heig"

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mail.staff.health.gov.ki
    Type: unauthorized
    Detail: Invalid response from
    http://mail.staff.health.gov.ki/.well-known/acme-challenge/hMnXiNy2aDpVP05--JufBq-rA_IK0XeeTxp4mZSNM_E:
    "

    Page not found .wrapper{ width:100%; heig"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.


#8

Are you running that command on the web server or the mail server? (or are they the same machine?)

You need to run it on the web server because that’s what the CA will reach when it tries to validate by connecting to the domain on port 80. You can copy the resulting certificate to the mail server after you’ve obtained it. If you do this with a --deploy-hook command it will be repeated automatically when the certificate is renewed.

If you’re already running it on the web server, you’ll need to make sure the /var/www/html that you entered in the command is actually the webroot directory when you connect to nginx using the mail server’s subdomain name. Alternatively you might have more luck using --authenticator nginx instead of --webroot.

If you prefer to run a command directly on the mail server, you might try acme.sh which supports Dreamhost’s DNS API, or getssl which has a remote webroot mode. (Both of which you can also do with certbot, if you really want to, but it’s a bit trickier).
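A pre-flight check that mirrors what the CA does during http-01 validation, added here as an example that is not part of the thread: it places a constructed token under the webroot and fetches it over plain HTTP by the mail subdomain's name, so a "Page not found" mismatch like the one above is caught locally before another failed authorization counts against the rate limit. The function names, the token format and the curl invocation are assumptions.

```shell
#!/bin/sh
# Pre-flight check for an http-01 webroot (added example, not code from the thread).
# Instead of asking the CA and burning the failed-authorization rate limit, drop a
# constructed token under the webroot and fetch it the way the CA does: plain HTTP,
# port 80, the exact hostname given to -d. A "Page not found" body means nginx is
# not serving WEBROOT for that name, which is exactly why certbot failed above.
# Assumes curl is installed; the token and body values are made up here.

# Filesystem path certbot writes for a token under the webroot.
challenge_path() {
    printf '%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# URL the CA requests for that token: always http://, never https://.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Write CONTENT to the token file; prints the path written.
# Args: webroot token content
place_token() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" && printf '%s' "$3" > "$dir/$2" && printf '%s\n' "$dir/$2"
}

# Serve-and-fetch test; exit status 0 means the body served on port 80 matched
# the file on disk. Network step: run it on the host that answers for DOMAIN.
check_webroot() {
    domain="$1"; webroot="$2"
    token="preflight-$$-$(date +%s)"   # constructed token, not a CA-issued one
    body="$token"                       # any content works; only equality matters
    place_token "$webroot" "$token" "$body" >/dev/null || return 2
    got="$(curl -fsS --max-time 10 "$(challenge_url "$domain" "$token")" 2>/dev/null)"
    rm -f "$(challenge_path "$webroot" "$token")"
    [ "$got" = "$body" ]
}

# Usage: sh preflight.sh mail.staff.health.gov.ki /var/www/html
if [ "$#" -eq 2 ]; then
    if check_webroot "$1" "$2"; then
        echo "OK: $2 is what port 80 serves for $1; safe to run certbot --webroot -w $2 -d $1"
    else
        echo "FAIL: http://$1/.well-known/acme-challenge/ is not served from $2;" \
             "fix the nginx server block for $1 (or use --authenticator nginx) before retrying" >&2
        exit 1
    fi
fi
```

Run it on the machine that actually answers port 80 for the subdomain; if it passes there but certbot still fails, the DNS A/AAAA record is pointing somewhere else.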


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.