HSTS error, unable to add function certificates to subdomains

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I cannot properly visit domains after attempting to add certificates for subdomains. Visiting nextcloud.caviomorpha.dev in Firefox brings:


nextcloud.caviomorpha.dev has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.

The issue is most likely with the web site, and there is nothing you can do to resolve it. You can notify the web site’s administrator about the problem.


Only my main domain for my static website, caviomorpha.dev, works. I cannot expand it to any subdomains due to this error.

My domain is: nextcloud.caviomorpha.dev

I ran this command: certbot certonly --nginx -d nextcloud.caviomorpha.dev

It produced this output:

My web server is (include version): weiqi.caviomorpha.dev

The operating system my web server runs on is (include version): Debian 11 64-bit

My hosting provider, if applicable, is: Hostinger

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

Your current certificate being served is just for caviomorpha.dev and doesn't include nextcloud.caviomorpha.dev. If you perhaps just need to restart nginx to load the latest certificate

3 Likes

Note also that 'certonly' tells certbot to not attempt to install the certificate.

3 Likes

This.

From the CT logs (crt.sh | nextcloud.caviomorpha.dev) you can see you already have gotten three perfectly fine certificates issued for nextcloud.caviomorpha.dev. Please use one of those (i.e.: manually install it into your webserver, as you're indeed using certonly for some reason) instead of issuing more certificates. Because issuance isn't the problem, most likely the manual installing step is missing.

3 Likes
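The check the replies above describe, as an added example that is not part of the original thread: it walks nginx server blocks and reports any `server_name` that the configured certificate's SAN list does not cover, then lists certificates on disk that do cover it. The nginx config, the file paths and the SAN lists are constructed for illustration; the real lineage directory for the subdomain may be named differently.

```python
import re

# Constructed nginx config (flat server blocks only): the subdomain's block
# still references the certificate issued for the apex domain.
NGINX_CONF = """
server {
    listen 443 ssl;
    server_name caviomorpha.dev;
    ssl_certificate /etc/letsencrypt/live/caviomorpha.dev/fullchain.pem;
}
server {
    listen 443 ssl;
    server_name nextcloud.caviomorpha.dev;
    ssl_certificate /etc/letsencrypt/live/caviomorpha.dev/fullchain.pem;
}
"""
# Constructed SAN lists per certificate file; paths are assumed, not from the thread.
CERT_SANS = {
    "/etc/letsencrypt/live/caviomorpha.dev/fullchain.pem": ["caviomorpha.dev"],
    "/etc/letsencrypt/live/nextcloud.caviomorpha.dev/fullchain.pem": ["nextcloud.caviomorpha.dev"],
}

def san_covers(san, host):
    """Exact match, or a leftmost '*' label standing in for exactly one label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        head, _, parent = host.partition(".")
        return bool(head) and parent == san[2:]
    return san == host

def candidates(host, cert_sans):
    """Certificate files whose SAN list covers host."""
    return [p for p, sans in cert_sans.items()
            if any(san_covers(s, host) for s in sans)]

def uncovered_names(conf, cert_sans):
    """(server_name, configured cert) pairs where the cert does not list the name."""
    problems = []
    for block in re.findall(r"server\s*\{(.*?)\}", conf, re.S):
        names = re.search(r"server_name\s+([^;]+);", block)
        cert = re.search(r"ssl_certificate\s+([^;\s]+)\s*;", block)
        if names and cert:
            for name in names.group(1).split():
                if cert.group(1) not in candidates(name, cert_sans):
                    problems.append((name, cert.group(1)))
    return problems

for name, path in uncovered_names(NGINX_CONF, CERT_SANS):
    print(f"{name}: not covered by {path}; covering certs: {candidates(name, CERT_SANS)}")
```

On a real host the SAN lists would come from `openssl x509 -noout -ext subjectAltName -in FILE` for each certificate file, and nginx must be reloaded after the `ssl_certificate` path is corrected.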