I cannot get one certificate to work with various subdomains

Can someone help me with this please? I am using certbot on manual mode and already got a certificate to work with one domain but when I try to include more subdomains it will only work for one.
My domain registrar and web hosting provider is GoDaddy by the way. (Yes, I know it's not the best for these situations, but I do know it's possible).

1 Like

In what way does it stop working? Error messages and screenshots would be helpful here.

The basic way to request multiple domains on a single certificate is just to list them like:

certbot certonly --manual -d example.com -d www.example.com -d example.org

To help you further than that, we need more information about where you're running into trouble.

2 Likes

Welcome to the Let's Encrypt Community, Lorenzo :slightly_smiling_face:

Following what @_az has advised should get you going. If you should run into any GoDaddy specific issues (especially with cPanel), I'm happy to help as I've probably run into them myself at some point.

2 Likes

Sorry, I forgot to include that, I'll run it one more time since it takes a bit and I'll paste the output here!

1 Like

You can also do this:

-d "domain.com,www.domain.com"

like:

certbot certonly --manual --preferred-challenges dns -d "example.com,www.example.com" --keep

1 Like

Oh, also another heads up before I post the output here, even though one domain is certified with Let's Encrypt, it still shows as insecure, the domain in question that I'm talking about here is this one: lorenzobloedow.com (ignore the silly website, I'm still just setting it up lol)

1 Like

Did you remember to click install once you saved the certificate in cPanel?

It looks like you did.

Make sure to go to the Domains section in cPanel, click Domains, expand the section for your domain, then toggle "Force HTTPS Redirect" on.

1 Like

One second, I'm now generating a new cert for all the domains.

1 Like
Challenge failed for domain autodiscover.lorenzobloedow.com
Challenge failed for domain cpanel.lorenzobloedow.com
Challenge failed for domain cpcalendars.lorenzobloedow.com
Challenge failed for domain cpcontacts.lorenzobloedow.com
Challenge failed for domain webdisk.lorenzobloedow.com
Challenge failed for domain webmail.lorenzobloedow.com
http-01 challenge for autodiscover.lorenzobloedow.com
http-01 challenge for cpanel.lorenzobloedow.com
http-01 challenge for cpcalendars.lorenzobloedow.com
http-01 challenge for cpcontacts.lorenzobloedow.com
http-01 challenge for webdisk.lorenzobloedow.com
http-01 challenge for webmail.lorenzobloedow.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: autodiscover.lorenzobloedow.com
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up A for
   autodiscover.lorenzobloedow.com - check that a DNS record exists
   for this domain

   Domain: cpcalendars.lorenzobloedow.com
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up A for
   cpcalendars.lorenzobloedow.com - check that a DNS record exists for
   this domain

   Domain: cpcontacts.lorenzobloedow.com
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up A for
   cpcontacts.lorenzobloedow.com - check that a DNS record exists for
   this domain

   Domain: webmail.lorenzobloedow.com
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up A for
   webmail.lorenzobloedow.com - check that a DNS record exists for
   this domain
 - The following errors were reported by the server:

   Domain: cpanel.lorenzobloedow.com
   Type:   unauthorized
   Detail: Invalid response from
   https://cpanel.lorenzobloedow.com/.well-known/acme-challenge/-MCUP43vU0sqmxItSrul42dOMt0HWH4ojmz9SqGCq2U
   [50.62.141.184]: "\n<!DOCTYPE html>\n<html lang=\"en\"
   dir=\"ltr\">\n<head>\n    <meta http-equiv=\"Content-Type\"
   content=\"text/html; charset=utf-8\" />\n   "

   Domain: webdisk.lorenzobloedow.com
   Type:   unauthorized
   Detail: Invalid response from
   https://webdisk.lorenzobloedow.com/.well-known/acme-challenge/c3Ue1U0bbLZKk7N0iqcFOE8QtewPvXju4o_-ZKgZnok
   [50.62.141.184]: 401

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
1 Like

Here you go, sorry for taking too long, I'm really busy.

1 Like
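As an added example (not from this thread and not part of certbot), here is a small Python triage script for output like the one posted above. It strips the console colour codes that show up as "←[31m" in a Windows terminal, parses each "Domain / Type / Detail" entry from the IMPORTANT NOTES block, classifies it (NXDOMAIN means the name has no DNS record at all; "unauthorized" means the name resolves but whatever host answered did not serve the token, so it is not the web root you control), and rebuilds a certbot -d list containing only the names that were not rejected. The sample output, the example.net names, the 192.0.2.10 address and the TOKEN placeholder are all constructed for this example.

```python
"""Triage a failed multi-name certbot run and rebuild a smaller -d list.

Added example, not part of the forum thread or of certbot itself.
The sample output below is constructed to mirror the shape of the
output posted in the thread (names, IP and token are placeholders).
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Failure:
    domain: str
    kind: str    # certbot's "Type:" field, e.g. "dns" or "unauthorized"
    detail: str  # the "Detail:" text with wrapped lines joined


# Constructed sample modelled on the thread's output (not real data).
SAMPLE_OUTPUT = """\
Cleaning up challenges
\x1b[31mSome challenges have failed.\x1b[0m
\x1b[1m
IMPORTANT NOTES:
\x1b[0m - The following errors were reported by the server:

   Domain: autodiscover.example.net
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up A for
   autodiscover.example.net - check that a DNS record exists
   for this domain

   Domain: cpanel.example.net
   Type:   unauthorized
   Detail: Invalid response from
   https://cpanel.example.net/.well-known/acme-challenge/TOKEN
   [192.0.2.10]: 401

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
"""

# ESC[..m colour codes; a Windows console renders ESC as the arrow "←".
_ANSI = re.compile(r"(?:\x1b|\u2190)\[[0-9;]*m")

# One failed name: Domain / Type / Detail, where Detail runs until a blank line.
_ENTRY = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s*\n"
    r"\s*Type:\s*(?P<kind>\S+)\s*\n"
    r"\s*Detail:\s*(?P<detail>.*?)(?=\n\s*\n|\Z)",
    re.S,
)


def parse_failures(output: str) -> list[Failure]:
    """Return one Failure per 'Domain:' entry in certbot's IMPORTANT NOTES."""
    clean = _ANSI.sub("", output)
    failures = []
    for m in _ENTRY.finditer(clean):
        detail = " ".join(m.group("detail").split())  # join wrapped lines
        failures.append(Failure(m.group("domain"), m.group("kind"), detail))
    return failures


def classify(f: Failure) -> str:
    """Map a failure to the action a cPanel/GoDaddy user would take."""
    if f.kind == "dns" and "NXDOMAIN" in f.detail:
        return "no A/AAAA record: drop the name from -d or create the record"
    if f.kind == "dns":
        return "DNS lookup problem: check the zone for this name"
    if f.kind == "unauthorized":
        return "name resolves, but the answering host did not serve the token: not your web root"
    return "other: read the Detail line"


def surviving_names(requested: list[str], failures: list[Failure]) -> list[str]:
    """Keep only the requested names that certbot did not reject."""
    failed = {f.domain.lower() for f in failures}
    return [n for n in requested if n.lower() not in failed]


def certbot_command(names: list[str], challenge: str = "http") -> str:
    """Rebuild the thread's one -d-per-name form (a comma-joined -d is equivalent)."""
    args = " ".join(f"-d {n}" for n in names)
    return f"certbot certonly --manual --preferred-challenges {challenge} {args}"


if __name__ == "__main__":
    requested = ["example.net", "www.example.net",
                 "autodiscover.example.net", "cpanel.example.net"]
    found = parse_failures(SAMPLE_OUTPUT)
    for f in found:
        print(f"{f.domain}: {classify(f)}")
    print(certbot_command(surviving_names(requested, found)))
```

Run it against a saved copy of your own certbot output instead of SAMPLE_OUTPUT to get the reduced command; names the parser flags as NXDOMAIN are exactly the ones the thread's answer suggests leaving out.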

You don't need your own certificate for those subdomain names. GoDaddy will redirect those to your hosting machine name (for http connections, which then redirect to https connections), which is covered by their own certificate. You most likely only really need a certificate covering lorenzobloedow.com and www.lorenzobloedow.com.

1 Like

It shows as insecure because you are not redirecting http to https but if you access your site using https://lorenzobloedow.com/ you will see it as secured.

3 Likes

Exactly, @sahsanu. I already gave him the proper way to do the redirect in cPanel.

I try to spread this information as much as I can because I myself used to use .htaccess to do this, which is error prone and far less efficient. Amazingly, he already has a www to apex redirect, somehow. I think it might be an application-based redirect.

3 Likes

I'm really confused haha, can you please explain what a www to apex redirect is and what .htaccess is?

1 Like

www.domain.com redirected to domain.com (the apex)

.htaccess is a file used to control various aspects of accessing a folder that can be used for redirecting traffic

2 Likes

Oh ok, thanks.
By the way, about the output I sent you, can you help me with that? Some weeks ago I tried some solutions but they didn't work.

1 Like

I'm getting the same DNS does not point to this server message also. Not possible.

Using centos CWP admin gui. Ugg I know, not your problem. But for some reason, there is an issue with DNS and so I'm thinking it is your problem.

1 Like

You mean the NET::ERR_CERT_COMMON_NAME_INVALID issue? That's not that uncommon, right? That a different certificate is presented, because the correct certificate isn't installed or doesn't even exist at all? Not strange at all. Perhaps I didn't understand correctly what you meant :slight_smile:

Although I still don't understand what you meant with:

If you have just a certificate with those two hostnames, it won't be possible to use a different subdomain than the www subdomain.

Also, any HTTP redirect won't work if there is a TLS error earlier.

1 Like

You are correct. Connecting directly with https yields a certificate error regardless. :confused: Admittedly, I have typically used a wildcard certificate that avoids this issue altogether. I attempted, unsuccessfully, to extend the "clean install" behavior to this situation. My solution was simply to delete the CNAMEs I didn't want anyhow from my DNS.