Installing cert for cockpit subdomain, have cert for main domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: humortimes.com

I ran this command: certbot certonly -d cockpit.humortimes.com

It produced this output: Could not find ssl_module; not disabling session tickets.
AND: Certbot failed to authenticate some domains (authenticator: nginx).

My web server is (include version): nginx 1.20.1

The operating system my web server runs on is (include version): AlmaLinux 9.3

My hosting provider, if applicable, is: dedicated server

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.7.4

I am trying to install a cert for a cockpit subdomain, as recommended here.

I have a cert already installed for the main domain, and am using openssl, so I'm not sure an ssl_module is relevant. I did install mod_ssl, however, and the next time I ran the certbot command, got all kinds of errors relating to ssl_module:

Error while running apachectl configtest.

AH00526: Syntax error on line 85 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty

Error while running systemctl restart httpd.

Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xeu httpd.service" for details.

... which sounds like it relates to apache, but we're running nginx. It also seems to be looking for certs, but they are installed elsewhere.

Can I install a cert for the cockpit subdomain this way, or is it not feasible because of the fact that we already have certs for the domain?

It seems like it may be trying to auto-discover your config and finding unused Apache config. Did you try certbot certonly --nginx?

Assuming nginx does all the work for the https frontend service and is proxying back to cockpit, then yes it should all work.

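As an added example (not from the thread or the Cockpit project), here is a small provisioning script for the setup webprofusion describes: nginx terminates TLS for the subdomain with the lineage certbot writes under /etc/letsencrypt/live/ and proxies to cockpit-ws. The upstream address 127.0.0.1:9090 (Cockpit's default port, which serves its own self-signed TLS), the cockpit.conf keys Origins and ProtocolHeader, and the output paths are assumptions about a stock Cockpit install; verify them against your cockpit.conf(5) man page before writing the files.

```shell
#!/bin/sh
# Added example: render the nginx server blocks and the cockpit.conf
# [WebService] section for a Cockpit subdomain behind nginx.
# Usage (as root, after "certbot certonly --nginx -d $fqdn" has succeeded):
#   render_cockpit_vhost cockpit.example.com > /etc/nginx/conf.d/cockpit.conf
#   render_cockpit_conf  cockpit.example.com > /etc/cockpit/cockpit.conf
#   nginx -t && systemctl reload nginx && systemctl restart cockpit.socket

render_cockpit_vhost() {
    fqdn="$1"
    live="/etc/letsencrypt/live/${fqdn}"   # certbot's default lineage directory (assumption)
    cat <<EOF
# Plain HTTP only redirects; certbot --nginx also uses this block for the
# HTTP-01 challenge when renewing.
server {
    listen 80;
    server_name ${fqdn};
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl http2;
    server_name ${fqdn};

    ssl_certificate     ${live}/fullchain.pem;
    ssl_certificate_key ${live}/privkey.pem;

    location / {
        # cockpit-ws listens with its own self-signed cert on 9090 (assumption);
        # nginx does not verify upstream certs by default, acceptable on loopback.
        proxy_pass https://127.0.0.1:9090;
        proxy_http_version 1.1;
        # Cockpit's terminal and log streams run over WebSockets
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_buffering off;
        proxy_read_timeout 1h;
    }
}
EOF
}

# Cockpit rejects WebSocket connections whose Origin it does not expect, so
# the public https origin must be listed; ProtocolHeader tells it the client
# side is TLS even though nginx set the header, not the browser.
render_cockpit_conf() {
    fqdn="$1"
    cat <<EOF
[WebService]
Origins = https://${fqdn}
ProtocolHeader = X-Forwarded-Proto
EOF
}
```

The two functions only print; redirect their output to the real files once `nginx -t` is happy with the result, and keep the old Apache `ssl.conf` out of the picture entirely, since nothing here depends on httpd.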

That's an Apache module. Not used by nginx. Agree with webprofusion: explicitly choose the --nginx plug-in with

certbot certonly --nginx -d cockpit.humortimes.com

As an aside, I see you have active DigiCert certs which is what your humortimes.com nginx / Wordpress site is using.

Is there a reason you don't want to use DigiCert for your cockpit subdomain?

I do see some Let's Encrypt certs in your history but issued by Let's Encrypt E1. That seems more likely to have been requested by something like Cloudflare on your behalf. It's fine if you are experimenting. But, it would be helpful to know your final config and get that solution working. Sometimes temp solutions don't transfer well.

More explanation of these various factors would be helpful.


I did do the certbot certonly --nginx initially, but then tried to follow that with the -d cockpit line, I didn't know to combine them.

Regarding DigiCert, I believe it would cost to add a subdomain. Since the cockpit subdomain is merely for connecting via web console (not public facing), I don't want to pay for a cert if I don't have to. At any rate, our certs were installed by our website host, so we'd have to go through them, and I'm sure they'd charge for it, and it would add to our yearly renewal charges.

Is there any downside to having a separate Certbot cert for this subdomain I'm not aware of?

Also, I am considering just switching all the subdomains to Certbot certs. Is there any reason I shouldn't? Thanks.

Yes, there seems to be a disconnect somewhere.

Do you have Apache installed?
If so, do you need it?
If not, uninstall it.


The apachectl -v command shows Apache/2.4.57. I recently installed AlmaLinux 9.2, I guess this was part of it. But dnf remove apachectl returns "No match for argument". httpd -v returns the same Apache version. So I stopped and disabled it. So, just to be sure before I do it, should I go ahead and remove it? And how exactly?

This page also recommends using yum erase httpd httpd-tools apr apr-util to remove these packages. It also says I should update the firewall config. Should I follow those instructions to remove Apache?

I just want to make sure I'm doing this right. Thanks.


Both humortimes.com and the cockpit subdomain are now proxied at Cloudflare.

You might consider trying to use a Cloudflare Origin CA Cert on your origin server.

I previously saw you using an nginx server and Wordpress but now can't tell because of the proxy to Cloudflare.

How you configure your various services is up to you. There is no single right answer. It is difficult to advise when you don't have a specific plan. You should probably focus on that first.


what about?:

  • dnf remove apache
  • dnf remove httpd

I didn't realize Cloudflare offered that. Do I need to revoke my current certs to use Cloudflare's? Is their Origin CA all I would need? I wouldn't need to keep one like I have now on the server itself?

As for a plan, that's why I'm asking about my options here. The CF option sounds like a great way to go, but I'm unclear on what to do with my old certification method if I switch.

BUT... it appears I already have an "Edge Certificate" with CF and didn't know it. They also list "Client Certificates" and "Origin Certificates", as if you should have them all. It's all very confusing. You recommended an Origin cert, should I get a Client cert as well? Should I keep the Edge cert too?

Lastly, if I get these certs from CF, can I just leave the current certs we have and not renew them? Is it okay to have both for now?

Thanks for your help in understanding these options.

dnf remove httpd should work, but what do you think about the link I included before that recommends doing it this way?

I want to be sure and not mess it up.

I'm not too sure about using erase.
You'd need to ask about that in an AlmaLinux forum.


No

Their Origin CA cert is installed on your origin server.

Once the Origin CA cert is working you should delete your Let's Encrypt certs. Otherwise auto-renew will keep requesting them, wasting resources. Example command:

sudo certbot delete --cert-name example.com

for all the certs shown by sudo certbot certificates

These are all good questions to resolve in the Cloudflare docs or their community

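The clean-up step above, as an added example that is not from the thread: parse the lineage names out of `certbot certificates`, refuse to delete any lineage an nginx config still references (so the new Origin CA cert really is in service first), and run `certbot delete` for the rest. The sample listing in the usage comment is constructed, and the nginx config root /etc/nginx is an assumption about the AlmaLinux package layout.

```shell
#!/bin/sh
# Added example: remove every Let's Encrypt lineage listed by
# "certbot certificates", skipping any that nginx still serves.
# Real run:  sudo certbot certificates | lineage_names | delete_lineages
set -eu

# Print the lineage names from "certbot certificates" output on stdin.
# The listing has lines like "  Certificate Name: example.com".
lineage_names() {
    awk -F': ' '/^[[:space:]]*Certificate Name:/ { print $2 }'
}

# Exit 0 if any file under $2 (default /etc/nginx, an assumption) still
# points at the lineage named in $1.
lineage_in_use() {
    grep -rqs "/etc/letsencrypt/live/$1/" "${2:-/etc/nginx}"
}

# Delete each lineage named on stdin. Set CERTBOT="echo certbot" for a
# dry run, and NGINX_DIR to an alternate config root.
delete_lineages() {
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if lineage_in_use "$name" "${NGINX_DIR:-/etc/nginx}"; then
            echo "skip $name: still referenced under ${NGINX_DIR:-/etc/nginx}" >&2
            continue
        fi
        # "certbot delete" removes live/, archive/ and the renewal config
        # for the lineage, so the renew timer stops requesting it.
        ${CERTBOT:-certbot} delete --non-interactive --cert-name "$name"
    done
}
```

Run it once with `CERTBOT="echo certbot"` to see exactly which lineages would go; the skip message on stderr is the signal that an nginx server block has not been switched to the Origin CA cert yet.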

Okay, I'll delete the Let's Encrypt certs, but I was actually asking about the certs our host has installed. I guess that's the DigiCert previously mentioned, but I'm not sure.

That's something to ask of your hosting service

