Letsencrypt on subdomain

Help
1

I wanted to make subdomains secued by using letsencrypt. however, when while accessing subdomain, I am getting following error

“This server could not prove that it is conquistadorjd.goingplaces.me; its security certificate is from goingplaces.me. This may be caused by a misconfiguration or an attacker intercepting your connection.”

My domain is: goingplaces.me
My web server is (include version): nginx
The operating system my web server runs on is (include version): ubuntu 16.04 and chrome
My hosting provider, if applicable, is: digital ocean
I can login to a root shell on my machine (yes or no, or I don’t know): yes

If i register “conquistadorjd.goingplaces.me” I get similar error for goingplaces.me.
Can you please let me know how to make sub domains also secured ?

2

Put both the subdomain and the domain on the certificate. Since you didn’t answer the questions you were presented when you started this topic, I can’t really tell you how to do that with your client.

3

Unfortunately, if one types things in the text box first and then set the section to "Help", there won't be any questions presented..

@conquistadorjd Here are the questions @danb35 meant, could you fill them in as complete as you can?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

4

@Osiris @danb35 Thanks for your response.
I ran following command and now error is not showing up, however subdomain is not being shown as secured
sudo certbot --nginx -d goingplaces.me -d www.goingplaces.me -d conquistadorjd.goingplaces.me -d www.conquistadorjd.goingplaces.me

2018-08-11%2017-11-26%20lets%20encrypt

I am planning to use this site as multisite, there will be large number of subdomains. I tried to search for subdomain wildcard but could not find much, can you please assist me?

I did use part of the questionnaire, I skipped following questions as these were not relevant
I ran this command:
It produced this output:

5

https://www.whynopadlock.com/results/111369f2-d446-4780-bc8e-5206f6c37d15

1 Like
6

Wildcard-certificates are possible. You have to use dns-01 - challenge, so you should have a dns-provider with an api.

Then you need only one certificate with two names - *.goingplaces.me and goingplaces.me

But you can't create something like ..goingplaces.me, so www.conquistadorjd.goingplaces.me isn't supported.

And fix your mixed content warnings - http -> https. Chrome / FireFox, Ctrl + Shift + I, then select the console.

http :// conquistadorjd . files . wordpress . com / 2013 / 05/img_6200-1.jpg

7

Thanks for your response, is there any step by step guide for wildcard subdmaon registration ?
like the one for this one for letsencrypt for simple domain ?
https://www.techtrekking.net/how-to-add-ssl-and-https-to-wordpress/

and yes, I am fine with *.goingplaces.me , ..goingplaces.me is not required

8

That isn't required.

You have already certificates created. With Certbot? If yes.

  1. Check your Certbot version. Wildcard-certificates need the ACME-protocol v2.
  2. First use the v2 - staging/testsystem.

https://certbot.eff.org/docs/using.html#certbot-commands

If I know it correct, it's enough to define -d *.goingplaces.me as domain name. If there is no other info, Certbot may ask.

Certbot certonly --manual --test-cert -d *.goingplaces.me

9

Thanks @JuergenAuer I followed theinstruction. Added text record but got following error

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. goingplaces.me (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: No TXT record found at _acme-challenge.goingplaces.me

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: goingplaces.me
   Type:   unauthorized
   Detail: No TXT record found at _acme-challenge.goingplaces.me

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address

Not sure if there is delay from domain provider in applying TXT record.

10

I can't find a txt record

_acme-challenge.goingplaces.me
_acme-challenge.goingplaces.me.goingplaces.me (sometimes seen)

And there is no CNAME record with one of these names. Tested local and online.

Can you create a picture of the menu you had used?

11

I guess, this is the main issue but when I added CNAME record in 1. digitalocean and 2.bigrock (domain name reseller) I got following error at txt record

2018-08-19%2019-12-40%20letssencrypt%20error
2018-08-19%2019-12-40%20letssencrypt%20error1158×482 33.1 KB

12

I meant: You don't need a CNAME, but I checked if you had created

_acme-challenge.goingplaces.me as CNAME with the value.

You don't need a CNAME, you need only _acme-challenge.goingplaces.me as TXT entry.

13

You have a long TTL - I use a TTL with 300 seconds (not digitalocean).

But your entries are ok.

Remove the CNAME record with this name.

PS: You have another CNAME which is wrong:

_acme-challenge.goingplaces.me canonical name = goingplaces.me

14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.