Multi level subdomain certificates

Hello, I am currently trying to set up a certificate on a multi-level subdomain of mine, for example:
subdomain1.subdomain2.domain.com. My domain is currently pointing to Cloudflare's name servers and I have set up "subdomain1.subdomain2.domain.com", "subdomain2.domain.com", and "domain.com" to all point to my Debian 12 server's IP address (which are all correctly pointing and working fine). All of the domains are proxied as well.

The command I am running to set up Certbot through Cloudflare, utilizing the associated Cloudflare plugin, is:

certbot -i nginx --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d "subdomain1.subdomain2.domain.com" -d "subdomain2.domain.com" -d "domain.com"

Whenever I run this everything seems to work fine, as it correctly adds the certificates for both subdomain2.domain.com and domain.com, and I can visit the sites without an issue. But for some reason, whenever I visit subdomain1.subdomain2.domain.com it doesn't seem to work, giving me a

Secure Connection Failed

An error occurred during a connection to hello.hello.us-central-1-amazonaws.com. Cannot communicate securely with peer: no common encryption algorithm(s).

Error code: SSL_ERROR_NO_CYPHER_OVERLAP

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

That's a server configuration issue, not a cert problem itself.

Still, check that your cert was issued with all 3 names. Use a tool like this to check your apex domain and then check the SANs section for all the names: SSL Checker. Or, check using https://crt.sh, although it has performed poorly recently.

We'd need to know more about the specifics of your server to help with that. It is not in our normal scope but I am sure someone would give advice on it :slight_smile:

2 Likes

Thx for the reply. I went ahead and checked, and currently it does only show these:
DNS:xx-xxxx-1-xxxxxxxxxxx.com
DNS:*.xx-xxxx-1-xxxxxxxxxxx.com

Total number of SANs: 2

Although when I try to run
certbot -i nginx --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d "example1.example2.xx-xx-1-xxxxxxxx.com" -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer nginx
Requesting a certificate for example1.example2.xx-xx-1-xxxxxxxx.com
An unexpected error occurred:
AttributeError: can't set attribute
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Mind you, this only happens when trying it for multi-level subdomains; if I were to do a singular subdomain or even just the domain it'd work perfectly fine.

Some versions of Certbot gave that error when processing an original error. You may need to update your Certbot.

A cert request for all 3 domains would never produce a cert with just 2 domain names in it. Each Certbot request is a request for a cert. All names must satisfy the challenges or the cert is not issued.

You may be able to find the original error in the Certbot log.

It is very difficult to say much without knowing the actual domain names.

2 Likes

Yeah, this. Also:

When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like

So this is up to the certificate Cloudflare serves, not the certificate your server has?

Cloudflare usually only gets a cert for example.com and *.example.com -- that doesn't work with sub2.sub1.example.com.

There should be a small warning icon about this in your DNS records interface on Cloudflare.

1 Like

Yeah, but would you still not be able to serve the certificates through Certbot even if proxying your domains through Cloudflare? The entire reason I'm trying to use Certbot for this is because of the requirement they have on multi-level subdomains (needing to pay).

You should be able to use the certificate you get if you switch proxying off.

I'm not sure if Cloudflare gets another cert for the fourth-level domain.

1 Like

Cloudflare Universal SSL will issue certificates only for the apex name and one subdomain.

example.com
*.example.com

If you use deeper subdomains, you will need to either set those hostnames to DNS Only, which bypasses the Cloudflare proxy, or you can add an Advanced Certificate Manager subscription.

3 Likes
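The two pieces of advice above (check which names are actually in the served certificate's SAN list, and understand why the Universal SSL pair example.com / *.example.com cannot cover a fourth-level name) can be checked with a small script. This is an added example, not code from the thread or from Certbot or Cloudflare; it implements the standard name-matching rule that a wildcard stands in for exactly one DNS label, which is what makes sub1.sub2.example.com fall outside *.example.com. The SAN list used in the offline demo is constructed to mirror the Universal SSL pair mentioned in the post; `live_sans` is a helper for fetching the SANs actually served by a host and needs network access.

```python
"""Check which hostnames a certificate's Subject Alternative Names cover.

Added example for the thread above (not Certbot's or Cloudflare's code).
It applies the rule that a wildcard may only be the entire left-most label
and matches exactly one label, so "*.example.com" covers
"sub.example.com" but neither "example.com" nor "sub1.sub2.example.com".
"""
import socket
import ssl


def san_matches(hostname: str, san: str) -> bool:
    """Return True if the single SAN entry `san` covers `hostname`.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard
    is honoured only in the form "*.<suffix>" and must absorb exactly one
    non-empty label of the hostname.
    """
    host = hostname.lower().rstrip(".")
    pattern = san.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]  # e.g. ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]  # whatever the '*' would have to absorb
    return bool(leftmost) and "." not in leftmost


def covered_by(hostname: str, sans: list[str]) -> list[str]:
    """Return the SAN entries (if any) that cover `hostname`."""
    return [san for san in sans if san_matches(hostname, san)]


def live_sans(hostname: str, port: int = 443, timeout: float = 5.0) -> list[str]:
    """Fetch the certificate a server presents for `hostname` (using SNI) and
    return its DNS SAN entries. Requires network access; the offline demo
    below does not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed SAN list modelled on the Cloudflare Universal SSL pair.
    universal_ssl_sans = ["example.com", "*.example.com"]
    for name in ("example.com", "sub.example.com", "sub1.sub2.example.com"):
        hits = covered_by(name, universal_ssl_sans)
        status = f"covered by {hits[0]}" if hits else "NOT covered (expect a handshake failure)"
        print(f"{name:28s} {status}")
```

Run it as-is to see the offline verdict for the three name shapes; to compare against what the Cloudflare edge actually serves for one of your names, call `covered_by(name, live_sans(name))` from a machine with network access. An empty result for a proxied fourth-level name matches the symptom in the first post: the edge has no certificate it can present, so the browser reports a failed handshake rather than a certificate mismatch.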

On the Business Plan, you can upload a custom cert obtained externally, but that would be annoying because it's a manual process (unless you automate it with the Cloudflare API). It is $200/month, though, so it's definitely more economical to go with Advanced Certificate (which is $10/month).

2 Likes