Multiple domains on one cert

My domain is:
https://limbo.teamandtech.com / https://api.qa.odd.teamandtech.com

I created a certificate with this list of commands:

  • kong stop
  • sudo certbot certonly --standalone -d api.qa.odd.teamandtech.com -d limbo.teamandtech.com
  • cd /usr/local/kong
  • rm -f kong-default.crt
  • ln -s /etc/letsencrypt/archive/api.qa.odd.teamandtech.com/cert1.pem ./kong-default.crt
  • rm -f kong-default.key
  • ln -s /etc/letsencrypt/archive/api.qa.odd.teamandtech.com/privkey1.pem ./kong-default.key
  • kong start

limbo.teamandtech.com (secondary url) is working as intended, but api.qa.odd.teamandtech.com is giving an error: NET::ERR_CERT_AUTHORITY_INVALID saying connection is not private. Both are intended to be ssl’d and working with https.

My web server is (include version):
nginx / kong

The operating system my web server runs on is (include version):
Ubuntu Xenial

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.31.0

Use the fullchain.pem file instead of your current one

Sorry, in place of privkey1 or cert1?

Hi @keirankozlowski

Checking your domain, you have created some certificates ( https://check-your-website.server-daten.de/?q=api.qa.odd.teamandtech.com#ct-logs ):

CertSpotter-Id | Issuer | not before | not after | Domain names | LE-Duplicate / next LE
966896366 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-06-14 12:38:27 | 2019-09-12 12:38:27 | api.qa.odd.teamandtech.com, limbo.teamandtech.com | - 2 entries duplicate nr. 1
966848302 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-06-14 11:52:07 | 2019-09-12 11:52:07 | api.qa.odd.teamandtech.com | - 1 entries duplicate nr. 3
966831204 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-06-14 11:34:34 | 2019-09-12 11:34:34 | api.qa.odd.teamandtech.com | - 1 entries duplicate nr. 2
963993444 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-06-12 18:55:09 | 2019-09-10 18:55:09 | api.qa.odd.teamandtech.com | - 1 entries duplicate nr. 1

But you don't use one of these, instead, there is a self signed certificate:

CN=localhost, OU=IT Department, O=Kong, L=San Francisco, S=California, C=US
valid from 08.06.2019 to 28.06.2019 (expires in 10 days)

Perhaps try

certbot -d api.qa.odd.teamandtech.com --reinstall -i nginx

to see if Certbot finds the old certificate and installs it.

Or this "kong" system needs additional steps to install a certificate.

It’s not a problem of cert / fullchain. There is a self signed certificate.

Hi Juergen, thanks for your response.

Kong shouldn’t need anything additional; our other QA server is running the same stack and running without issues. Not sure what’s up with this one because there should be no difference between them. I will try this command, one sec.


Yeah the command above doesn’t work because we’re not using the nginx plugin. All of the other certs for our other servers have been generated with standalone. Kong is basically an API gateway / middleware service that sits on top of Nginx. We, or at least I, don’t really touch Nginx itself much anymore.


What says

certbot certificates

It’s only an installation problem. But I don’t know that “Kong”, so I have no idea how to install a certificate.

Found the following certs:
Certificate Name: api.qa.odd.teamandtech.com-0004
Domains: api.qa.odd.teamandtech.com limbo.teamandtech.com
Expiry Date: 2019-09-12 12:38:27+00:00 (VALID: 85 days)
Certificate Path: /etc/letsencrypt/live/api.qa.odd.teamandtech.com-0004/fullchain.pem
Private Key Path: /etc/letsencrypt/live/api.qa.odd.teamandtech.com-0004/privkey.pem
It’s on -0004 because I’ve tried setting this up a few different ways and a few different times now, haha.


Then install it :wink: (post is too small)

Aside from the issue of using fullchain.pem instead, this is going to permanently link your server's cert to a specific issuance, which is going to expire in under 90 days. If you want to do it this way, you should link to the file in /etc/letsencrypt/live/. But you'd be better off using the --fullchain-path and --key-path options to tell certbot to put the fullchain and private key in the desired locations.
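An added check script (not posted by anyone in this thread) that tests a hand-installed certificate link the way the first post's symlink recipe and the reply above call for: it tells cert.pem from fullchain.pem by counting PEM blocks, and it flags links that point into /etc/letsencrypt/archive/ (one fixed issuance) rather than /etc/letsencrypt/live/ (the symlinks certbot updates on renewal). The directory tree and PEM blocks it builds are constructed stand-ins, the host name example.test is made up, and the optional openssl-based comparison of the served certificate against the local file is an assumption of how one would confirm what Kong actually presents.

```shell
#!/bin/sh
# Added example, not code from the thread or from Kong/Certbot.
# Offline checks for a hand-installed certbot certificate link.
# Assumes POSIX sh with grep, readlink and mktemp; served_cert_matches
# additionally needs openssl and network access and is not run by default.

# Number of PEM certificate blocks in a file.
# cert.pem holds only the leaf (1); fullchain.pem holds leaf + intermediate(s) (2 or more).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# 0 when a path is under certbot's stable /live/ directory, 1 otherwise
# (e.g. /archive/, which never changes after renewal).
is_live_path() {
    case "$1" in
        */letsencrypt/live/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify what a server certificate link actually points at. Prints one of:
#   ok                - full chain, via /live/ (follows renewals)
#   leaf-only         - only the end-entity cert (clients see an incomplete chain)
#   copied            - a plain file, not a link: will not follow renewals
#   pinned-to-archive - full chain, but fixed to one issuance in /archive/
#   missing           - link target does not exist
check_cert_link() {
    link="$1"
    hop=$(readlink "$link" 2>/dev/null)        # first hop only: tells live/ from archive/
    target=$(readlink -f "$link" 2>/dev/null)  # fully resolved: tells whether the file exists
    if [ -z "$target" ] || [ ! -f "$target" ]; then echo missing; return 1; fi
    if [ "$(pem_cert_count "$target")" -lt 2 ]; then echo leaf-only; return 1; fi
    if [ -z "$hop" ]; then echo copied; return 1; fi
    # A relative link target is interpreted from the link's own directory.
    case "$hop" in /*) ;; *) hop="$(dirname "$link")/$hop" ;; esac
    if ! is_live_path "$hop"; then echo pinned-to-archive; return 1; fi
    echo ok
}

# Optional online check (needs openssl + network): does the host present the
# leaf certificate from this file? Compares SHA-256 fingerprints.
served_cert_matches() {
    host="$1"; file="$2"
    local_fp=$(openssl x509 -in "$file" -noout -fingerprint -sha256)
    served_fp=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)
    [ -n "$served_fp" ] && [ "$local_fp" = "$served_fp" ]
}

# Constructed sample tree (not real certificates): two fake PEM blocks stand in
# for the leaf and the intermediate, laid out like certbot's live/ -> archive/.
make_demo_tree() {
    root=$(mktemp -d)
    arc="$root/etc/letsencrypt/archive/example.test"
    live="$root/etc/letsencrypt/live/example.test"
    mkdir -p "$arc" "$live"
    leaf='-----BEGIN CERTIFICATE-----
MIIBfakeLEAF
-----END CERTIFICATE-----'
    inter='-----BEGIN CERTIFICATE-----
MIIBfakeINTERMEDIATE
-----END CERTIFICATE-----'
    printf '%s\n' "$leaf" > "$arc/cert1.pem"
    printf '%s\n%s\n' "$leaf" "$inter" > "$arc/fullchain1.pem"
    ln -s ../../archive/example.test/fullchain1.pem "$live/fullchain.pem"
    # Three ways of wiring kong-default.crt, as discussed in the thread:
    ln -s "$arc/cert1.pem"      "$root/crt-leaf"      # first post's recipe
    ln -s "$arc/fullchain1.pem" "$root/crt-archive"   # fullchain, but pinned
    ln -s "$live/fullchain.pem" "$root/crt-live"      # recommended
    echo "$root"
}

# Stand-alone demo over the constructed tree.
# Prints: crt-leaf leaf-only / crt-archive pinned-to-archive / crt-live ok
demo_root=$(make_demo_tree)
for l in crt-leaf crt-archive crt-live; do
    printf '%-12s %s\n' "$l" "$(check_cert_link "$demo_root/$l")"
done
rm -rf "$demo_root"
```

On a real host the call would be `check_cert_link /usr/local/kong/kong-default.crt`; anything other than `ok` means either the chain is incomplete or the link will silently serve an expired certificate once certbot renews. `served_cert_matches api.qa.odd.teamandtech.com /etc/letsencrypt/live/api.qa.odd.teamandtech.com-0004/fullchain.pem` then confirms that the gateway is presenting that file rather than a leftover self-signed certificate.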
