My main domain has SSL and my subdomain doesn't have SSL

I will try :smiley:

No, you can't get a wildcard cert using http validation. But again, why were you trying to use DNS validation in the first place?

4 Likes

Well, tbh I read about DNS validation on the internet; also, it's my first time using certbot.

That ("-0001") is usually a sign of things not going as expected.

What shows?:
certbot certificates

3 Likes

If I can't get a wildcard, can I do something like this?

sudo certbot certonly --manual -d lerg.lt -d www.lerg.lt -d vvp.lerg.lt
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: lerg.lt-0001
    Serial Number: 398cab2e1dcebb120cbe98f935d9c4b46d0
    Key Type: RSA
    Domains: lerg.lt
    Expiry Date: 2023-06-12 20:43:09+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/lerg.lt-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/lerg.lt-0001/privkey.pem
  Certificate Name: lerg.lt
    Serial Number: 45042445548658c11d98d130a2cf1e76f95
    Key Type: RSA
    Domains: lerg.lt www.lerg.lt
    Expiry Date: 2023-06-08 14:32:29+00:00 (VALID: 85 days)
    Certificate Path: /etc/letsencrypt/live/lerg.lt/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/lerg.lt/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Likes

You aren't answering the question, and that's making it hard to help you. If there's a guide you're following, a link would be helpful. If you just decided on your own to do it, why?

Generally speaking, DNS validation is only viable if you're using a DNS host with an API that certbot supports, to allow it to automate changes to the records--and even if you do, it's generally more complicated to work with than HTTP validation. That means that, unless you have a particular need for DNS validation (which would ordinarily be only in cases where you wanted a wildcard cert, or where you wanted a cert for a server that isn't accessible from the public Internet), you shouldn't be using it.

4 Likes

The first cert is pretty much useless:

Let's get rid of that one [if your web server isn't using it], with:
certbot delete --cert-name lerg.lt-0001

Then reshow:
certbot certificates

4 Likes

Well, I deleted that and only have this

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: lerg.lt
    Serial Number: 45042445548658c11d98d130a2cf1e76f95
    Key Type: RSA
    Domains: lerg.lt www.lerg.lt
    Expiry Date: 2023-06-08 14:32:29+00:00 (VALID: 85 days)
    Certificate Path: /etc/letsencrypt/live/lerg.lt/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/lerg.lt/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Likes

Well, I read some random post on the internet on how to do it.

To add to @danb35's pint:
The whole pint of LE is automation [that's why certs are so short-lived (90 days)].
If you aren't going to automate the certificate renewals, you might as well buy a one year cert and only have to be bothered renewing it once a year.

[ Yes, I purposely spelled point as pint - no need to correct me ]

4 Likes

:beer:

2 Likes

Well, I want to get the certificate working first, and later I will consider buying or maybe automating it.

There are 85 days of life left in that one, we should let it live a bit [before killing it - lol]

So, since the content will be different - thus the vhost will also be different, I see no relevant/dire reason to merge the three names onto one cert.

So...
You can probably obtain a single cert for vvp using HTTP-01 authentication [instead of DNS-01] and automate it so that it renews all on its own.
[then on the next renewal, we can do the same for the other cert/two names]
To that end, try:

3 Likes

Maybe you should start by reading some docs. Start here:

...and then:

4 Likes

I stand corrected!
[and first in line at the tap]

2 Likes

Well, I have tried that and am getting this

Challenge failed for domain vvp.lerg.lt
http-01 challenge for vvp.lerg.lt
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: vvp.lerg.lt
   Type:   unauthorized
   Detail: 80.209.237.42: Invalid response from
   http://vvp.lerg.lt/.well-known/acme-challenge/jmOIQ_y9IoGfem1DN-1cPp1X6SQ7PMTTzDUV1jjO3gw:
   400

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

You're not showing the choices made prior to that.

4 Likes

That's the full output:

sudo certbot certonly --manual -d vvp.lerg.lt

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Requesting a certificate for vvp.lerg.lt
Performing the following challenges:
http-01 challenge for vvp.lerg.lt

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

jmOIQ_y9IoGfem1DN-1cPp1X6SQ7PMTTzDUV1jjO3gw.BTYdvn8zv5JjwijnYjvL-ins8n0hk9rW3loEY8biQOY

And make it available on your web server at this URL:

http://vvp.lerg.lt/.well-known/acme-challenge/jmOIQ_y9IoGfem1DN-1cPp1X6SQ7PMTTzDUV1jjO3gw

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Challenge failed for domain vvp.lerg.lt
http-01 challenge for vvp.lerg.lt
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: vvp.lerg.lt
   Type:   unauthorized
   Detail: 80.209.237.42: Invalid response from
   http://vvp.lerg.lt/.well-known/acme-challenge/jmOIQ_y9IoGfem1DN-1cPp1X6SQ7PMTTzDUV1jjO3gw:
   400

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Supplemental information:

$ curl  http://vvp.lerg.lt/.well-known/acme-challenge/sometestfile
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
 Instead use the HTTPS scheme to access this URL, please.<br />
</p>
<hr>
<address>Apache/2.4.54 (Debian) Server at qkqy.c.dedikuoti.lt Port 80</address>
</body></html>
1 Like
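As an added example (not code from the thread or from certbot), here is a small offline pre-flight for the HTTP-01 step shown above: it derives the `<token>.<thumbprint>` key authorization that certbot asks you to place in the challenge file (RFC 7638 thumbprint of the ACME account key) and classifies what the ACME server would see when it fetches the challenge URL, including the Apache "plain HTTP to an SSL-enabled server port" 400 from the curl output. The JWK, token and URL below are constructed placeholders, not the real values from this thread.

```python
import base64
import hashlib
import json

# Constructed sample values (not the real token/thumbprint from the thread).
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-base64url-not-a-real-key"}
SAMPLE_TOKEN = "sampleTokenFromCertbotPrompt"
SAMPLE_URL = f"http://vvp.example/.well-known/acme-challenge/{SAMPLE_TOKEN}"
# Fragment of Apache's 400 body, as seen in the curl output in the thread.
APACHE_TLS_ON_80 = ("<title>400 Bad Request</title>"
                    "Reason: You're speaking plain HTTP to an SSL-enabled server port.")


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required JWK members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The string certbot asks you to put in the challenge file: <token>.<thumbprint>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def diagnose(url: str, status: int, body: str, expected: str) -> str:
    """Classify what the ACME server would see when it fetches the challenge URL."""
    token = url.rsplit("/", 1)[-1]
    if "speaking plain HTTP to an SSL-enabled server port" in body:
        return "tls-on-port-80"      # the Apache misconfiguration in the thread
    if status != 200:
        return f"http-{status}"      # certbot reports this as 'unauthorized'
    body = body.strip()
    if body == expected:
        return "ok"
    if body.startswith(token + "."):
        return "wrong-account-key"   # file was written for a different ACME account
    return "not-a-key-authorization"


if __name__ == "__main__":
    ka = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    print(diagnose(SAMPLE_URL, 400, APACHE_TLS_ON_80, ka))  # tls-on-port-80
    print(diagnose(SAMPLE_URL, 200, ka + "\n", ka))         # ok
```

Feed `diagnose` the status and body you get from a plain `curl` against the challenge URL before pressing Enter in certbot; anything other than `ok` means the ACME server will fail the challenge for the same reason.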