Newly created wildcard SSL w/ Certbot fails to load site

Decided to use a Certbot Let's Encrypt wildcard SSL instead of Comodo for the staging site and created a certificate with ease, added the DNS TXT record and verified it after the command, and all was good. But now the site refuses to load, or all of a sudden only loads www. I need to be able to log in at SMART48.

My domain is: staging.smart48.com

I ran this command:

sudo certbot certonly --manual --email user@site.com --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok -d *.staging.smart48.com

It produced this output:

Use of --manual-public-ip-logging-ok is deprecated.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.staging.smart48.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.staging.smart48.com.

with the following value:

cihILT5oT8iBKGNbBEhzfBCS2vtdncJ12YBkD9Sn5PQ

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.staging.smart48.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/staging.smart48.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/staging.smart48.com/privkey.pem
This certificate expires on 2024-02-06.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version):

nginx -V
nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-zctdR4/nginx-1.18.0=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --add-dynamic-module=/build/nginx-zctdR4/nginx-1.18.0/debian/modules/http-geoip2 --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module

The operating system my web server runs on is (include version):

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.3 LTS
Release:        22.04
Codename:       jammy

My hosting provider, if applicable, is:

transip.nl for DNS and hetzner.com for hosting

I can login to a root shell on my machine (yes or no, or I don't know):

Yes, I can ssh in and run sudo or run commands as root.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No, I use ssh or ploi.io.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot --version
certbot 2.7.4

Part of the nginx config for the site:

...
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name .staging.smart48.com;
    root /home/ploi/staging.smart48.com/current/public;

    # ssl_certificate /etc/nginx/ssl/certificates/staging.smart48.com.crt;
    ssl_certificate /etc/letsencrypt/live/staging.smart48.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/staging.smart48.com/privkey.pem;
    # ssl_certificate_key /etc/nginx/ssl/certificates/staging.smart48.com.key;

    # include /etc/nginx/ssl/staging.smart48.com;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'xxxxx';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    index index.php index.html;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    add_header X-Content-Type-Options "application/json";  # duplicate header; X-Content-Type-Options only accepts "nosniff", so this line has no effect
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    charset utf-8;
...

You probably need to add your root name to the cert too. The wildcard in the cert only covers names with something in place of the asterisk.

So, probably need both

sudo certbot certonly --manual --email user@site.com --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok -d *.staging.smart48.com -d staging.smart48.com

you will get asked to make 2 TXT records (although maybe not the first time since the prior auth may be cached)

4 Likes

Doesn't the use of the leading "dot" imply it will only respond to subdomain names?
OR
Will that also match for "staging.smart48.com"?

That name should be covered by that cert.

3 Likes
sudo certbot certonly --manual --email user@site.com --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok -d *.staging.smart48.com -d staging.smart48.com
[sudo] password for ploi: 
Use of --manual-public-ip-logging-ok is deprecated.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for concept.staging.smart48.com and staging.smart48.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.concept.staging.smart48.com.

with the following value:

XlLhX1b2KeO5dmXchD3-AOJ_30sob_dGiJZtQvtVBFU

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.staging.smart48.com.

with the following value:

IGY8nV8o3Ye--vZg8UXAouoGGBuwIaZR5yw9CqC0OJQ

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.staging.smart48.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/concept.staging.smart48.com-0001/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/concept.staging.smart48.com-0001/privkey.pem
This certificate expires on 2024-02-06.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Replaced the concept.staging.smart48.com wildcard SSL in the nginx file for the concept sites under the staging subdomain. Did sudo nginx -t, all good, so restarted Nginx. But still the error: certificate name does not match input.

As unlikely as this may seem for nginx...
I think you may have a name:port overlap situation.
What shows?:
nginx -T | grep -Ei 'server_name|listen'

2 Likes

Show us the [public] certificate and the input.

And the IP(s) of the nginx server:
curl -4 ifconfig.io
curl -6 ifconfig.io

2 Likes
sudo cat /etc/letsencrypt/live/staging.smart48.com/fullchain.pem;
curl -4 ifconfig.io
91.107.192.217
curl -6 ifconfig.io
2a01:4f8:c012:280f::1

Not that [local] cert - the cert the client is presented.
Like in a browser.

2 Likes

The IPs do match the IPs resolved by that name, so we are in the right place.
As for the [wrong] cert:

2 Likes

Not sure how I do that. Here is a screenshot of when I load the site from a private window using Safari:

sudo nginx -T | grep -Ei 'server_name|listen'
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
        server_names_hash_bucket_size 128;
        # server_name_in_redirect off;
#               listen     localhost:110;
#               listen     localhost:143;
    # listen 80;
    # listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name .concept.staging.smart48.com;
#     listen 80;
#     listen [::]:80;
#     server_name www.concept.staging.smart48.com;
     listen 80;
     listen [::]:80;
     server_name .concept.smart48.com;
fastcgi_param  SERVER_NAME        $server_name;
    server_name _;
    listen       80  default_server;
    listen 443 ssl;
    server_name _;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name .staging.smart48.com;
    listen 80;
    listen [::]:80;
    server_name www.staging.smart48.com;

You are using the short domain name in the URL.
Try:
https://concept.staging.smart48.com/

Based on this:

Try:
https://www.concept.staging.smart48.com/

2 Likes

https://concept.staging.smart48.com does work and the LE SSL certificate is correct. But to access the dashboard I need to go to https://staging.smart48.com/login, and the latter still gives the same error for me as mentioned earlier, meaning the certificate name does not match the input.

Maybe I need to add another server_name for staging as the main subdomain?

This doesn't seem right.
I will remove unused and cross out the irrelevant and split what seems logical and you might see what I mean:

listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name .concept.staging.smart48.com;

listen 80;
listen [::]:80;
server_name .concept.smart48.com;

server_name _;
listen 80 default_server;

listen 443 ssl;
server_name _;

listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name .staging.smart48.com;

listen 80;
listen [::]:80;
server_name www.staging.smart48.com;

With the HTTP[port 80] lines crossed out...
There are only two HTTPS[port 443] sections remaining.

  • server_name .concept.staging.smart48.com;
  • server_name .staging.smart48.com;

Both of which are wildcard certs [that don't include the (base) name shown].

So, yes:

And you need to add [a cert that contains] the name you want to reach.

2 Likes

The name(s) being served and the cert being used should agree on the covered name(s).
You seem to have mishmashed them a bit.
If you need to use:
https://staging.smart48.com/login
Then you will need two things:

  • a cert that covers that name
  • a secure vhost that serves that name [and uses the correct cert]

Note:

"*.example.com" [or written ".example.com"]

and

"example.com"

are two different things.

2 Likes

They do include the base name. That is a documented shorthand for that purpose.

3 Likes

Even if you are right [not doubting that]...
That is only half of the puzzle.
The other half fails to match:

The cert doesn't contain the short name :frowning:

2 Likes
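The two halves of the puzzle side by side, as an added example that is not part of the thread: nginx's documented server_name rule (a leading dot matches the name itself and all of its subdomains) against the TLS client's certificate rule (a `*` in a SAN stands for exactly one label, so `*.staging.smart48.com` never covers `staging.smart48.com`). The vhost names and SAN lists are the ones shown in the thread; the function names are my own.

```python
# Added example (not from the thread): compare how nginx picks a vhost with
# how a TLS client checks the certificate, for the names in this thread.
# nginx rule: a leading dot in server_name matches the name itself and all
# subdomains; "*.x" matches only names with at least one extra label.
# TLS client rule (RFC 6125): a "*" stands for exactly one leftmost label,
# so "*.staging.smart48.com" covers concept.staging.smart48.com but neither
# staging.smart48.com nor www.concept.staging.smart48.com.

def nginx_server_name_matches(pattern: str, host: str) -> bool:
    """True if nginx would route `host` to a vhost declaring `pattern`."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):            # ".staging.smart48.com"
        return host == pattern[1:] or host.endswith(pattern)
    if pattern.startswith("*."):           # "*.staging.smart48.com"
        return host.endswith(pattern[1:])
    return host == pattern                 # exact name


def cert_name_covers(san: str, host: str) -> bool:
    """True if a browser would accept SAN entry `san` for `host`."""
    host, san = host.lower().rstrip("."), san.lower()
    if not san.startswith("*."):
        return host == san
    # the wildcard must replace exactly one non-empty leftmost label
    return (host.endswith(san[1:])
            and host.count(".") == san.count(".")
            and not host.startswith("."))


def diagnose(host: str, server_names: list, sans: list) -> tuple:
    """Return (vhost found, cert valid) for a request to `host`."""
    vhost_ok = any(nginx_server_name_matches(p, host) for p in server_names)
    cert_ok = any(cert_name_covers(s, host) for s in sans)
    return vhost_ok, cert_ok


# Names taken from the thread: the two HTTPS vhosts, the SAN list of the
# first (wildcard-only) certificate, and the SAN list with the base name.
SERVER_NAMES = [".staging.smart48.com", ".concept.staging.smart48.com"]
WILDCARD_ONLY = ["*.staging.smart48.com"]
WITH_BASE = ["*.staging.smart48.com", "staging.smart48.com"]

if __name__ == "__main__":
    for host in ("staging.smart48.com", "concept.staging.smart48.com"):
        print(host, "wildcard-only cert:", diagnose(host, SERVER_NAMES, WILDCARD_ONLY))
        print(host, "with base name:   ", diagnose(host, SERVER_NAMES, WITH_BASE))
```

Note also that an unquoted `-d *.staging.smart48.com` is subject to shell globbing: if the working directory contains an entry named like `concept.staging.smart48.com`, the shell substitutes it before certbot runs, which would produce a request for that name instead of the wildcard; quoting the argument (`-d '*.staging.smart48.com'`) avoids this.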

What shows?:

certbot certificates

[post #5 made it seem like a new cert was obtained that included the base domain name]

Where did this cert go?:
crt.sh | 11032688762
"-000x" ?

2 Likes

Makes me wonder why the short name was not added, and as for the new *.concept.staging.smart48.com certificate, well, that came up when I ran

sudo certbot certonly --manual --email user@site.com --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok -d *.staging.smart48.com -d staging.smart48.com

it did show

...
Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/concept.staging.smart48.com-0001/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/concept.staging.smart48.com-0001/privkey.pem
This certificate expires on 2024-02-06.
These files will be updated when the certificate renews.
...

Not sure why Certbot wanted to add one for *.concept.staging.smart48.com .. that LE SSL was fine. I only had the expired *.staging.smart48.com.

That is NOT the cert name being used by nginx.

2 Likes