Nginx: Ignoring internal DNS names

Hi,

I run a family of several domains for a platform authored by my employer; however we use a DNS name which breaks certbot’s autorenewal process (beause I don’t want to publish this subdomain publicly), meaning it gives NXDOMAIN whenever I try to renew my domains.

My question is this- can I get certbot to skip (or outright ignore) this domain, so I can get auto-renewal set up correctly?

Thanks!

Hi @lighth7015,

Certbot’s autorenewal is only based on the content of existing certificates. Did you previously have a valid certificate for that subdomain?

Hi,

No, it’s always wanted to try and include it, for as long as I’ve had that subdomain. Can I configure it to skip that somehow?

Can you please show the Certbot command you’re running and the output? I don’t quite understand how this could happen.

You can change the domain name to example.com and the subdomain to subdomain.example.com if you’d like.

I’m simply using certbot renew; it’s always wanted to include the subdomains olympus.medaccessrx.com and my.hpprx.com in the certificates. I have to specifically run the renewal process and exclude both of those each time, preventing the certificate from automatically updating each month.

Could you show us the output of certbot certificates as well?

According to crt.sh, you do have those names included in a valid certificate:

https://crt.sh/?id=1310307842

Found the following certs:
  Certificate Name: aslselectrx.com
    Domains: aslselectrx.com fddpreferred.com hsaselectrx.com medaccessrx.com my.fddpreferred.com my.medaccessrx.com otselectrx.com prohospitalityrx.com prorealtorrx.com tempservicesrx.com www.aslselectrx.com www.fddpreferred.com www.hsaselectrx.com www.medaccessrx.com www.otselectrx.com www.prohospitalityrx.com www.prorealtorrx.com www.tempservicesrx.com
    Expiry Date: 2019-10-31 17:12:13+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/aslselectrx.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/aslselectrx.com/privkey.pem
  Certificate Name: fddpreferred.com
    Domains: fddpreferred.com medaccessrx.com my.hpprx.com olympus.medaccessrx.com www.fddpreferred.com www.medaccessrx.com
    Expiry Date: 2019-06-15 17:55:48+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/fddpreferred.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/fddpreferred.com/privkey.pem
  Certificate Name: medaccessrx.com
    Domains: my.hpprx.com medaccessrx.com olympus.medaccessrx.com www.medaccessrx.com
    Expiry Date: 2018-12-23 17:22:12+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/medaccessrx.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/medaccessrx.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Huh, yeah- there they are. I don’t get how they got included.

They don’t have external DNS names, though. It’s for a service over a VPN. So…? Also, my.hpprx.com shouldn’t be hosted on that server. Can I remove those names from the certificate?

In this case the appropriate solution is to re-issue these certificate without the undesired names:

certbot certonly --cert-name fddpreferred.com -d fddpreferred.com -d medaccessrx.com -d www.fddpreferred.com -d www.medaccessrx.com

(this is assuming that you would still like the medaccessrx.com domain to be covered by the fddpreferred.com certificate, which perhaps you don’t)

and

certbot certonly --cert-name medaccessrx.com -d medaccessrx.com -d www.medaccessrx.com

Once the certificates have been successfully re-issued without the non-public names, the certbot renew command will not try to cover those names for future renewals.

You need the --cert-name and the existing certificate name in order to cause Certbot to know it should re-issue and replace the certificate that it’s tracking (otherwise you get a kind of ugly and potentially confusing -0001 duplicate certificate with the new set of names).

I think that fixed it. Certbot can now automatically run whenever it’s time to renew and keep all of these domains updated. :smiley:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.