Not Secure after certificate was issued

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: welooop.com

I ran this command: sudo certbot certonly --manual --preferred-challenges=dns \
--email welooop@welooop.com \
--server https://acme-v02.api.letsencrypt.org/directory \
--work-dir=. --config-dir=. --logs-dir=. \
--agree-tos \
-d '*.welooop.com'

It produced this output: completed successfully

My web server is (include version): I don't know

The operating system my web server runs on is (include version): I don't know

My hosting provider, if applicable, is: Oracle Cloud Infrastructure

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.2

Sorry, really new here... Please help, really appreciate it:

I issued this cmd:
sudo certbot certonly --manual --preferred-challenges=dns \
--email welooop@welooop.com \
--server https://acme-v02.api.letsencrypt.org/directory \
--work-dir=. --config-dir=. --logs-dir=. \
--agree-tos \
-d '*.welooop.com'

Everything went OK, but when I went to
https://welooop.com/ords/apex ==> it says "Not Secure"
Then:
This server could not prove that it is welooop.com; its security certificate is from *.welooop.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

It seems like I should really issue:
"-d welooop.com,*.welooop.com"
instead of "-d *.welooop.com"
in the command mentioned above.

How do I fix this? I am not familiar with this area, please provide exact syntax.

Thank you! Thank you!! Thank you!!!

WeLooop

1 Like
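The browser error above is the wildcard rule at work: a `*` in a certificate name stands for exactly one leftmost label, so `*.welooop.com` never covers the bare `welooop.com`. This added example (not from the thread or from Certbot) implements that rule and lists the names a given `-d` list would still leave uncovered.

```python
"""Does a certificate's SAN list cover a hostname? Added example, not from
the thread: it applies the wildcard rule for DNS names in certificates
(RFC 6125 section 6.4.3). A '*' stands for exactly one leftmost label, so
'*.welooop.com' covers 'www.welooop.com' but not 'welooop.com' itself,
which is exactly what the browser error above reports.
"""


def _labels(name: str) -> list[str]:
    """Lower-case, drop a trailing dot, split into DNS labels."""
    return name.lower().rstrip(".").split(".")


def san_matches(san: str, hostname: str) -> bool:
    """True if the dNSName SAN entry `san` covers `hostname`."""
    san_labels, host_labels = _labels(san), _labels(hostname)
    if san_labels[0] != "*":
        # Plain name: exact, case-insensitive match of every label.
        return san_labels == host_labels
    # Wildcard: needs at least two labels after '*' (no '*' or '*.com'),
    # and it replaces exactly one label, so the label counts must agree.
    if len(san_labels) < 3 or len(host_labels) != len(san_labels):
        return False
    # Every label to the right of the '*' must match exactly.
    return san_labels[1:] == host_labels[1:]


def certificate_covers(sans: list[str], hostname: str) -> bool:
    """True if at least one SAN covers `hostname`."""
    return any(san_matches(san, hostname) for san in sans)


def missing_names(sans: list[str], hostnames: list[str]) -> list[str]:
    """Served hostnames no SAN covers: the names still to add with -d."""
    return [h for h in hostnames if not certificate_covers(sans, h)]


if __name__ == "__main__":
    served = ["welooop.com", "www.welooop.com", "a.b.welooop.com"]
    # Certificate from the first command in the post: wildcard only.
    print(missing_names(["*.welooop.com"], served))
    # -> ['welooop.com', 'a.b.welooop.com']
    # Certificate from the corrected -d list.
    print(missing_names(["welooop.com", "*.welooop.com"], served))
    # -> ['a.b.welooop.com']
```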

Correct.

3 Likes

Hi, Osiris,

Thank you! How do I fix it? Please help, thank you! Truly appreciate it.

2 Likes

You re-run the command with the -d option as you show it. Otherwise, please explain what new thing needs fixing.

4 Likes

Oh, I thought there would be some command like:
"please add welooop.com to the certificate issued to *.welooop.com"
If this method existed, then I wouldn't worry about reconfiguring my load balancer in Oracle Cloud.

If the method doesn't exist, then I can certainly issue a new command:
sudo certbot certonly --manual --preferred-challenges=dns \
--email welooop@welooop.com \
--server https://acme-v02.api.letsencrypt.org/directory \
--work-dir=. --config-dir=. --logs-dir=. \
--agree-tos \
-d 'welooop.com,*.welooop.com'
Then I get a new (and second) certificate, do the validation again, and upload the new certificate to Oracle Cloud; that's all fine. I just want to make sure of the best way of doing it.

If I get the second certificate which covers welooop.com and *.welooop.com, what do I do with the first certificate? Just let it expire?

I am new to SSL certificates; sorry for the silly questions. Really appreciate your help!

WeLooop

Unfortunately not.

Your Certbot should recognise the already existing certificate for welooop.com and ask you if you'd want to update the existing certificate by adding the wildcard hostname. If it doesn't, you can use --cert-name to "overwrite" the already existing certificate.

When modifying an existing certificate, you always get a brand new certificate. So one way or another, you're always required to upload the new certificate to Oracle Cloud. The cert already existing in Oracle Cloud cannot be updated magically somehow, that requires re-uploading a (new and updated) cert.

4 Likes

Thank you! Thank you!! Let me try and I will report back to you soon.

4 Likes

Keep in mind the certs expire in 90 days and Let's Encrypt recommend renewing 30 days before expiry. So, you'll need to repeat this every 60 days or so.

Some method other than --manual is best to automate renewals. If you can't automate with your DNS provider you could switch to one that supports an API for that.

And, yes, you just let old certs expire.

3 Likes

It's also possible to add a CNAME for _acme-challenge pointing to a hostname with a different domain which is hosted on a DNS provider with easy automation (e.g. acme-dns), or even an NS record pointing e.g. to Cloudflare. You'd need to add your domain to Cloudflare too, but wouldn't necessarily switch entirely. Just add the domain to Cloudflare, authenticate it somehow (dunno what CF requires for that exactly) and not use Cloudflare's nameservers for the entire domain (i.e.: don't add the CF nameservers to the "upstream" TLD nameservers), but only use the CF nameservers for the _acme-challenge subdomain in NS records.

That said, if Oracle Cloud doesn't offer any automated way to update the certificate, the entire process wouldn't be automatable anyway.

4 Likes

Wow, Yahoooooo... It worked! But let me document what happened, followed by new questions.

I issued:

sudo certbot certonly --manual --preferred-challenges=dns \
--email welooop@welooop.com \
--server https://acme-v02.api.letsencrypt.org/directory \
--work-dir=. --config-dir=. --logs-dir=. \
--agree-tos \
-d 'welooop.com,*.welooop.com'

I got:

Saving debug log to /home/ubuntu/archive/welooop.com/letsencrypt.log


Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.


(Y)es/(N)o: Y
Account registered.
Requesting a certificate for welooop.com and *.welooop.com


Please deploy a DNS TXT record under the name:
_acme-challenge.welooop.com.
with the following value:
UVXbHCjJGno7wsV9hP9P...Rs0gZZvHc


Press Enter to Continue

So I went to my Domain Admin -- "Google Domains". Two things here:
(1) Record name: it says "_acme-challenge.welooop.com." The ending period "." should not be there; otherwise Google Domains says "invalid".
(2) The record name I typed into Google Domains should be "_acme-challenge"; if I copy and paste "_acme-challenge.welooop.com", it becomes "_acme-challenge.welooop.com.welooop.com".
I found those two things out yesterday. OK, move on.

I couldn't save 2 records with the same record name, so before I saved the new one, I deleted the old one yesterday, which was for verifying "*.welooop.com", but when I pressed Enter to continue, I got:

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: Dig (DNS lookup).
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

Duh, why didn't you say so in the first place? But anyway I couldn't save 2 records with the same name. Apparently it failed.

Then it failed one more time, and it succeeded on the third try. Then I uploaded the certificate to Oracle Cloud... from there it worked like a charm...

Thank you a million!

I will have a question shortly...

2 Likes
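The two snags in the post above (Certbot's absolute record name versus the zone editor's relative label, and two TXT records needing to coexist at the same name) can be modelled offline. This is an added example, not from the thread or from Certbot; the zone name and the TXT answer set are constructed.

```python
"""Helpers for the dns-01 TXT step described in the post above (added
example, not from the thread or from Certbot). Certbot prints an absolute
name with a trailing dot while a zone editor wants a zone-relative label,
and 'welooop.com' plus '*.welooop.com' both validate at the same name, so
two TXT records with that name must coexist.
"""

ZONE = "welooop.com"  # the zone managed in the DNS provider's UI


def relative_name(fqdn: str, zone: str = ZONE) -> str:
    """Certbot's absolute record name -> zone-relative label ('@' = apex).

    Raises ValueError for a name that is not inside the zone.
    """
    name = fqdn.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    if name == zone:
        return "@"
    suffix = "." + zone
    if not name.endswith(suffix):
        raise ValueError(f"{fqdn!r} is not inside zone {zone!r}")
    return name[: -len(suffix)]


def name_as_saved(entered: str, zone: str = ZONE) -> str:
    """Name a relative-name zone editor stores for the text typed into it;
    without a trailing dot it appends the zone, hence the doubled suffix."""
    if entered.endswith("."):
        return entered.rstrip(".").lower()
    return f"{entered}.{zone}".lower()


def missing_tokens(txt_answers: list[str], expected: list[str]) -> list[str]:
    """Tokens Certbot asked for that are absent from the TXT answer set;
    several TXT records may share one name, so check the whole set."""
    present = {a.strip('"') for a in txt_answers}
    return [t for t in expected if t not in present]


if __name__ == "__main__":
    print(relative_name("_acme-challenge.welooop.com."))  # _acme-challenge
    print(name_as_saved("_acme-challenge.welooop.com"))   # zone doubled
    # Constructed TXT answer set: only the wildcard's token was kept.
    answers = ['"TOKEN-FOR-WILDCARD-constructed"']
    print(missing_tokens(answers, ["TOKEN-FOR-APEX-constructed",
                                   "TOKEN-FOR-WILDCARD-constructed"]))
```

Run the `missing_tokens` check against the live TXT answer (e.g. from dig, as the Certbot prompt suggests) before pressing Enter, so both tokens are confirmed present rather than discovered missing after a failed validation.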

Regarding auto renewal:
On the Let's Encrypt side, the command I used was with "--manual"; would it be automatic if I omitted "--manual"? Or is there another switch, "--automatic"?

If the answer is no, is the link (using cron job) below a good way to renew?

You have a great point that if Oracle Cloud doesn't supply a way, then the whole thing wouldn't be automatic. I don't know the answer to that; I will check with Oracle Cloud.

Thank you for your answer!!!

1 Like

Can't you place two values for that same TXT record? I don't use Google Domains myself, but I'm pretty sure you can.

It worked after several tries because authentications for a domain for a specific requesting account are cached for 30 days. So, one of your earlier tries was successful for just one and a later try for the other.

3 Likes

No, the whole thing wouldn't be automatic w/out Oracle Cloud interaction but automating the cert renewal without manually updating TXT records has value.

3 Likes

Good point, I didn't realize that. I will try next time.

Nope. Certbot wouldn't know how to re-do the challenges, which is required for renewing. So nothing automatic unless you actually instruct Certbot with something which is actually automatable. And the dns-01 challenge is relatively hard to automate, as not every DNS provider has an API to automate the adding and removing of the token.

Which begs the question: do you actually need the wildcard?

No, the manual plugin cannot use the certbot renew function, as that would require Certbot to run without user input, while the manual plugin (without hooks) requires user input. So those two are mutually exclusive.

3 Likes

Yes, absolutely, so next time I issue the same cmd without the "--manual" switch?

What I meant was: after today's manual certificate expires, I will get a new certificate, using the cmd I used today but without the "--manual" switch, then use the cron job mentioned in the link to renew? Even though it is called "renewal", it is actually a new certificate, then there is a need to upload (or so-called "update") to Oracle; am I thinking about it the right way?

That's not possible. When using --manual (without hooks), the only way to "renew" the certificate is by running the exact same command, with --manual, again.

This part you're correct.

4 Likes

This is the section of Certbot docs related to DNS plug-ins.
Each plug-in has further instructions in its config and certbot commands.
https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins

But, as Osiris noted, if you don't need a wildcard you could use the HTTP Challenge instead (probably). This is usually easier. The HTTP Challenge requires port 80 to be available to a webserver, which you don't have at the moment (your port 80 looks blocked by a firewall or something). Without a wildcard you just list the specific domain names you need with the -d option.

3 Likes