Not sure what I have done wrong

Just got a wildcard cert for domain; www works, root domain does not?
This works

This does not work

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version): Apache 2.4.6

The operating system my web server runs on is (include version): CentOS 7.6.18

My hosting provider, if applicable, is: Blue Sky Hosting Ltd

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot-auto 0.34.2

Hi @BlueSky

checking your domain via

You have correct DNS entries:

Host T IP-Address is auth. ∑ Queries ∑ Timeout
A yes 1 0
AAAA yes
A yes 1 0
AAAA yes

Your www works, your non-www not, you don't have redirects (you should add):

Domainname Http-Status redirect Sec. G
200 0.070 H
200 0.070 H
200 0.657 N Certificate error: RemoteCertificateNameMismatch
200 0.453 B

The reason:

expires in 90 days	* - 1 entry

A wildcard domain name doesn't work with the non-www version.

Create one certificate with both domain names:

certbot [yourOtherparameters] -d * -d

and use that.

You have only one LE-certificate

CertSpotter-Id Issuer not before not after Domain names LE-Duplicate next LE
937266243 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 2019-05-29 09:06:34 2019-08-27 09:06:34 * - 1 entries duplicate nr. 1
645801994 CN=CloudFlare Inc ECC CA-2, O="CloudFlare, Inc.", L=San Francisco, C=US, ST=CA 2018-11-27 00:00:00 2019-11-27 12:00:00 *,, - 3 entries

So there is no problem with a limit.

If you use --manual, you have to create two identical domain names with different values.

9. TXT - Entries

Domainname TXT Entry Status ∑ Queries ∑ Timeout
ca3-a57e2f7d3bff47b58ba6ea0d4e5e3336 ok 1 0
ok 1 0
BvckXclllBBSOAeNCaC9u7uovci5RMMBj1asGWdCWgA looks good 1 0

The same name _acme-challenge, but a different value.

PS: Your chain is wrong:

Chain - incomplete	
	1	CN=*
	2	CN=ISRG Root X1, O=Internet Security Research Group, C=US
	3	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
	4	CN=DST Root CA X3, O=Digital Signature Trust Co.

Your server should only send 1 + 3, not a root certificate.

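The name mismatch explained in the answer above, as an added example that is not part of the original thread: a small matcher that applies the usual wildcard rule (the `*` stands for exactly one leftmost label) to a certificate's name list and reports which served hostnames still need their own `-d` value. The `example.com` names and the function names are assumptions, since the thread's real domain is not shown.

```python
# Added example: which hostnames does a certificate's SAN list cover?
# example.com names are constructed placeholders, not the thread's domain.

def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' is honoured only as the whole leftmost
    label and stands for exactly one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        # '*.example.com' has three labels, 'example.com' has two
        return False
    if p_labels[0] == "*":
        # the wildcard needs a non-empty label; the rest must match exactly
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def coverage(sans, hostnames):
    """Map each hostname to the SAN entry that covers it, or None."""
    return {h: next((s for s in sans if san_matches(s, h)), None)
            for h in hostnames}


def missing_d_args(sans, hostnames):
    """Hostnames that no SAN covers, i.e. names to add as extra -d values."""
    return [h for h, s in coverage(sans, hostnames).items() if s is None]


if __name__ == "__main__":
    served = ["example.com", "www.example.com", "a.b.example.com"]
    cases = [("wildcard only", ["*.example.com"]),
             ("wildcard + apex", ["*.example.com", "example.com"])]
    for label, sans in cases:
        print(label)
        for host, san in coverage(sans, served).items():
            status = f"covered by {san}" if san else "NAME MISMATCH"
            print(f"  {host:18} {status}")
```
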


Many thanks. Have it working now.

