Just got a wildcard cert for domain: www works, root domain does not?
This works
https://www.fullymanagedhosting.com/
This does not work
https://fullymanagedhosting.com/
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com ), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: fullymanagedhosting.com
I ran this command:
It produced this output:
My web server is (include version): Apache 2.4.6
The operating system my web server runs on is (include version): CentOS 7.6.18
My hosting provider, if applicable, is: Blue Sky Hosting Ltd
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot-auto 0.34.2
Hi @BlueSky
checking your domain via https://check-your-website.server-daten.de/?q=fullymanagedhosting.com
You have correct DNS entries:
Your www works, your non-www not, you don't have redirects (you should add):
The reason:
CN=*.fullymanagedhosting.com | 29.05.2019 | 27.08.2019 | expires in 90 days | *.fullymanagedhosting.com - 1 entry
A wildcard domain name doesn't work with the non-www version.
Create one certificate with both domain names:
certbot [yourOtherparameters] -d *.fullymanagedhosting.com -d fullymanagedhosting.com
and use that.
You have only one LE-certificate

| CertSpotter-Id | Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|---|
| 937266243 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-05-29 09:06:34 | 2019-08-27 09:06:34 | *.fullymanagedhosting.com - 1 entries | duplicate nr. 1 | |
| 645801994 | CN=CloudFlare Inc ECC CA-2, O="CloudFlare, Inc.", L=San Francisco, C=US, ST=CA | 2018-11-27 00:00:00 | 2019-11-27 12:00:00 | *.fullymanagedhosting.com, fullymanagedhosting.com, sni.cloudflaressl.com - 3 entries | | |
So there is no problem with a limit.
If you use --manual, you have to create two identical domain names with different values.
9. TXT - Entries
The same name _acme-challenge, but a different value.
PS: Your chain is wrong:
Chain - incomplete
1 CN=*.fullymanagedhosting.com
2 CN=ISRG Root X1, O=Internet Security Research Group, C=US
3 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
4 CN=DST Root CA X3, O=Digital Signature Trust Co.
Your server should only send 1 + 3, not a root certificate.
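The matching rule behind the answer above, as an added example that is not part of the original posts or of Certbot: a wildcard SAN stands for exactly one left-most label, so `*.fullymanagedhosting.com` covers `www` but not the bare domain. The SAN lists are the ones named in the thread; the third hostname is constructed for illustration.

```python
# Added example: hostname matching against a certificate's SAN dNSName entries,
# following the RFC 6125 wildcard rules that TLS clients apply.

def san_matches(host: str, san: str) -> bool:
    """Return True if a single SAN dNSName entry covers the given hostname."""
    host_labels = host.lower().rstrip(".").split(".")
    san_labels = san.lower().rstrip(".").split(".")
    # A wildcard replaces exactly one label, so the label counts must be equal.
    # This is why *.example.com never covers the apex example.com.
    if len(host_labels) != len(san_labels):
        return False
    if san_labels[0] == "*":
        # Only a whole left-most label may be a wildcard; the rest must be identical.
        return bool(host_labels[0]) and host_labels[1:] == san_labels[1:]
    # No wildcard: plain case-insensitive comparison.
    return host_labels == san_labels


def uncovered(hosts, sans):
    """Return the hostnames that no SAN entry covers (these produce browser errors)."""
    return [h for h in hosts if not any(san_matches(h, s) for s in sans)]


# SAN list of the certificate that was issued first (wildcard only).
LE_WILDCARD_ONLY = ["*.fullymanagedhosting.com"]
# SAN list after reissuing with both -d values, as suggested in the reply.
BOTH_NAMES = ["*.fullymanagedhosting.com", "fullymanagedhosting.com"]
# Hostnames to check; the last one is a constructed multi-level name.
SITE_HOSTS = [
    "www.fullymanagedhosting.com",
    "fullymanagedhosting.com",
    "a.b.fullymanagedhosting.com",
]

if __name__ == "__main__":
    for label, sans in (("wildcard only", LE_WILDCARD_ONLY), ("both names", BOTH_NAMES)):
        print(f"{label}: not covered -> {uncovered(SITE_HOSTS, sans)}")
```

The same check shows that a two-level name such as the constructed `a.b.` host stays uncovered even after both names are on the certificate.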
Hi
Many thanks. Have it working now.
system closed June 28, 2019, 11:41am
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.