Only being issued with cert with example.org

weiyentan · February 10, 2021, 3:11am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
Some of the domains that I have are is
https://kibana.tanscloud.com
I ran this command:
I use letsencrypt in a container that has traefik and it is producing certificates with example.org. and it is not being validated by letsencrypt.
It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
I'm hosting my own
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): i use traefik in kubernetes which has the letsencrypt in traefik.

I am wondering whether this is because of the issue that is going at the moment with the secondary certvalidation?

In my attempts to troubleshoot it I attempted to rename the acme.json. I wonder if I have caused an issue to get a new cert? Many thanks.

rg305 · February 10, 2021, 3:19am

I see that "traefik" responds to http and https.
I'm not too familiar with it.
Can you show the configuration, and how it handles certificates?

weiyentan · February 10, 2021, 4:01am

Thank you for the reply.

I do get a certificate but it is issued from example.org.

My setting are:
[ping]
entryPoint = "http"
[kubernetes]
[traefikLog]
format = "json"
[acme]
KeyType = "RSA4096"
email = "xxxxxxx@gmail.com"
storage = "/acme/acme.json"
entryPoint = "https"
onHostRule = true
acmeLogging = true
[acme.httpChallenge]

We just supply an ingress and Lets Encrypt handles the rest. I did however create a wrong host entry on the ingress and because I use http challenge I may have triggered a setting or something?

weiyentan · February 10, 2021, 4:20am

So I restored my previous acme.json as i have a backup. My existing certificates that were generated previously are now working, but any new certs are now having issues.....

rg305 · February 10, 2021, 4:56am

Can you show how traefik handles the inbound http and https requests?

weiyentan · February 10, 2021, 7:55am

I am still picking it up myself but Here is a diagram on how it works. I have a router that portforwards 443 and 80 to traefik. everytime I create a ingress for my container in kubernetes traefik creates a frontend. As soon as traefik creates the front end letsencrypt spins up a certificate and does it magic and authentication.

I am getting a certificate but it is being signed by example.org instead of my my domain name.

weiyentan · February 10, 2021, 8:18am

I wonder if it is related to this?

rg305 · February 10, 2021, 8:22am

LOVE the diagram!

That degradation can't possibly cause traefik to serve the wrong cert.
That said, I dont see the wrong cert:
openssl s_client -connect kibana.tanscloud.com:443 -servername kibana.tanscloud.com
returns:

CONNECTED(00000190)
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
Server did acknowledge servername extension.
---
Certificate chain
 0 s:/CN=kibana.tanscloud.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGMDCCBRigAwIBAgISBCvL02vuFPsoMlsvDhnDcXfWMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMDEyMjQyMTA5MzNaFw0yMTAzMjQyMTA5MzNaMB8xHTAbBgNVBAMT
FGtpYmFuYS50YW5zY2xvdWQuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
CgKCAgEAySmSuc+nS0nYJVodLtE0jBiRUNVEMVY74GRSMcg0rD07qlUTV1V23pUM
1xm/OJM4I/vqLVCFDpmfznn7bWmxzEw+KqTnsgRa32pNTBvk+T1McKbA8QOCUZLP
d2urkXjb3dck7kbyAT0C2g7yXtdqvz4HfL5nEstoPk8UqxJ6R1FAfHw0COCGxtxA
OSTrpcuMb2rOwQZJduXeLbowJo4ISdHsuKrIjnXEO3ejAFyoxcHKLfdGIAavrvnG
REQWYL5cnRDM03DwVGKBQ0FN2/72DMXcEm+TZyjUsleNgiAclWlV6X4E4j95gzxw
6SDmf1J0lYZxJWdMkthBtYhHHtR7MPkc7A7EyzNlx6nqQIjYt6Au8TQwhQhBW9WL
K/PYJ5v0NujckCypr4/w6rkxJI0UO6Kv8XxnZao5m8SZuu5t3nKtMQ236BaCvoSX
9ZLZDjh74AAaLEkM9FI34xvzHs+V0caAbv5Qsud8NA6hsy1vsIpfg8i5p+8tbIR7
xaUD4I892UMLn6dI8eC5RwL3kiYaIMmACxXY1+e1r8qwX1Ht8GgoV3USowp0pFeU
sLMYshmkFHoXwlCJMeFTsi/jxWnlCV7tiaA3AAGWKLp35gaYgDX6qt+psakaPodg
CXRhCN3Fpp7V1H4xbGrXXWsbHVA3mBM0xM81R5ivl5TvZAs7bD8CAwEAAaOCAlEw
ggJNMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
AwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU/RLPNR8LnaiGRZDdoay91BwUBOgw
HwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBH
MCEGCCsGAQUFBzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKG
Fmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8wHwYDVR0RBBgwFoIUa2liYW5hLnRhbnNj
bG91ZC5jb20wTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAm
BggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEGBgorBgEE
AdZ5AgQCBIH3BIH0APIAdwCUILwejtWNbIhzH4KLIiwN0dpNXmxPlD1h204vWE2i
wgAAAXaWzM9wAAAEAwBIMEYCIQDtAUAA4R4IHvf0HLCAVOpDXa5L4x13oUSSPwmV
EdRfkgIhAJpnz9pmZBlw7VYF/Enf+WfnAyM3GKnXJBT2LMiG8y+1AHcAfT7y+I//
iFVoJMLAyp5SiXkrxQ54CX8uapdomX4i8NcAAAF2lszPlwAABAMASDBGAiEA3LQO
rwJp8qzrodlK0bl2xEcFM72FjhXdN87dpRSru+4CIQDF+bA7g1I36KasVc03NpuE
IsRsn5d2QuNoo56W38h8OjANBgkqhkiG9w0BAQsFAAOCAQEACxhV84ItAQ40XbMw
UF7qNCsnoc8bgN4aJH8rkLLt2wC86atc40tT1fqsXzaCNkij1qbfeUnIO6Rr+siL
W2JM0TX1eYHwnwivySrbqebha/ZGUtDAEeqSmksu5YNjYyJKyDTn3+dGdxnABr1x
w2/SAELG7+6jdlVUz18qN3W5qkJ75bUBU8jbV46OqUhQvr2QNI2iep7D+vkG5z/q
DVppOK/iRGm71BiSy7SXF0KFMP67TDhXRFQLgQyHYMYnRL498Fjtupxbvqjq7CZA
b6vGWPx5xYRI0nGIjKkuDNBM1Hd9YC8Vv6/46uF7/o8ZjV1rUeKLae4uKkcLxEwM
jW8umw==
-----END CERTIFICATE-----
subject=/CN=kibana.tanscloud.com
issuer=/C=US/O=Let's Encrypt/CN=R3
---
...

rg305 · February 10, 2021, 8:24am

I do see the *.example.com only when SNI is NOT used [or a unmatched SNI name is used]:
Like:
openssl s_client -connect kibana.tanscloud.com:443 -servername non.existent.domain

openssl s_client -connect kibana.tanscloud.com:443
CONNECTED(00000190)
depth=0 C = US, ST = Colorado, L = Boulder, O = ExampleCorp, OU = IT, CN = *.example.com, emailAddress = admin@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = Colorado, L = Boulder, O = ExampleCorp, OU = IT, CN = *.example.com, emailAddress = admin@example.com
verify error:num=10:certificate has expired
notAfter=Oct 24 21:09:52 2017 GMT
verify return:1
depth=0 C = US, ST = Colorado, L = Boulder, O = ExampleCorp, OU = IT, CN = *.example.com, emailAddress = admin@example.com
notAfter=Oct 24 21:09:52 2017 GMT
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Colorado/L=Boulder/O=ExampleCorp/OU=IT/CN=*.example.com/emailAddress=admin@example.com
   i:/C=US/ST=Colorado/L=Boulder/O=ExampleCorp/OU=IT/CN=*.example.com/emailAddress=admin@example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEmzCCA4OgAwIBAgIJAJAGQlMmC0kyMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYD
VQQGEwJVUzERMA8GA1UECBMIQ29sb3JhZG8xEDAOBgNVBAcTB0JvdWxkZXIxFDAS
BgNVBAoTC0V4YW1wbGVDb3JwMQswCQYDVQQLEwJJVDEWMBQGA1UEAxQNKi5leGFt
cGxlLmNvbTEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5jb20wHhcNMTYx
MDI0MjEwOTUyWhcNMTcxMDI0MjEwOTUyWjCBjzELMAkGA1UEBhMCVVMxETAPBgNV
BAgTCENvbG9yYWRvMRAwDgYDVQQHEwdCb3VsZGVyMRQwEgYDVQQKEwtFeGFtcGxl
Q29ycDELMAkGA1UECxMCSVQxFjAUBgNVBAMUDSouZXhhbXBsZS5jb20xIDAeBgkq
hkiG9w0BCQEWEWFkbWluQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAtuJ9mww9Bap6H4NuHXLPzwSUdZi4bra1d7VbEBZYfCI+Y64C
2uu8pu3aU5sauMbD97jQaoyW6G98OPreWo8oyfndIctErlnxjqzU2UTV7qDTy4nA
5OZeoReLfeqRxllJ14Via5QdgywGLhE9jg/c7e4YJznh9KWY2qcVxDuGD3iehsDn
aNzV4WF9cIfms8zwPvONNLfsAmw7uHT+3bK13IIhx27fevquVpCs41P6psu+VLn2
5HDy41thBCwOL+N+albtfKSqs7LAs3nQN1ltzHLvy0a5DhdjJTwkPrT+UxpoKB9H
4ZYk1+EDt7OPlhyo3741QhN/JCY+dJnALBsUjQIDAQABo4H3MIH0MB0GA1UdDgQW
BBRpeW5tXLtxwMroAs9wdMm53UUILDCBxAYDVR0jBIG8MIG5gBRpeW5tXLtxwMro
As9wdMm53UUILKGBlaSBkjCBjzELMAkGA1UEBhMCVVMxETAPBgNVBAgTCENvbG9y
YWRvMRAwDgYDVQQHEwdCb3VsZGVyMRQwEgYDVQQKEwtFeGFtcGxlQ29ycDELMAkG
A1UECxMCSVQxFjAUBgNVBAMUDSouZXhhbXBsZS5jb20xIDAeBgkqhkiG9w0BCQEW
EWFkbWluQGV4YW1wbGUuY29tggkAkAZCUyYLSTIwDAYDVR0TBAUwAwEB/zANBgkq
hkiG9w0BAQUFAAOCAQEAcGXMfk8NZsB+t9KBzl1Fl6yIjEkjHO0PVUlEcSD2B4b7
PxnMOjdmgPrauHb9unXEaL7zyAqaD6tbXWU6RxCAmgLajVJNZHOw45N0hrDkWgB8
EvZtQ56ammwC1qIhAiA6390D3Csex7gL6nJo7kbr1YWUG3zIvoxdz8YDrZNeWKLD
pRvWen0lMbpjIRP4XZsnC45C9gVXdh3LRe1+wyQq6h9QPiloxmD6NpE9imTOn2A5
/bJ3VKIzAMudeU6kpyYlJBzdG1uaHTjQOWosGiweCKVUXF6UtisVddrxQth6ENyW
vIFqaZx84+DlSCc93yfk/GlBt+SKG46zEHMB9hqPbA==
-----END CERTIFICATE-----
subject=/C=US/ST=Colorado/L=Boulder/O=ExampleCorp/OU=IT/CN=*.example.com/emailAddress=admin@example.com
issuer=/C=US/ST=Colorado/L=Boulder/O=ExampleCorp/OU=IT/CN=*.example.com/emailAddress=admin@example.com
---
...

weiyentan · February 10, 2021, 8:27am

That's because I restored the acme.json. Try https://tautulli.tanscloud.com/

weiyentan · February 10, 2021, 8:38am

I tested by recreating the acme.json file. When i did recreate the acme.json file, the Web sites that used to work now come back as example.org. When I restore the acme.json file that worked all the existing certs work but the newly generated one does not...

rg305 · February 10, 2021, 8:50am

Can you show the json file that fails?
[If there is anything private in it, please obfuscate, or redact, that info - before posting]

weiyentan · February 10, 2021, 9:02am

There is certificate details with my domain details. Shall I still send? Or can I send to you?

rg305 · February 10, 2021, 9:05am

If it contains the private key, then NO.
Don't ever send a private key to anyone or post it anywhere.
Simply cut that part out and replace it with:
"this part contains my private key"

weiyentan · February 10, 2021, 9:23am

This very telling. I backed up my acme.json , nerfed it and restarted the container.

I get this in my container logs
{"level":"debug","msg":"Try to challenge certificate for domain [requests.tanscloud.com] founded in Host rule","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"Try to challenge certificate for domain [codeserver.tanscloud.com] founded in Host rule","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"Try to challenge certificate for domain [traefik.tanscloud.com] founded in Host rule","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"Try to challenge certificate for domain [gateway.tanscloud.com] founded in Host rule","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"Try to challenge certificate for domain [radarr.tanscloud.com] founded in Host rule","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"Try to challenge certificate for domain [kibana.tanscloud.com] founded in Host rule","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"Try to challenge certificate for domain [sonarr.tanscloud.com] founded in Host rule","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"Try to challenge certificate for domain [tautulli.tanscloud.com] founded in Host rule","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"Try to challenge certificate for domain [artifacts.tanscloud.com] founded in Host rule","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"Looking for provided certificate(s) to validate ["artifacts.tanscloud.com"]...","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"No ACME certificate generation required for domains ["artifacts.tanscloud.com"].","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"Looking for provided certificate(s) to validate ["requests.tanscloud.com"]...","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"No ACME certificate generation required for domains ["requests.tanscloud.com"].","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"Looking for provided certificate(s) to validate ["codeserver.tanscloud.com"]...","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"No ACME certificate generation required for domains ["codeserver.tanscloud.com"].","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"Looking for provided certificate(s) to validate ["traefik.tanscloud.com"]...","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"No ACME certificate generation required for domains ["traefik.tanscloud.com"].","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"Looking for provided certificate(s) to validate ["gateway.tanscloud.com"]...","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"No ACME certificate generation required for domains ["gateway.tanscloud.com"].","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"Looking for provided certificate(s) to validate ["radarr.tanscloud.com"]...","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"No ACME certificate generation required for domains ["radarr.tanscloud.com"].","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"Looking for provided certificate(s) to validate ["kibana.tanscloud.com"]...","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"No ACME certificate generation required for domains ["kibana.tanscloud.com"].","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"Looking for provided certificate(s) to validate ["sonarr.tanscloud.com"]...","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"No ACME certificate generation required for domains ["sonarr.tanscloud.com"].","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"Looking for provided certificate(s) to validate ["tautulli.tanscloud.com"]...","time":"2021-02-10T09:15:50Z"}

2/10/2021 10:15:50 PM {"level":"debug","msg":"No ACME certificate generation required for domains ["tautulli.tanscloud.com"].","time":"2021-02-10T09:15:50Z"}

and this in my acme.json:

{
"Account": {
"Email": "weiyen.tan@gmail.com",
"Registration": {
"body": {
"status": "valid",
"contact": [
"mailto:weiyen.tan@gmail.com"
]
},
"uri": "https://acme-v02.api.letsencrypt.org/acme/acct/112280964"
},
"PrivateKey": private key
"KeyType": "4096"
},
"Certificates": null,
"HTTPChallenges": {},
"TLSChallenges": {}
}

weiyentan · February 10, 2021, 9:26am

Apologies about formatting. I am a bit new to the interface.

rg305 · February 10, 2021, 9:35am

I'm not familiar with how this should be setup to work.
I see minor differences in that some domains are enclosed in quotes and some are not.
But they seem to come from different logged messages.

The first group of messages shows:
Try to challenge certificate for domain [{domain}] founded in Host rule
[not sure if this is just a log entry for a routine action or an actual error/concern]

The second group of messages shows:
Looking for provided certificate(s) to validate
&
No ACME certificate generation required for domains
[Not sure but it sounds like it doesn't need to even try to renew the checked domain - probably not close enough to expiration yet]

But, again, I'm not a traefik expert.

As for the formatting, if you enclose the "difficult text" within three backticks - that usually does the trick.
Like:

```
funky text with much
indents and such
```

weiyentan · February 10, 2021, 9:55am

Ahh those entries you mention is the container spinning up. Https://tautulli.tanscloud.com never got a proper cert. What I will do is to flick back to the old acme.json but try a new host name. I suspect that because I tried to get the cert too many times let's encrypt is not giving a new one.

weiyentan · February 10, 2021, 10:18am

ok so i loaded in a newhost brought in the necessary values:


{"level":"debug","msg":"Domains [\"plexmonitoring.tanscloud.com\"] need ACME certificates generation for domains \"plexmonitoring.tanscloud.com\".","time":"2021-02-10T10:12:32Z"}

{"level":"debug","msg":"Loading ACME certificates [plexmonitoring.tanscloud.com]...","time":"2021-02-10T10:12:32Z"} 
{"level":"info","msg":"legolog: [INFO] [plexmonitoring.tanscloud.com] acme: Obtaining bundled SAN certificate","time":"2021-02-10T10:12:32Z"}

we can see that its loading in the certs. but wheni browse the website it says it is insecure....

Is there anything marked against my username in letsencrypt?

danb35 · February 10, 2021, 10:49am

It also doesn't have a DNS entry:

 dan@Dan-Hack-Mini  ~  curl https://tautulli.tanscloud.com/
curl: (6) Could not resolve host: tautulli.tanscloud.com

Codeserver works. Plexmonitoring works. Radarr works, but it doesn't redirect http->https. Same with traefik, gateway, and in fact everything else except tautulli--which fails because of the aforementioned DNS problem. Everything else has a cert, and serves the right cert, if you specify https, but none of them redirect to https.