Problems with multiple wildcard domains

Hey guys, huge fan of this project since day one and truly believe this has made the web a better place for us all!

I run portainer serving a nginx reverse proxy and want to terminate ssl there. It serves two domains and a number of subdomains so I want to get a wildcard cert for the two.

My domain is: kanzie.com & levinilsson.com. I’m running the container from linuxserver and have configured it to the best of my understanding from the docs. I have spent the better part of the day trying to google my way to a solution but have to give up and ask for support here.

When running the certbot command the feedback is:
TZ=Europe/Berlin
URL=kanzie.com
SUBDOMAINS=wildcard
EXTRA_DOMAINS=levinilsson.com
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=dns
DNSPLUGIN=cloudflare
EMAIL=kanzie@redacted.com
STAGING=false
2048 bit DH parameters present
SUBDOMAINS entered, processing
Wildcard cert for kanzie.com will be requested
EXTRA_DOMAINS entered, processing
Extra domains processed are: -d levinilsson.com
E-mail address entered: kanzie@redacted.com
dns validation via cloudflare plugin is selected

Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created

Saving debug log to /var/log/letsencrypt/letsencrypt.log
No match found for cert-path /config/etc/letsencrypt/live/levinilsson.com/fullchain.pem!
nerating new certificate (SIC)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for kanzie.com
dns-01 challenge for kanzie.com
dns-01 challenge for levinilsson.com
Waiting 10 seconds for DNS changes to propagate

Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/kanzie.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/kanzie.com/privkey.pem
    Your cert will expire on 2019-12-02. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

My web server is (include version):
nginx, using container from linuxserver.io. https://hub.docker.com/r/linuxserver/letsencrypt

The operating system my web server runs on is (include version):
Ubuntu 18.04

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

If I go to levinilsson.com I get a broken padlock because the certificate is registered for *.kanzie.com so it seems to be serving that primary cert for all requests regardless of SNI?

Right now my server just died so I can’t access any of the configuration files but hope that this is enough for now to point me in the right direction or let me know what information I need to provide for you to be able to guide me towards a solution.

Hi,

The issue you are facing is really simple.
From the configuration and CT history, we could clearly see that you’ve got a certificate for the first domain (with wildcard), the second domain with only root…
So you just need to add a new domain with your wildcard second domain… To the conf file.

I believe what you should do (after reading the docs) is add
EXTRA_DOMAINS= levinilsson.com, *.levinilsson.com instead of EXTRA_DOMAINS= levinilsson.com.

You might need to tweak the above command a little bit in order to get it to work. I’ll update (or try to update) this post when I find anything.

Thanks

Hi @kanzie

that's bad. Revoking a certificate is only required if the private key is stolen. And deleting a used certificate may stop your webserver.

Looks like that client is bad.

You have a lot of correct certificates with wildcard and the main domain ( https://check-your-website.server-daten.de/?q=levinilsson.com#ct-logs ):

Issuer | not before | not after | Domain names | LE-Duplicate | next LE
Let's Encrypt Authority X3 | 2019-09-03 | 2019-12-02 | *.kanzie.com, kanzie.com, levinilsson.com (3 entries) | duplicate nr. 1 |
Let's Encrypt Authority X3 | 2019-09-01 | 2019-11-30 | *.levinilsson.com, deluge.kanzie.com, kanzie.com, levinilsson.com, phpmyadmin.kanzie.com, www.kanzie.com (6 entries) | duplicate nr. 1 |
Let's Encrypt Authority X3 | 2019-09-01 | 2019-11-30 | kanzie.com, levinilsson.com, www.kanzie.com, www.levinilsson.com (4 entries) | duplicate nr. 1 |
CloudFlare Inc ECC CA-2 | 2019-08-31 | 2020-08-31 | *.levinilsson.com, levinilsson.com, sni.cloudflaressl.com (3 entries) | |
Let's Encrypt Authority X3 | 2019-08-31 | 2019-11-29 | *.levinilsson.com, levinilsson.com (2 entries) | duplicate nr. 1 |
Let's Encrypt Authority X3 | 2019-08-31 | 2019-11-29 | *.kanzie.com, *.levinilsson.com, kanzie.com, levinilsson.com (4 entries) | duplicate nr. 1 |
Let's Encrypt Authority X3 | 2019-08-19 | 2019-11-17 | kanzie.com, levinilsson.com, www.kanzie.com, www.levinilsson.com (4 entries) | |

Some have both versions - wildcard and main domain.

The newest is wrong. But if all older are revoked, you can't use one of the older certificates.

Please read something about rate limits:

Working certificate -> create new + revoking the old -> creation doesn't work -> you don't have a valid certificate.

So use another client, not such a client.

Thanks for your reply, indeed the client seems to be a bit brutal in terms of how it handles a container restart because it seems to me the default action is revoke and re-request. I did not write the client but rely on what comes with the container, which is certbot so I doubt the client itself is bad, rather perhaps how they have set the default actions? I'll bring your post to the team of linuxserver.io's attention.

As for the number of correct certificates that you listed it is indeed not what I want but the effect of trying to get the setup right. I'm confused however how it could be I have so many certificates issued at the same time as you mean the client is bad because it revokes and deletes certificates. Shouldn't that prevent precisely the situation that we are looking at?

In summary, you highlight a number of problems which is appreciated but I don't see any suggestions to the actual question I started with, which is how I should configure it to get it right. I will in the meantime try Stevenzhu's suggestion as this seems the most logical. I doubt I will hit any of the rate limits but thanks for pointing out that they exist, not that I intentionally tried to exhaust them though.

Looking through the list of certs issued it seems like this one should have done the trick, but didn't since I continued to try different patterns out:

Any advice as to what I should do that is not just "client bad, use different" is appreciated!

Yes, that certificate is correct, there are both main domains and both wildcard domains. So create such a certificate again.
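A quick way to see why the newest certificate gives levinilsson.com's subdomains a broken padlock, and why the 2019-08-31 one with both wildcards is the right shape, is to check each hostname you serve against the certificate's SAN list using browser-style wildcard rules (a wildcard is only the whole leftmost label, matches exactly one label, and never covers the bare domain). The following is an added example, not code from the thread, certbot or the linuxserver.io container; the SAN lists are copied from the CT entries quoted above and the list of required hostnames is an assumption.

```python
"""Check whether a certificate's SAN list covers every hostname you serve.

Added example; not part of the forum thread or the linuxserver.io container.
Wildcard matching follows the usual browser rules (RFC 6125 style): a wildcard
may only be the whole leftmost label and matches exactly one label, so
*.example.com covers www.example.com but neither example.com nor a.b.example.com.
"""


def hostname_matches_san(hostname: str, san: str) -> bool:
    """Return True if the DNS SAN entry `san` covers `hostname`."""
    host = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    # Wildcard: the remaining labels must match exactly and the host must
    # have exactly one extra label in front of them.
    suffix = san[1:]  # ".example.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]
    return bool(left) and "." not in left


def uncovered_hostnames(required, sans):
    """Return the hostnames from `required` that no SAN entry covers."""
    return [h for h in required if not any(hostname_matches_san(h, s) for s in sans)]


def dns_sans_from_peercert(cert):
    """Extract DNS names from the dict shape returned by ssl.SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# SAN lists as quoted from the CT log above; REQUIRED is a constructed assumption
# of the hostnames the reverse proxy has to serve.
NEWEST_CERT_SANS = ["*.kanzie.com", "kanzie.com", "levinilsson.com"]
BOTH_WILDCARDS_SANS = ["*.kanzie.com", "*.levinilsson.com", "kanzie.com", "levinilsson.com"]
REQUIRED = ["kanzie.com", "www.kanzie.com", "levinilsson.com", "www.levinilsson.com"]

if __name__ == "__main__":
    for label, sans in (("newest cert", NEWEST_CERT_SANS), ("2019-08-31 cert", BOTH_WILDCARDS_SANS)):
        missing = uncovered_hostnames(REQUIRED, sans)
        print(f"{label}: {'covers all' if not missing else 'missing ' + ', '.join(missing)}")
```

To check a live server instead of the pasted CT data, open a verified TLS connection with the `ssl` module and pass `getpeercert()`'s result to `dns_sans_from_peercert` before calling `uncovered_hostnames`.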
