Problems with multiple wildcard domains

Hey guys, huge fan of this project since day one and truly believe this has made the web a better place for us all!

I run portainer serving an nginx reverse proxy and want to terminate ssl there. It serves two domains and a number of subdomains so I want to get a wildcard cert for the two.

My domain is: & I’m running the container from linuxserver and have configured it to the best of my understanding from the docs. I have spent the better part of the day trying to google my way to a solution but have to give up and ask for support here.

When running the certbot command the feedback is:
2048 bit DH parameters present
SUBDOMAINS entered, processing
Wildcard cert for will be requested
EXTRA_DOMAINS entered, processing
Extra domains processed are: -d
E-mail address entered:
dns validation via cloudflare plugin is selected

Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created

Saving debug log to /var/log/letsencrypt/letsencrypt.log
No match found for cert-path /config/etc/letsencrypt/live/!
nerating new certificate (SIC)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for
dns-01 challenge for
dns-01 challenge for
Waiting 10 seconds for DNS changes to propagate

Waiting for verification…
Cleaning up challenges


  • Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your cert will expire on 2019-12-02. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

My web server is (include version):
nginx, using container from

The operating system my web server runs on is (include version):
Ubuntu 18.04

I can login to a root shell on my machine (yes or no, or I don’t know):

If I go to I get a broken padlock because the certificate is registered for * so it seems to be serving that primary cert for all requests indifferent of SNI?

Right now my server just died so I can’t access any of the configuration files but hope that this is enough for now to point me in the right direction or let me know what information I need to provide for you to be able to guide me towards a solution.


The issue you are facing is really simple.
From the configuration and CT history, we could clearly see that you’ve got a certificate for the first domain (with wildcard), the second domain with only root…
So you just need to add a new domain with your wildcard second domain… To the conf file.

I believe what you should do (after reading the docs) is add

You might need to tweak the above command a little bit in order to get it to work. I’ll update (or try to update) this post when I find anything.


Hi @kanzie

that’s bad. Revoking a certificate is only required if the private key is stolen. And deleting a used certificate may stop your webserver.

Looks like that client is bad.

You have a lot of correct certificates with wildcard and the main domain ( ):

Issuer | not before | not after | Domain names | LE-Duplicate next LE
Let’s Encrypt Authority X3 | 2019-09-03 | 2019-12-02 | *,, | 3 entries, duplicate nr. 1
Let’s Encrypt Authority X3 | 2019-09-01 | 2019-11-30 | *,,,,, | 6 entries, duplicate nr. 1
Let’s Encrypt Authority X3 | 2019-09-01 | 2019-11-30 | ,,, | 4 entries, duplicate nr. 1
CloudFlare Inc ECC CA-2 | 2019-08-31 | 2020-08-31 | *,, | 3 entries
Let’s Encrypt Authority X3 | 2019-08-31 | 2019-11-29 | *, | 2 entries, duplicate nr. 1
Let’s Encrypt Authority X3 | 2019-08-31 | 2019-11-29 | *, *,, | 4 entries, duplicate nr. 1
Let’s Encrypt Authority X3 | 2019-08-19 | 2019-11-17 | ,,, | 4 entries

Some have both versions - wildcard and main domain.

The newest is wrong. But if all older are revoked, you can’t use one of the older certificates.

Please read something about rate limits:

Working certificate -> create new + revoking the old -> creation doesn’t work -> you don’t have a valid certificate.

So use another client, not such a client.

Thanks for your reply, indeed the client seems to be a bit brutal in terms of how it handles a container restart because it seems to me the default action is revoke and re-request. I did not write the client but rely on what comes with the container, which is certbot, so I doubt the client itself is bad, rather perhaps how they have set the default actions? I’ll bring your post to the team of’s attention.

As for the number of correct certificates that you listed it is indeed not what I want but the effect of trying to get the setup right. I’m confused however how it could be I have so many certificates issued at the same time as you mean the client is bad because it revokes and deletes certificates. Shouldn’t that prevent precisely the situation that we are looking at?

In summary, you highlight a number of problems which is appreciated but I don’t see any suggestions to the actual question I started with, which is how I should configure it to get it right. I will in the meantime try Stevenzhu’s suggestion as this seems the most logical. I doubt I will hit any of the rate limits but thanks for pointing out that they exist, not that I intentionally tried to exhaust them though.

Looking through the list of certs issued it seems like this one should have done the trick, but didn’t since I continued to try different patterns out:

Any advice as to what I should do that is not just “client bad, use different” is appreciated!

Yes, that certificate is correct, there are both main domains and both wildcard domains. So create such a certificate again.
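The root of the broken padlock in this thread is that a name like *.example.net only covers one label below example.net, never the apex and never a second domain. The following is an added example (not code from the thread, certbot or the linuxserver container) that applies the browser wildcard-matching rules to a certificate's SAN list so you can check, before requesting a certificate, that every hostname nginx will serve is covered. The domain names example.com and example.net are constructed placeholders; the thread elides the real ones.

```python
# Constructed SAN lists shaped like the certificates discussed in the thread:
# the newest (broken) one has the wildcard only for the first domain and just
# the apex for the second; the "correct" one has apex + wildcard for both.
SAN_FIRST_WILDCARD_ONLY = ["*.example.com", "example.com", "example.net"]
SAN_BOTH_WILDCARDS = ["*.example.com", "example.com", "*.example.net", "example.net"]


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching as browsers apply it:
    - a plain SAN must equal the hostname (case-insensitive);
    - a wildcard must be the whole leftmost label, matches exactly one label,
      so it covers neither the apex nor deeper subdomains;
    - a wildcard directly under a TLD (e.g. *.com) is rejected, which is a
      conservative simplification of the public-suffix rule browsers use."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):  # "*.example.com" never covers "a.b.example.com"
        return False
    return p_labels[1:] == h_labels[1:]


def covered(hostname: str, sans: list[str]) -> bool:
    """True if at least one SAN entry covers the hostname."""
    return any(san_matches(san, hostname) for san in sans)


def uncovered_hosts(hosts: list[str], sans: list[str]) -> list[str]:
    """Return the hostnames a certificate with these SANs would NOT cover.
    Run this over every server_name nginx serves before requesting a cert."""
    return [host for host in hosts if not covered(host, sans)]


if __name__ == "__main__":
    served = ["example.com", "www.example.com", "example.net", "www.example.net"]
    print("missing with first-wildcard-only cert:",
          uncovered_hosts(served, SAN_FIRST_WILDCARD_ONLY))
    print("missing with both-wildcards cert:",
          uncovered_hosts(served, SAN_BOTH_WILDCARDS))
```

To feed it the SANs of the certificate actually being served for a given SNI name, `openssl s_client -servername HOST -connect HOST:443 </dev/null | openssl x509 -noout -ext subjectAltName` prints the list, which is also the quickest way to confirm whether nginx is picking the right certificate per server_name.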
