Question about extending a certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

Domain is: ptchat.org

I ran this command:
certbot certonly --standalone -d isscloud.ptchat.org -d irc.ptchat.org

It produced this output:

You have an existing certificate that contains a portion of the domains you
requested (ref: /usr/local/etc/letsencrypt/renewal/isscloud.ptchat.org.conf)

It contains these names: isscloud.ptchat.org

You requested these names for the new certificate: isscloud.ptchat.org,
irc.ptchat.org.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate for isscloud.ptchat.org and irc.ptchat.org

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: irc.ptchat.org
  Type:   connection
  Detail: Fetching https://irc.ptchat.org/.well-known/acme-challenge/iOsLTXam5YZuvzctmqH0CNfOZr75fqqDy0xVDusuITo: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority couldn't exterally verify that the standalone plugin completed the required http-01 challenges. Ensure the plugin is configured correctly and that the changes it makes are accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
irrelevant, not running a webserver

The operating system my web server runs on is (include version):
FreeBSD 13

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.16.0

Hi,
So my question is the following: I'm running a server on isscloud.ptchat.org, and I have a valid cert for this hostname generated with certbot, no issues.
Now what happens is that customers connect using the address irc.ptchat.org that can resolve to any of these addresses:

;; ANSWER SECTION:
irc.ptchat.org. 1780 IN A 213.229.86.152
irc.ptchat.org. 1780 IN A 168.119.19.58
irc.ptchat.org. 1780 IN A 52.18.22.24
irc.ptchat.org. 1780 IN A 5.9.78.56
irc.ptchat.org. 1780 IN A 66.29.130.220

How should I generate/extend this certificate to include irc.ptchat.org?

Thank you!

1 Like

Welcome to the Let's Encrypt Community, Ricardo 🙂

Is this a CDN/Gateway type of setup or load balancing or ? I suppose what I really want to know is if there is a single back end server responding for all requests to irc.ptchat.org. If so, then using the standalone authenticator on that server should be possible to satisfy an http-01 challenge. If not, then the best route is likely to use a dns authentication method to satisfy a dns-01 challenge.

2 Likes

Hi griffin thank you for your reply.
No, it's not a CDN/GW nor load balancing or the sort. It's an IRC server network; the servers behind irc.ptchat.org are all in sync, and when a user tries to connect to irc.ptchat.org it will simply resolve to either one and connect. It's all DNS, basically.

I'm actually not in charge of the ptchat.org domain, but I have close contact with whoever does. If considering the DNS option, there would have to be some hook to update the DNS TXT record, I assume. But this would have to be available to all of the servers, since each server individually should have the domain irc.ptchat.org as well as its individual hostname.

2 Likes

The DNS records should be independent of the individual servers, which is what makes the dns-01 approach viable. The dns-01 challenge verifies control of the DNS records for irc.ptchat.org and not any particular server responding for irc.ptchat.org. The other benefit of a dns-01 challenge is that it can be run from any system that does not need to even be one of the actual servers.

The first challenge you will run into though is securely pushing certificates to all of the servers. You could run a dns-01 challenge from each server just so that certbot will save the private key and certificate files directly to that server and avoid the distribution problem. Given the duplicate certificate rate limit of 5 certificates per week for any specific set of domain names (just irc.ptchat.org here), you would want to stagger the certificate acquisitions if possible.

The second challenge is automating the DNS challenges. I see that irc.ptchat.org uses Namecheap for its DNS. This may be a great case for delegating the challenge to acme-dns.

2 Likes
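The reply above describes satisfying dns-01 from any machine and delegating the record changes to acme-dns. The script below is an added example of what that looks like as a certbot `--manual-auth-hook`; it is not code from the thread, from certbot or from the acme-dns project. It assumes a CNAME `_acme-challenge.irc.ptchat.org` pointing at a subdomain registered on an acme-dns instance, and the acme-dns URL, credentials file path and its "domain user key subdomain" line format are placeholders chosen for the example. The hook publishes the value certbot hands it and, importantly, does not return until a public resolver actually serves the record, since certbot triggers the CA's validation as soon as the hook exits.

```shell
#!/bin/sh
# Added example (not from the thread): certbot --manual-auth-hook that publishes the
# dns-01 TXT value through an acme-dns instance and waits until a public resolver sees it.
# Placeholders: the acme-dns URL, the credentials file and its layout.
set -eu

ACME_DNS_URL="${ACME_DNS_URL:-https://acme-dns.example.invalid}"   # placeholder
CREDS_FILE="${CREDS_FILE:-/usr/local/etc/acme-dns/credentials}"   # placeholder path

# Name the CA queries for a dns-01 challenge (RFC 8555 section 8.4).
challenge_record_name() {
    printf '_acme-challenge.%s' "$1"
}

# JSON body for acme-dns "POST /update". The value certbot supplies is already the
# base64url SHA-256 of the key authorization (43 chars), so it is passed through as-is.
acme_dns_update_body() {
    printf '{"subdomain":"%s","txt":"%s"}' "$1" "$2"
}

# Credentials file (assumed layout): one "domain user key subdomain" line per delegated name.
# Prints "user key subdomain" for the domain, or fails if the domain is not listed.
creds_for_domain() {
    awk -v d="$1" '$1 == d { print $2, $3, $4; found = 1 } END { exit found ? 0 : 1 }' "$2"
}

publish_txt() {
    domain=$1; txt=$2
    set -- $(creds_for_domain "$domain" "$CREDS_FILE")
    user=$1; key=$2; sub=$3
    curl -fsS -X POST "$ACME_DNS_URL/update" \
        -H "X-Api-User: $user" -H "X-Api-Key: $key" \
        -H 'Content-Type: application/json' \
        -d "$(acme_dns_update_body "$sub" "$txt")" >/dev/null
}

# Poll a public resolver until the TXT value is visible. With a CNAME delegation
# "dig +short" prints the CNAME target first and then the TXT strings, hence grep -x.
wait_for_txt() {
    name=$1; txt=$2; tries=${3:-30}
    i=0
    while [ "$i" -lt "$tries" ]; do
        if dig +short TXT "$name" @1.1.1.1 | tr -d '"' | grep -qx "$txt"; then
            return 0
        fi
        i=$((i + 1)); sleep 5
    done
    echo "TXT record for $name not visible after $tries tries" >&2
    return 1
}

# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the auth hook; when the
# script is sourced or run by hand without them, nothing is published.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    publish_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
    wait_for_txt "$(challenge_record_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
fi
```

With the hook installed, the acquisition is `certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/acme-dns-hook.sh -d irc.ptchat.org -d isscloud.ptchat.org` (path is a placeholder); because the TXT record lives at the acme-dns server, the ptchat.org zone at Namecheap never changes after the one-time CNAME is created, and the only credential the hook holds is the acme-dns API key, which can update nothing but that one delegated record.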

I have a trick in mind to avoid the duplicate certificate problem. You can have each server request a certificate covering only its individual hostname using any authentication method, like it probably already is. Shortly (or immediately) afterwards, you can have each server request a certificate covering both its individual hostname and irc.ptchat.org. Since the acme account for each server will already have a validated authorization for the individual hostname, it won't need to be reverified. Thus, the dns-01 verification for irc.ptchat.org will be all that is necessary. Since the two domains covered for each server will be unique, there won't be a duplicate certificate problem.

2 Likes

Hi @griffin again thanks a lot for the welcoming here and for all your replies.
I was reading your answers and giving consideration to the possible bottlenecks of the process, in the meanwhile a thought came to mind:

Would it be possible to have one server asking for the certificate for all the domains (isscloud.ptchat.org, rootsp.ptchat.org, irc.ptchat.org, etc.; there are 5 servers), and then use this certificate that includes all the domains on all the servers? Would this be a viable approach? Thank you for your feedback!

2 Likes

Do all five servers respond for all three FQDNs?

1 Like

Nah, there are more FQDNs; I just typed "etc" because I didn't feel like typing them all down. They're individual servers; the only FQDN that is "shared" (which isn't quite the case, it's a random DNS resolution) is irc.ptchat.org, which has 5 A records and can resolve to any of them randomly. I was thinking of having one do DNS validation for all the FQDNs and a script to distribute the certs to each server, but maybe that'd be adding more complication.

1 Like

That might actually be much simpler. There's nothing wrong with having "extra" names on a certificate that a particular server doesn't respond for. It greatly simplifies the acquisition process at the expense of needing the script for the secure distribution/installation process. If you're comfortable with that, it sounds like you have a solid plan. You wouldn't even need one of the actual servers to acquire the certificate. It could be done from your home computer (or whatever one you wish).

acme-dns lets you avoid needing to make dynamic changes to the dns records by delegating those changes to a different domain name. Sounds ideal with your setup. You could even run the acme-dns server on whatever machine on which you acquire the certificate.

2 Likes
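The plan settled on above (one machine acquires a certificate with every name, a script pushes it to the five servers) leaves the "secure distribution/installation" script as the one piece nobody has shown. Below is an added example of such a script written as a certbot `--deploy-hook`; it is not code from the thread or from certbot. The server list file and its layout, the remote directory, the unprivileged ssh deploy account and the daemon reload command are all placeholders, since the thread does not name the IRC daemon in use. The points it demonstrates are the ones that go wrong in practice: refusing to ship a private key that does not match the certificate, creating files under `umask 077` and renaming them into place so the daemon never reads a half-written file, and reloading only after both files are installed.

```shell
#!/bin/sh
# Added example (not from the thread): certbot --deploy-hook that pushes a renewed
# certificate to every IRC server over ssh, installs it atomically with tight
# permissions, and reloads the daemon. Placeholders: server list file and layout,
# remote directory, ssh user and reload command.
set -eu

SERVERS_FILE="${SERVERS_FILE:-/usr/local/etc/letsencrypt/irc-servers}"  # placeholder
SSH_USER="${SSH_USER:-certdeploy}"                                       # placeholder account

# Server list (assumed layout): "<host> <remote_dir> <reload command...>" per line.
# Blank lines and '#' comments are skipped; an entry with fewer than three fields
# fails the whole run rather than silently skipping a server.
deploy_targets() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        NF < 3 { print "bad server entry: " $0 > "/dev/stderr"; bad = 1; next }
        { print }
        END { exit bad ? 1 : 0 }' "$1"
}

# Refuse to ship a key that does not belong to the certificate: a mixed-up lineage
# would otherwise take every server down at the same moment.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Script run on the remote side. It unpacks the tar stream from stdin into a staging
# directory created under umask 077, fixes permissions, mv(1)s each file into place
# (an atomic rename on the same filesystem), and reloads only after both are installed.
# $stage is escaped so it expands on the remote host, not here.
remote_install_script() {
    cat <<EOF
set -eu
umask 077
stage=\$(mktemp -d "$1/.stage.XXXXXX")
tar -xf - -C "\$stage"
chmod 0644 "\$stage/fullchain.pem"
chmod 0600 "\$stage/privkey.pem"
mv -f "\$stage/fullchain.pem" "$1/fullchain.pem"
mv -f "\$stage/privkey.pem" "$1/privkey.pem"
rmdir "\$stage"
$2
EOF
}

# Push the live files to one host. tar -h dereferences certbot's live/ symlinks so the
# real PEM contents travel. The remote script is wrapped in single quotes for sh -c,
# so it must not itself contain one (checked, since the reload command is operator input).
push_to_host() {
    host=$1; dir=$2; reload=$3
    script=$(remote_install_script "$dir" "$reload")
    case "$script" in
        *\'*) echo "remote script for $host must not contain single quotes" >&2; return 1 ;;
    esac
    tar -C "$RENEWED_LINEAGE" -chf - fullchain.pem privkey.pem |
        ssh -o BatchMode=yes "$SSH_USER@$host" "sh -c '$script'"
}

main() {
    key_matches_cert "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem"
    targets=$(deploy_targets "$SERVERS_FILE")   # validated before any host is touched
    printf '%s\n' "$targets" | while read -r host dir reload; do
        push_to_host "$host" "$dir" "$reload"
    done
}

# certbot exports RENEWED_LINEAGE (the live directory) to deploy hooks; without it,
# sourcing or running the file by hand deploys nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Registered with `certbot certonly ... --deploy-hook /path/to/deploy.sh` (placeholder path), the script runs only on successful issuance or renewal, so the five servers are updated from the one place that holds the ACME account. The deploy account on each server needs write access to the certificate directory and permission to run just the reload command, nothing more; that keeps the one machine holding every server's ssh key from being a full root path to all of them.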

Alright, thanks a lot man, you gave me a number of fair points to consider! I'll take it to the admins of the other servers and see what they think about it, and if I get further questions I'll come back.

Thanks a lot for your time and your help! Cheers!

2 Likes

You are quite welcome! 😊

Keep us posted. 📮

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.