Question on wilcard and multiple domains

I generated a wildcard certificate using the below command:

certbot certonly
–dns-linode
–dns-linode-propagation-seconds 1000
-d *.domain1.com -d domain1.com

This works without any problem.

I have another domain hosted on the same server, domain2.com. I issued the same above command for domain2 and created another wildcard certificate without any error. But, this certificate for domain2.com doesn’t work properly.

SSLlabs check says “Certificate name mismatch. Try these other domain names (extracted from the certificates): xxx.domain1.com

xxx.domain1.com is the hostname of the server in /etc/hosts file. It seems to me that if I need a wildcard certificate for domain2.com, I should add a hostname, yyy.domain2.com to /etc/hosts file. Is it correct way of solving this problem? Or do I need to do anthing else?

Thanks in advance.

You need to understand SNI and how your web server applies specific names to individual virtual hosts.
Each host should have a specific (non-overlapping) set of name(s) it will serve.
When an exact name match is NOT found the default virtual host config is used.
So I guess you don’t have a host for domain2 and domain1 is the default.

Thank you for your hints.

A close look shows that my problem lies somewhere else. My new domain is wintess-software.com. SSLLabs report that my new domain wintess-software.com has a certificate name mismatch with winsvr.wintess.com. Yes, wintess.com also belongs to me, but resides on a different server with different IP. On top of this, a hostname of winsvr.wintess.com doesn’t exist in DNS records.

I scanned new server to check if winsvr.wintess.com exists anywhere in /etc folder. And it found it in /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/e54732689f6ca87b0a826216b9abd68a/meta.json

So, thinking that I mis-typed domain name while creating cert, I revoked and deleted certificates for wintess-software.com. Also, deleted all /etc/letsencrypt folder. Then, successfully created wildcard certificate again for wintess-software.com.

To my dismay, checking SSLLabs gives the same error again. Common name and SAN for mail.wintess-software.com is still winsvr.wintess.com.

Probably, I made a mistake and stuck with winsvr.wintess.com which doesn’t even exist. How can I get rid of it? Or is it just a propagation delay like DNS records?

Please don’t revoke certificates for these reasons - just delete them.

That problem is within your web server.
Again, you need to understand SNI …
[read my first post]

But, winsvr.wintess.com doesn’t even exist anywhere. At least, I can’t find how LE process invented and inserted it in the process from nowhere?

I am no an expert, but mail.wintess-software.com has nothing to do with web server. All the other subdomains (*.wintess-software.com) work without any problem with the webserver. Problem is with mail subdomain which of course has no virtual host entry for apache conf.

Hi @sse450

you have installed the wrong certificate. If you have created such a certificate, you can use it with the wrong domain name. That’s what you are doing.

Install the correct certificate (or create one and install it).

Many thanks for taking time to support.

I created with “-d *.wintess-software.com -d wintess-software.com” using dns-01 challenge. Everything works with subdomain.wintess-software.com as long as “subdomain” is defined with an A record. Only, mail.wintess-software.com is not working as it clashes with winsvr.wintess.com.

Now, I am creating explicitly mail.wintess-software.com. Let’s see what will happen.

Spoke too soon. subdomain.wintess-software.com not working as well. OK. So, I understand that the cert is wrong. I revoked and deleted all the existing certificates. And created again. But, LE created the new certificates with the same date of deleted certificates. It has the same problem.

How can I create a fresh new certificate with new date?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.