SAN with subdomain cannot be found

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

^ With that being said, I would prefer my domain not be posted in a publicly searchable forum where bots crawl.

My domain is:
my.domain.com
domain.org
plex.domain.org

I ran this command:
certbot certonly --webroot -w /var/www -d my.domain.com -d domain.org -d plex.domain.org

It produced this output:
root@machine1:/folder/path/to/root# certbot certonly --webroot -w /var/www -d my.domain.com -d domain.org -d plex.domain.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/my.domain.com.conf)

It contains these names: my.domain.com, domain.org

You requested these names for the new certificate: my.domain.com,
domain.org, plex.domain.org.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for plex.domain.org
Using the webroot path /var/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. plex.domain.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://plex.domain.org/.well-known/acme-challenge/zrOcdTxrRVV6EVf0_j-BC26MeGxzlHbx2Vt8ycrnvAk [my.ip.address.here]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: plex.domain.org
   Type:   unauthorized
   Detail: Invalid response from
   http://plex.domain.org/.well-known/acme-challenge/zrOcdTxrRVV6EVf0_j-BC26MeGxzlHbx2Vt8ycrnvAk
   [my.ip.address.here]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
root@machine1:/folder/path/to/root# dig plex.domain.org

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> plex.domain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43117
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;plex.domain.org.             IN      A

;; ANSWER SECTION:
plex.domain.org.      1798    IN      A       my.ip.address.here

;; Query time: 118 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Apr 23 18:30:37 PDT 2019
;; MSG SIZE  rcvd: 62

root@machine1:/folder/path/to/root# dig domain.org

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> domain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18326
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;domain.org.                  IN      A

;; ANSWER SECTION:
domain.org.           179     IN      A       my.ip.address.here

;; Query time: 106 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Apr 23 18:30:41 PDT 2019
;; MSG SIZE  rcvd: 57

My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu 18.04.2 LTS

My hosting provider, if applicable, is:
Linux rtorrent 4.15.0-47-generic #50-Ubuntu SMP Wed Mar 13 10:44:52 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot --version
certbot 0.31.0

I have waited an hour since creating the A record, and am still receiving this message. There is no trace for the certificate listing search tool, as this is a new sub-domain certificate request (and it’s erroring anyways).

Is the subdomain really using the same webroot /var/www as the main website? If not, you probably need to specify a different one for that subdomain, e.g.

certbot certonly --webroot -w /var/www -d my.domain.com -d domain.org -w /srv/plex/www -d plex.domain.org

or whatever the webroot directory is.
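
The check suggested in the reply above, as an added example (not part of the original thread and not Certbot's own code): a Python sketch that drops a random probe file under a candidate webroot and fetches it back through the same /.well-known/acme-challenge/ path that http-01 validation requests. The function names and the local stand-in server are assumptions made for illustration.

```python
import http.server
import secrets
import threading
import urllib.error
import urllib.request
from functools import partial
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"  # path requested by http-01 validation


def webroot_serves_host(webroot, base_url, host=None, timeout=5):
    """Write a random probe file under webroot and fetch it over HTTP.

    Returns True only if base_url (optionally with a Host header, for a
    name-based virtual host) returns the exact probe body from this webroot.
    """
    probe_dir = Path(webroot) / CHALLENGE_DIR
    probe_dir.mkdir(parents=True, exist_ok=True)
    name, body = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    probe = probe_dir / name
    probe.write_text(body)
    req = urllib.request.Request(f"{base_url}/{CHALLENGE_DIR}/{name}")
    if host:
        req.add_header("Host", host)
    # Connect directly, ignoring proxy environment variables.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.read().decode() == body
    except (urllib.error.URLError, OSError):
        return False  # 404 from a different docroot, refused connection, timeout
    finally:
        probe.unlink()  # never leave probe files behind in the webroot


def serve_directory(directory):
    """Constructed stand-in for one vhost: serve `directory` on a free local port."""
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=str(directory))
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"
```

Against a real server, call webroot_serves_host() with base_url set to http://plex.domain.org and each candidate directory; the directory that returns True is the one to pass to certbot with -w for that name.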
