Ssl wildcard installation is successful but its not working as expected

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: goingplaces.me

I ran this command: sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d goingplaces.me -d *.goingplaces.me --manual --preferred-challenges dns-01 certonly

It produced this output:

Press Enter to Continue
        Waiting for verification...
        Cleaning up challenges
        IMPORTANT NOTES:
         - Congratulations! Your certificate and chain have been saved at:
           /etc/letsencrypt/live/goingplaces.me-0001/fullchain.pem
           Your key file has been saved at:
           /etc/letsencrypt/live/goingplaces.me-0001/privkey.pem
           Your cert will expire on 2018-12-22. To obtain a new or tweaked
           version of this certificate in the future, simply run certbot
           again. To non-interactively renew *all* of your certificates, run
           "certbot renew"
         - If you like Certbot, please consider supporting our work by:

           Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
           Donating to EFF:                    https://eff.org/donate-le

My web server is (include version):
nginx version: nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 16.04.4 LTS

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no

Problem:
I got confirmation that certificate was issued. Its working fine on main domain https://goingplaces.me/ however whenever I am trying to access subdomain, e.g. https://conquistadorjd.goingplaces.me/, I am getting privacy error i.e. ssl is not working fine on the subdomain.
here is the screenshot

2018-09-23%2011-00-06%20wildcard%20domain%20ssl%20issue
2018-09-23 11-00-06 wildcard domain ssl issue.png915Ă—339 17.9 KB

2

Hi,

Do you have a ssl/tls/ port 443 virtual host that listens on that subdomain? You’ll need to install the certificate on all virtual hosts that need to use this certificate.

Also, the certificate on goingplaces.me does not look like the certificate you requested recently…

So I would conclude that you obtained a certificate, but never attempted to install it… (Since you used certonly and did not ask certbot to install the certificate for you)

Thank you

3

What does “sudo certbot certificates” show?

Does “sudo nginx -T” show that the right server blocks exist, listening on the right interfaces, and using the right certificates?

4

@mnordhoff thanks for your response.
sudo certbot certificates showed following

 Certificate Name: goingplaces.me
    Domains: goingplaces.me *.goingplaces.me
    Expiry Date: 2018-12-22 04:32:59+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/goingplaces.me/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/goingplaces.me/privkey.pem

Here is snapshot of second command. To me, its showing correct ngin config file

# configuration file /etc/nginx/sites-enabled/goingplacesme:
map $http_host $blogid {
    default 0;
    include /var/www/goingplacesme/wp-content/uploads/nginx-helper/map.conf;
}

server {

	root /var/www/goingplacesme;

        index index.html index.htm index.nginx-debian.html;

        server_name goingplaces.me *.goingplaces.me;

        location / {
                #try_files $uri $uri/ =404;
                try_files $uri /index.php$is_args$args;
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        location ~ \.php$ {
                include snippets/fastcgi-php.conf;

                # With php7.0-cgi alone:
                #fastcgi_pass 127.0.0.1:9000;
                # With php7.0-fpm:
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}
	location ~ ^/files/(.*)$ {
	  try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ;
	  access_log off; log_not_found off; expires max;
	}

	location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
		expires 24h;
		log_not_found off;
	}

	location ^~ /blogs.dir {
		internal;
		alias /var/www/pathtoyoursite/web/wp-content/blogs.dir ;
		access_log off; log_not_found off;      expires max;
	}


	if (!-e $request_filename) {
		rewrite /wp-admin$ $scheme://$host$uri/ permanent;
		rewrite ^/[_0-9a-zA-Z-]+(/wp-.*) $1 last;
		rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ $1 last;
	}


 # managed by Certbot

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/techtrekking.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/techtrekking.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot




}


server {
    if ($host = www.goingplaces.me) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = goingplaces.me) {
        return 301 https://$host$request_uri;
    } # managed by Certbot



        server_name goingplaces.me *.goingplaces.me;
    listen 80;
    return 404; # managed by Certbot




}
5

I have port 443 open, here is the output

 telnet localhost 443
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

and the nginx config file is updated with these details as well.

6

Hi,

I’m not saying that the port 443 is not open.

I’m saying,

Can you find a virtual host (that listens on port 443) that contains your subdomain as a server_name? (There’s no mention of the subdomain in the currently using virtual host)

Also, you’ll need to install the certificate by yourself in order to use the certificate… It’s definitely not installed.

Thank you

7

When you say, I need to install certificate, are you referring to base domain goingplaces.me or the wildcard for goingplaces.me (like *.goingplaces.me ) ?
SSL is working fine for goingplaces.me

8

Hi @conquistadorjd,

Three things:

1.- certbot said that the wildcard certificate has been saved here /etc/letsencrypt/live/goingplaces.me-0001/fullchain.pem (pay attention to suffix -0001).

2.- certbot certificates only shows a certificate located in /etc/letsencrypt/live/goingplaces.me/fullchain.pem, did you paste the entire output?.

3.- In your nginx conf the certificate used for your domain is located at /etc/letsencrypt/live/techtrekking.com/fullchain.pem which seems wrong if you want to use the wildcard cert.

Did you manually modify, delete something in /etc/letsencrypt/ ?.

Could you please show the output of these commands?

ls -lR /etc/letsencrypt/live/
ls -lR /etc/letsencrypt/archive/
ls -l /etc/letsencrypt/renewal/

Cheers,
sahsanu

9

I have multiple websites on the same server. Here is unedietd output
ls -lR /etc/letsencrypt/live/

/etc/letsencrypt/live/:
total 20
drwxr-xr-x 2 root root 4096 Sep 22 19:00 fintrekking.com
drwxr-xr-x 2 root root 4096 Sep 23 11:03 goingplaces.me
drwxr-xr-x 2 root root 4096 Sep 22 19:02 litrating.com
drwxr-xr-x 2 root root 4096 Sep 23 11:15 techtrekking.com
drwxr-xr-x 2 root root 4096 Sep 23 10:42 vatadya.com

/etc/letsencrypt/live/fintrekking.com:
total 4
lrwxrwxrwx 1 root root  39 Sep 22 19:00 cert.pem -> ../../archive/fintrekking.com/cert1.pem
lrwxrwxrwx 1 root root  40 Sep 22 19:00 chain.pem -> ../../archive/fintrekking.com/chain1.pem
lrwxrwxrwx 1 root root  44 Sep 22 19:00 fullchain.pem -> ../../archive/fintrekking.com/fullchain1.pem
lrwxrwxrwx 1 root root  42 Sep 22 19:00 privkey.pem -> ../../archive/fintrekking.com/privkey1.pem
-rw-r--r-- 1 root root 543 Sep 22 19:00 README

/etc/letsencrypt/live/goingplaces.me:
total 4
lrwxrwxrwx 1 root root  38 Sep 23 11:03 cert.pem -> ../../archive/goingplaces.me/cert1.pem
lrwxrwxrwx 1 root root  39 Sep 23 11:03 chain.pem -> ../../archive/goingplaces.me/chain1.pem
lrwxrwxrwx 1 root root  43 Sep 23 11:03 fullchain.pem -> ../../archive/goingplaces.me/fullchain1.pem
lrwxrwxrwx 1 root root  41 Sep 23 11:03 privkey.pem -> ../../archive/goingplaces.me/privkey1.pem
-rw-r--r-- 1 root root 682 Sep 23 11:03 README

/etc/letsencrypt/live/litrating.com:
total 4
lrwxrwxrwx 1 root root  37 Sep 22 19:02 cert.pem -> ../../archive/litrating.com/cert1.pem
lrwxrwxrwx 1 root root  38 Sep 22 19:02 chain.pem -> ../../archive/litrating.com/chain1.pem
lrwxrwxrwx 1 root root  42 Sep 22 19:02 fullchain.pem -> ../../archive/litrating.com/fullchain1.pem
lrwxrwxrwx 1 root root  40 Sep 22 19:02 privkey.pem -> ../../archive/litrating.com/privkey1.pem
-rw-r--r-- 1 root root 543 Sep 22 19:02 README

/etc/letsencrypt/live/techtrekking.com:
total 4
lrwxrwxrwx 1 root root  40 Sep 23 11:15 cert.pem -> ../../archive/techtrekking.com/cert3.pem
lrwxrwxrwx 1 root root  41 Sep 23 11:15 chain.pem -> ../../archive/techtrekking.com/chain3.pem
lrwxrwxrwx 1 root root  45 Sep 23 11:15 fullchain.pem -> ../../archive/techtrekking.com/fullchain3.pem
lrwxrwxrwx 1 root root  43 Sep 23 11:15 privkey.pem -> ../../archive/techtrekking.com/privkey3.pem
-rw-r--r-- 1 root root 543 Sep 22 19:01 README

/etc/letsencrypt/live/vatadya.com:
total 4
lrwxrwxrwx 1 root root  35 Sep 23 10:42 cert.pem -> ../../archive/vatadya.com/cert1.pem
lrwxrwxrwx 1 root root  36 Sep 23 10:42 chain.pem -> ../../archive/vatadya.com/chain1.pem
lrwxrwxrwx 1 root root  40 Sep 23 10:42 fullchain.pem -> ../../archive/vatadya.com/fullchain1.pem
lrwxrwxrwx 1 root root  38 Sep 23 10:42 privkey.pem -> ../../archive/vatadya.com/privkey1.pem
-rw-r--r-- 1 root root 682 Sep 23 10:42 README

ls -lR /etc/letsencrypt/archive/

/etc/letsencrypt/archive/:
total 20
drwxr-xr-x 2 root root 4096 Sep 22 19:00 fintrekking.com
drwxr-xr-x 2 root root 4096 Sep 23 11:03 goingplaces.me
drwxr-xr-x 2 root root 4096 Sep 22 19:02 litrating.com
drwxr-xr-x 2 root root 4096 Sep 23 11:15 techtrekking.com
drwxr-xr-x 2 root root 4096 Sep 23 10:42 vatadya.com

/etc/letsencrypt/archive/fintrekking.com:
total 16
-rw-r--r-- 1 root root 2183 Sep 22 19:00 cert1.pem
-rw-r--r-- 1 root root 1647 Sep 22 19:00 chain1.pem
-rw-r--r-- 1 root root 3830 Sep 22 19:00 fullchain1.pem
-rw-r--r-- 1 root root 1704 Sep 22 19:00 privkey1.pem

/etc/letsencrypt/archive/goingplaces.me:
total 16
-rw-r--r-- 1 root root 2175 Sep 23 11:03 cert1.pem
-rw-r--r-- 1 root root 1647 Sep 23 11:03 chain1.pem
-rw-r--r-- 1 root root 3822 Sep 23 11:03 fullchain1.pem
-rw-r--r-- 1 root root 1704 Sep 23 11:03 privkey1.pem

/etc/letsencrypt/archive/litrating.com:
total 16
-rw-r--r-- 1 root root 2175 Sep 22 19:02 cert1.pem
-rw-r--r-- 1 root root 1647 Sep 22 19:02 chain1.pem
-rw-r--r-- 1 root root 3822 Sep 22 19:02 fullchain1.pem
-rw-r--r-- 1 root root 1708 Sep 22 19:02 privkey1.pem

/etc/letsencrypt/archive/techtrekking.com:
total 48
-rw-r--r-- 1 root root 2187 Sep 22 19:01 cert1.pem
-rw-r--r-- 1 root root 2403 Sep 22 19:26 cert2.pem
-rw-r--r-- 1 root root 2403 Sep 23 11:15 cert3.pem
-rw-r--r-- 1 root root 1647 Sep 22 19:01 chain1.pem
-rw-r--r-- 1 root root 1647 Sep 22 19:26 chain2.pem
-rw-r--r-- 1 root root 1647 Sep 23 11:15 chain3.pem
-rw-r--r-- 1 root root 3834 Sep 22 19:01 fullchain1.pem
-rw-r--r-- 1 root root 4050 Sep 22 19:26 fullchain2.pem
-rw-r--r-- 1 root root 4050 Sep 23 11:15 fullchain3.pem
-rw-r--r-- 1 root root 1704 Sep 22 19:01 privkey1.pem
-rw-r--r-- 1 root root 1704 Sep 22 19:26 privkey2.pem
-rw-r--r-- 1 root root 1704 Sep 23 11:15 privkey3.pem

/etc/letsencrypt/archive/vatadya.com:
total 16
-rw-r--r-- 1 root root 2167 Sep 23 10:42 cert1.pem
-rw-r--r-- 1 root root 1647 Sep 23 10:42 chain1.pem
-rw-r--r-- 1 root root 3814 Sep 23 10:42 fullchain1.pem
-rw-r--r-- 1 root root 1704 Sep 23 10:42 privkey1.pem

ls -l /etc/letsencrypt/renewal/

total 20
-rw-r--r-- 1 root root 476 Sep 22 19:00 fintrekking.com.conf
-rw-r--r-- 1 root root 567 Sep 23 11:03 goingplaces.me.conf
-rw-r--r-- 1 root root 466 Sep 22 19:02 litrating.com.conf
-rw-r--r-- 1 root root 537 Sep 23 11:15 techtrekking.com.conf
-rw-r--r-- 1 root root 512 Sep 23 10:42 vatadya.com.conf
10

After reading these three points, I just realised my mistake. I have updated my NGIX file to correct the live location as below

 # managed by Certbot

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/goingplaces.me/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/goingplaces.me/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

This is now working as expected. I tested this with completely new subdomain and this is working smoothly.
here is the screenshot
2018-09-23%2014-00-19%20letsencrypt%20working

@sahsanu thanks a lot :+1::+1::+1:

1 Like
11

Hi @conquistadorjd,

Glad you get it working but the -0001 issue is weird, are you sure you didn’t rename the dir?.

Could you please show the output of your renewal conf?.

cat /etc/letsencrypt/renewal/goingplaces.me.conf

Cheers,
sahsanu

1 Like
12

I did not rename the dir. I created and deleted certificate multiple times today. Could this be due to requesting new certificate without deleting earlier one ?

Here is the output that you requested

# renew_before_expiry = 30 days
version = 0.27.1
archive_dir = /etc/letsencrypt/archive/goingplaces.me
cert = /etc/letsencrypt/live/goingplaces.me/cert.pem
privkey = /etc/letsencrypt/live/goingplaces.me/privkey.pem
chain = /etc/letsencrypt/live/goingplaces.me/chain.pem
fullchain = /etc/letsencrypt/live/goingplaces.me/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = be9d4a4f2ee0eac4d875003c3ee73575
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = manual
manual_public_ip_logging_ok = True
13

Hi @conquistadorjd,

The output of the renewal conf is correct.

Yes, that explains the weird issue, you created a new cert without removing the old one or without specifying parameter --cert-name so certbot created a new dir with -0001.

Just in case, keep in mind that as you are using a manual method to create the needed TXT records for your wildcard cert, it won't be renewed automatically and you should execute the same manual process the day you want to renew the certificate.

Cheers,
sahsanu

1 Like
14

just a follow up question:
Current setup is not redirecting http to https. I remember while doing non wildcard setup, there was a question if I would like to redirect http to https, I did not see this while setting up wildcard ssl.
is it not available with wildcard SSL ?

15

Hi @conquistadorjd

this is independend from certbot / wildcard certificates. Check your port 80 configuration and add something like

server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name _;
	return 301 https://$server_name$request_uri;
}

So the http traffic (port 80) is redirected to https.

16

Thank you. This resolved http issue.
Note to anyone else running into same issue:
I added above code in my existing server block but this did not work. infact site went into redirect loop. I added above mentioned code above my first server block and its working fine now.

Thanks @JuergenAuer

17

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.