Staging site cert not valid

I have a WordPress multisite with a subdomain of staging.bell-computing.com. I have a certificate for it:

Certificate Name: staging.bell-computing.com
Domains: staging.bell-computing.com
Expiry Date: 2018-10-01 12:24:09+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/staging.bell-computing.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/staging.bell-computing.com/privkey.pem

What do I need to do to make it recognised? It is in my conf list of other recognised servers and also in the list of domains in serverpilot. When I test it it says there is a name mismatch with gourmetbritain-competition.com.

When I do an autorenew dry run it can renew staging but not gourmetbritain. How do I fix this?

sudo certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/bell-computing.com.conf

Attempting to parse the version 0.25.1 renewal configuration file found at /etc/letsencrypt/renewal/bell-computing.com.conf with version 0.25.0 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bell-computing.com
http-01 challenge for www.bell-computing.com
Waiting for verification…
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/bell-computing.com/fullchain.pem


Processing /etc/letsencrypt/renewal/staging.bell-computing.com.conf

Attempting to parse the version 0.25.1 renewal configuration file found at /etc/letsencrypt/renewal/staging.bell-computing.com.conf with version 0.25.0 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for staging.bell-computing.com
Waiting for verification…
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/staging.bell-computing.com/fullchain.pem


Processing /etc/letsencrypt/renewal/pmcarpetsandflooring.com.conf

Attempting to parse the version 0.25.1 renewal configuration file found at /etc/letsencrypt/renewal/pmcarpetsandflooring.com.conf with version 0.25.0 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for pmcarpetsandflooring.com
http-01 challenge for www.pmcarpetsandflooring.com
Waiting for verification…
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/pmcarpetsandflooring.com/fullchain.pem


Processing /etc/letsencrypt/renewal/gourmetbritain-competition.com.conf

Attempting to parse the version 0.25.1 renewal configuration file found at /etc/letsencrypt/renewal/gourmetbritain-competition.com.conf with version 0.25.0 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for gourmetbritain-competition.com
http-01 challenge for www.gourmetbritain-competition.com
Cleaning up challenges
Attempting to renew cert (gourmetbritain-competition.com) from /etc/letsencrypt/renewal/gourmetbritain-competition.com.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6… Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/gourmetbritain-competition.com/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/bell-computing.com/fullchain.pem (success)
/etc/letsencrypt/live/staging.bell-computing.com/fullchain.pem (success)
/etc/letsencrypt/live/pmcarpetsandflooring.com/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/gourmetbritain-competition.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

Issue the cert from the production server, rather than staging. Staging certs are never recognized by clients.

If you don't specify an installer (or use certonly), then Certbot isn't going to do anything except issue the certificate. Actually deploying it to your website is a separate step.

So, you have a couple of choices.

Have Certbot install the certificate:

certbot -d staging.bell-computing.com --nginx

or manually configure your web server to use it (see https://ssl-config.mozilla.org/).

I'm not sure which is the better choice with ServerPilot, since SP manages its own nginx instance that Certbot may not be able to identify automatically.


I thought that's what I had done with

./certbot-auto certonly --webroot -w /srv/users/serverpilot/apps/wordpress/public -d staging.bell-computing.com

Doing it again just tells me it already exists.

The same command seems to work fine for pmcarpetsandflooring:

./certbot-auto certonly --webroot -w /srv/users/serverpilot/apps/wordpress/public -d pmcarpetsandflooring.com -d www.pmcarpetsandflooring.com

The only difference is that there is an actual DNS record for pmcarpetsandflooring.com.

To put it another way: certonly just creates a certificate, but doesn’t use it for anything. That’s up to you. As “step two”, you need to tell ServerPilot’s nginx configuration for that domain (in /etc/nginx-sp/vhosts.d/) to then use that certificate.

Based on how your server responds, you haven’t done that.

Hmm, but I have it in my app's conf for that certificate. What stage am I missing?

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name
            178.62.53.135
            bell-computing.com
            paulmarshallcarpetsandflooring.com
            staging.bell-computing.com;

        ssl on;

        # letsencrypt certificates
        ssl_certificate      /etc/letsencrypt/live/bell-computing.com/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/bell-computing.com/privkey.pem;

        #SSL Optimization
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:20m;
        ssl_session_tickets off;

        # modern configuration
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

        # OCSP stapling
        ssl_stapling on;
        ssl_stapling_verify on;

        # verify chain of trust of OCSP response
        ssl_trusted_certificate /etc/letsencrypt/live/bell-computing.com/chain.pem;

        #root directory and logfiles
        root /srv/users/serverpilot/apps/wordpress/wordpress_nginx/public;
        access_log /srv/users/serverpilot/log/wordpress/wordpress_nginx.access.log main;
        error_log /srv/users/serverpilot/log/wordpress/wordpress_nginx.error.log;

        #proxyset
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-SSL on;
        proxy_set_header X-Forwarded-Proto $scheme;

        #includes
        include /etc/nginx-sp/vhosts.d/wordpress.d/*.nonssl_conf;
        include /etc/nginx-sp/vhosts.d/wordpress.d/*.conf;
    }

The certificate for your staging domain is located in /etc/letsencrypt/live/staging.bell-computing.com/.

You’re not using it in that configuration.

You’re using the certificate for bell-computing.com, which is a separate certificate.

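As an added example (not from the thread, Certbot or ServerPilot), here is the shape of the fix: nginx picks a server block by the SNI name the client sends and serves that block's ssl_certificate, so a block whose server_name list mixes bell-computing.com and staging.bell-computing.com can only ever present one of the two certificates. The certificate paths are the ones shown in the thread; the include file name for the shared TLS, logging and proxy directives is assumed.

```nginx
# Added example: one server block per certificate. The first block keeps
# serving bell-computing.com with its own certificate; the second serves
# staging.bell-computing.com with the certificate Certbot already issued
# for that name. An IP address does not belong in server_name here: no
# public certificate covers 178.62.53.135, so it would always mismatch.

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name bell-computing.com www.bell-computing.com;

    ssl_certificate         /etc/letsencrypt/live/bell-computing.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/bell-computing.com/privkey.pem;
    # chain.pem from the same live/ directory backs OCSP stapling verification
    ssl_trusted_certificate /etc/letsencrypt/live/bell-computing.com/chain.pem;

    # Assumed file name: the protocol, cipher, session, stapling, root,
    # log and proxy_set_header directives from the posted block, moved
    # into one file so both blocks stay identical apart from the cert.
    include /etc/nginx-sp/vhosts.d/wordpress-tls.include;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # SNI for staging.bell-computing.com lands here, so this is the
    # certificate a browser or TLS checker will see for that name.
    server_name staging.bell-computing.com;

    ssl_certificate         /etc/letsencrypt/live/staging.bell-computing.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/staging.bell-computing.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/staging.bell-computing.com/chain.pem;

    include /etc/nginx-sp/vhosts.d/wordpress-tls.include;
}
```

After reloading nginx, `openssl s_client -servername staging.bell-computing.com -connect staging.bell-computing.com:443` should print a certificate whose subject is the staging name rather than bell-computing.com.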
