Steps for sharing apache certs to nginx on another machine/domain?


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=destiny.to ), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: destiny.to

I ran this command: ./certbot-auto --expand -d destiny.to,destiny.to,ask.destiny.to

It produced this output:
The client lacks sufficient authorization :: Invalid response from http://ask.destiny.to/.well-known/acme-challenge/_aHb14Nxxxxx

My web server is (include version): apache httpd-2.2.15-69.el6.centos.x86_64

The operating system my web server runs on is (include version): CentOS 6.10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

Here is the scenario

My site (destiny.to) runs on a server running apache, mainly PHP scripts and Java servlets. The LE cert is installed in /etc/letsencrypt/; it works fine.

There is another subdomain: ask.destiny.to, running on another server (different machine, different IP), running nginx (nginx-1.10.2-1.el7.x86_64); it’s not LE-enabled.

I tried to expand my cert to this subdomain:
./certbot-auto --expand -d destiny.to,destiny.to,ask.destiny.to

but it shows the above error.
It seems certbot “assumes” the subdomain is on the same server, but that’s not my case.
The subdomain is on another server, running nginx instead of apache …
What should I do now?

Thanks.


#2

You could create a redirect on the nginx server:

# inside the server { } block for ask.destiny.to; an absolute http:// target makes nginx answer with a 302 redirect
rewrite ^/\.well-known/acme-challenge/(.*)$ http://destiny.to/.well-known/acme-challenge/$1;

That way, you should be able to complete the challenge for both domains from your Apache server.
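A complete nginx configuration for the ask.destiny.to host built around that redirect, as an added example (not code from the thread): only the ACME challenge path is sent to the Apache host, everything else stays local, and the HTTPS block shows where a certificate copied over from the Apache host would be referenced. The webroot path is an assumption; the certificate paths follow certbot's standard /etc/letsencrypt/live/<lineage>/ layout with the lineage name assumed to be destiny.to.

```nginx
# Added example, not from the thread. Port-80 server block for ask.destiny.to.
server {
    listen 80;
    server_name ask.destiny.to;

    # Let's Encrypt's HTTP-01 validator follows redirects, so the challenge
    # file only needs to exist in Apache's webroot on destiny.to. Keep the
    # target plain http://; validation does not need TLS on either side.
    # ^~ makes sure no regex location (e.g. for PHP) captures this path.
    location ^~ /.well-known/acme-challenge/ {
        return 302 http://destiny.to$request_uri;
    }

    # Everything else is the normal ask.destiny.to site (assumed webroot).
    location / {
        root /var/www/ask.destiny.to;
        index index.html;
    }
}

# Once the expanded certificate has been issued on the Apache host and its
# files copied to this machine (this copy must be repeated after every
# renewal), the HTTPS side can reference them. Paths assume certbot's
# standard live/ layout and a lineage named destiny.to.
server {
    listen 443 ssl;
    server_name ask.destiny.to;

    ssl_certificate     /etc/letsencrypt/live/destiny.to/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/destiny.to/privkey.pem;

    location / {
        root /var/www/ask.destiny.to;
        index index.html;
    }
}
```

Reload nginx and fetch http://ask.destiny.to/.well-known/acme-challenge/test with curl -I before re-running certbot; a 302 pointing at destiny.to confirms the redirect is in place.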


#3

Why do you want to add the subdomain to the same cert? Wouldn’t it be easier to get a separate cert for just that subdomain on the nginx server? That way you don’t have to deal with redirects and figuring out how to copy everything over again automatically after each renewal…

If you do need everything on the same cert for some reason then _az’s advice is good.


#4

Hi @jmorahan, is it normal to have two separate certs for the main domain and the sub-domain?
I feel it’s … strange… (sorry, not familiar with certs)

Isn’t that the goal of ‘expand cert’?


#5

It’s fine. In the old days, it was probably less common since a second certificate meant a second payment to the CA :stuck_out_tongue: But with Let’s Encrypt, as long as you stay within the rate limits - the most relevant ones here being 50 certs per registered domain per week, and 100 names per certificate - you can organize your domains and subdomains into certificates whatever way you want.

The goal of certbot’s --expand option is to allow you to easily add domains to an existing certificate, if you want to :slight_smile: It’s not meant to encourage you to do that if you prefer to organize things another way.