Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: login.myrandomdomain.store
Hello, apologies if this question seems naive. I am trying to get a certificate for a subdomain using node-acme-client (works fine for a domain), and I get the following error at client.verifyChallenge(authz, httpChallenge). I am using the Let's Encrypt staging directory, and const order = await acmeClient.createOrder({ identifiers: [ { type: 'dns', value: domain } ] }); to create the order.
Can anyone please guide me on why I am getting this error? Is this related to how I am creating the order, or a limitation of node-acme-client, etc.?
Note: When I try the same using certbot, it issues a certificate without any error.
It produced this output:
Error: Hostname/IP does not match certificate's altnames: Host: login.myrandomdomain.store. is not in the cert's altnames: DNS:myrandomdomain.store
My web server is (include version): Nginx
The operating system my web server runs on is (include version): Ubuntu
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.2.0
Thanks @rg305. Yes, I was able to successfully obtain a cert for login.randomdomain.store using certbot. I misspelled the domain earlier. The cert is live now, you can view the cert here.
Certbot works fine, but I am facing issues with node-acme-client. As I have already shared, I get the following error in the case of a subdomain on node-acme-client. Can you please tell me what's the issue here? Is it a node-acme-client limitation?
Error: Hostname/IP does not match certificate's altnames: Host: login.randomdomain.store. is not in the cert's altnames: DNS:randomdomain.store
I don't think I have enough information to be certain.
Based on what [I think] I know...
The error indicates that the site you are reaching has a cert that doesn't carry the login subdomain.
But I can't tell anything else about that connection.
From the Internet, the login site seems to be correctly secured [via HTTPS].
If you are connecting via some other method [VPN, internal network, etc.], then that might be part of why you are seeing the wrong cert.
The default cert being served when the IP is hit directly [without SNI] is that same short name and may explain why the system you are using is seeing that cert.
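The altnames error quoted in this thread is the message produced by the Node.js TLS hostname check, tls.checkServerIdentity. The following is an added example, not part of any post and not node-acme-client's own code: it runs that check offline against constructed certificate objects to show which served certificate passes for which host name. The SERVED map and the checkServed helper are hypothetical names.

```javascript
const tls = require('node:tls');

// Constructed sample certificates, in the shape Node reports for a peer
// certificate (only the fields the hostname check reads).
const SERVED = {
  'apex only': {
    subject: { CN: 'randomdomain.store' },
    subjectaltname: 'DNS:randomdomain.store',
  },
  'login only': {
    subject: { CN: 'login.randomdomain.store' },
    subjectaltname: 'DNS:login.randomdomain.store',
  },
  'wildcard': {
    subject: { CN: '*.randomdomain.store' },
    subjectaltname: 'DNS:*.randomdomain.store',
  },
};

// Run Node's hostname verification for `hostname` against each certificate.
// tls.checkServerIdentity returns undefined on a match and an Error otherwise.
function checkServed(hostname, served = SERVED) {
  const report = {};
  for (const [label, cert] of Object.entries(served)) {
    const err = tls.checkServerIdentity(hostname, cert);
    report[label] = err
      ? { ok: false, code: err.code, message: err.message }
      : { ok: true };
  }
  return report;
}

// The subdomain fails against the apex-only certificate; the apex fails
// against the wildcard, because a wildcard label does not cover the bare domain.
console.log(checkServed('login.randomdomain.store'));
console.log(checkServed('randomdomain.store'));
```

A failure against the 'apex only' entry means the server answered the request for the subdomain with the certificate of its default site, so the place to look is which server block handles that host name.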
I think I have not explained the problem correctly. So, the issue was that I couldn't issue an SSL certificate to a subdomain using node-acme-client with the Let's Encrypt staging directory. I was facing the above-mentioned error on the HTTP challenge verification step, but everything was working smoothly on certbot.
Turns out I just needed to make small changes to the nginx configuration. So, the issue was in the nginx configuration; now node-acme-client is also working fine and issues certificates to subdomains without any problem. Thank you for your time!
Yeah, so basically this is just a test domain. I issued and revoked the certificate to check how long it will take to actually get revoked.
Can you please tell me why this certificate is still "valid" for the browsers?