Subdomain not secure even after adding DNS record

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://turkey.ispaceone.com/

I ran this command:

It produced this output: not secure

My web server is (include version): VPS windows 2019

The operating system my web server runs on is (include version): Windows 2019

My hosting provider, if applicable, is: godaddy

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): plesk

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2 Likes

Is there a Plesk panel there?

I see a certificate with:

subject=/C=CH/L=Schaffhausen/O=Plesk/CN=Plesk/emailAddress=info@plesk.com
issuer=/C=CH/L=Schaffhausen/O=Plesk/CN=Plesk/emailAddress=info@plesk.com

I don't see an issued cert that covers the subdomain:
crt.sh | ispaceone.com

Adding a DNS record alone is not enough.

5 Likes

Yes, we are using Plesk panel for Windows.

2 Likes

Then follow the instructions on how to use it to secure a subdomain.

2 Likes

We have done all the steps but it's still not working.

1 Like

Well then, to me, that seems like a Plesk panel problem.

2 Likes

I don't think it's a Plesk issue.

In Plesk it says that the TXT DNS record we added can't be found, but it does exist and for some reason it can't be found.

Which TXT are you talking about?

I see:

ispaceone.com   nameserver = ns37.domaincontrol.com
ispaceone.com   nameserver = ns38.domaincontrol.com

nslookup -q=TXT _acme-challenge.turkey.ispaceone.com ns37.domaincontrol.com
*** UnKnown can't find _acme-challenge.turkey.ispaceone.com: Non-existent domain

nslookup -q=TXT _acme-challenge.turkey.ispaceone.com ns38.domaincontrol.com
*** UnKnown can't find _acme-challenge.turkey.ispaceone.com: Non-existent domain

3 Likes

We added the following DNS record but it says that it can't find it:

TXT
acme-challenge.turkey
kgE0DrnyPCIjoRxn23t-evNtCal4qfQhhZDxjkPf_k4
1 Hour

1 Like

We fixed the problem: we did it without selecting wildcard while installing the certificate.

1 Like

Should be:
_acme-challenge.turkey

nslookup -q=TXT acme-challenge.turkey.ispaceone.com ns38.domaincontrol.com
acme-challenge.turkey.ispaceone.com     text =
        "O9uHW2BSENMILNodCzyBe-XjAVp1zeY-Ab7AGv-tibk"

nslookup -q=TXT _acme-challenge.turkey.ispaceone.com ns38.domaincontrol.com
*** UnKnown can't find _acme-challenge.turkey.ispaceone.com: Non-existent domain

3 Likes

It seems that your wildcard request failed because they require a DNS TXT record to be created and you had a TYPO in that entry [missing the leading underscore].

The subsequent "workaround" (trying to obtain a non-wildcard cert) likely only worked because that did NOT require a DNS change and used HTTP authentication instead.

Note: Although it is a valid solution to this problem, you should "learn" why the previous request failed.
[In the event that you should ever require a wildcard cert, you will be better prepared to get one.]

2 Likes

We actually tried both versions and neither of them worked, so we finally had to apply the workaround, and then we were able to edit it to make it a wildcard.

I don't see any wildcard ever having been issued for that domain:
crt.sh | ispaceone.com

2 Likes

We tried both versions and I have no idea why it didn't work.

Something worked.
I suppose it was when using HTTP authentication.

As for the DNS authentication, you need to ensure all authoritative DNS servers are in sync and return the proper TXT record before proceeding with that request.

2 Likes
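The two DNS-01 checks discussed in this thread (the record name must carry the leading underscore, and every authoritative nameserver must return the expected TXT value before validation is requested), as an added example that is not part of any post or of any ACME client. The function names are hypothetical, the nameserver answers are constructed to mirror the nslookup output quoted above, and the DNS panel is assumed to append the zone name to the host field.

```python
import re

PREFIX = "_acme-challenge"
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")  # unpadded base64url SHA-256 digest
# Constructed sample mirroring the thread: both nameservers answer NXDOMAIN.
SAMPLE = {"ns37.domaincontrol.com": [], "ns38.domaincontrol.com": []}


def challenge_fqdn(identifier: str) -> str:
    """DNS-01 record name for a certificate identifier; '*.' is dropped for wildcards."""
    name = identifier.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return f"{PREFIX}.{name}"


def host_field(identifier: str, zone: str) -> str:
    """Host to type in a panel that appends the zone name itself (assumption)."""
    fqdn, zone = challenge_fqdn(identifier), zone.lower().rstrip(".")
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{identifier} is not inside zone {zone}")
    return fqdn[: -len(zone) - 1]


def check_host_field(entered: str, identifier: str, zone: str) -> str:
    """Compare the host a user entered with the one DNS-01 validation will query."""
    want = host_field(identifier, zone)
    got = entered.lower().rstrip(".")
    if got == want:
        return "ok"
    if got == want.lstrip("_"):
        return f"missing leading underscore: use {want}"
    if got == challenge_fqdn(identifier):
        return f"zone name entered twice: use {want}"
    return f"wrong name: use {want}"


def preflight(answers: dict, expected: str) -> list:
    """answers maps each authoritative nameserver to the TXT values it returned
    for the challenge name (empty list = NXDOMAIN or no TXT). Returns problems."""
    if not TOKEN_RE.match(expected):
        return ["expected value is not a 43-character base64url digest"]
    problems = []
    for ns, values in sorted(answers.items()):
        if not values:
            problems.append(f"{ns}: no TXT record at the challenge name")
        elif expected not in values:
            problems.append(f"{ns}: stale or different value {values[0]}")
    return problems
```

An empty list from `preflight` means every nameserver already serves the expected value; anything else should be resolved before asking the CA to validate.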

Yeah, I don't know how it worked, but can you help me with the following issue:

Please help: our domain is getting redirected to www.https//www.ezmethods.com, and hence our site is not loading. We have checked our code but could not find any issues; we have also checked server settings and found no problem.

Depending on the ACME client, you should be able to check the logs for it OR see the renewal settings [which would show how it was obtained].

Where is redirection being done?
.htaccess file?
IIS?
Plesk Panel?
[multiple places?]

1 Like

It looks like you may have resolved the redirection issue:

curl -Ii http://ezmethods.com
HTTP/1.1 301 Moved Permanently
Content-Length: 149
Content-Type: text/html; charset=UTF-8
Location: https://www.ezmethods.com/
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Date: Tue, 10 May 2022 01:35:01 GMT

curl -Ii http://www.ezmethods.com
HTTP/1.1 301 Moved Permanently
Content-Length: 149
Content-Type: text/html; charset=UTF-8
Location: https://www.ezmethods.com/
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Date: Tue, 10 May 2022 01:35:07 GMT

2 Likes