Tutorial for certbot on subdomains and starting over

I am trying to follow various tutorials, but something is off. I need to start over.

I have a website that has 1 main domain (ivo-welch.info) and, say, 3 subdomains (www, cfr, book). my goal is https access in addition to http access. nothing fancy. vanilla install. ubuntu. nginx.


first, I opened up /.well-known in /etc/nginx/sites-available/ivo-welch.info.conf for each and every subdomain (server block).

location ~ /.well-known {
    allow all;
}

second, I created empty directories in

/var/www/ivo-welch.info/html/.well-known  <-- domain
/var/www/ivo-welch.info/www/.well-known  # may not be needed <-- subdomain www
/var/www/ivo-welch.info/book/.well-known
/var/www/ivo-welch.info/cfr/.well-known

third, my magic invocation:

  certbot certonly --webroot --webroot-path=/var/www/ivo-welch.info/html \
 -d ivo-welch.info -d www.ivo-welch.info -d book.ivo-welch.info -d cfr.ivo-welch.info

Presumably, something goes into /var/www/ivo-welch.info/html/.well-known/*acme*... , and magically allows my users to use https thereafter. as you may suspect, it’s not what I am getting:

www.ivo-welch.info (http-01): urn:acme:error:unauthorized :: \
The client lacks sufficient authorization :: \
Invalid response from http://www.ivo-welch.info/.well-known/acmechallenge/blahblah: "
... a few more

easy, I think. certbot one per subdomain then. fortunately, this gives me no more errors on certbot creation times. unfortunately, now all sorts of interesting warnings and errors appear about how I already have some certificates, whether I want to expand things, etc. I tried a few of these variations, but the end result is that browsers get certificate errors, telling them that book.ivo-welch.info is my www.ivo-welch.info certificate, etc.

so, apologies, I need help:

[a] how do I start over? does the letsencrypt server have snippets related to ivo-welch.conf stored that could mess up further attempts of mine? or should I just remove locally /etc/letsencrypt, /var/*/letsencrypt?

[b] once I am back to zero, what is the recommended way of letsencrypt certbot with a few subdomains?

advice appreciated.

sincerely,

/ivo welch

So each of those subdomains has a separate web root path? In that case, you’d specify them separately. It’d look like “certbot certonly --webroot -w /var/www/ivo-welch.info/www -d ivo-welch.info -w /var/www/ivo-welch.info/www -d www.ivo-welch.info …”

-w is equivalent to --webroot-path, and each use of that applies to each -d that follows, until another -w is specified in the command line.
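
The -w/-d pairing described in the reply above, as an added example that is not part of the thread: it builds the certbot arguments from a domain-to-webroot mapping and checks beforehand that each domain serves files from the webroot it is paired with, which is the condition the "Invalid response" error reports as unmet. The domains and paths are taken from the first post; the function names and the probe file are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Domains and paths follow the layout in
# the first post; function names are hypothetical. Paths must not contain spaces.

# Constructed mapping, one "domain=webroot" pair per line.
PAIRS='ivo-welch.info=/var/www/ivo-welch.info/html
www.ivo-welch.info=/var/www/ivo-welch.info/www
book.ivo-welch.info=/var/www/ivo-welch.info/book
cfr.ivo-welch.info=/var/www/ivo-welch.info/cfr'

# Build the certbot arguments. A -w is emitted only when the webroot changes,
# because each -w applies to every -d after it until the next -w.
build_certbot_args() (
    prev="" out="certonly --webroot"
    while IFS='=' read -r domain root; do
        [ -n "$domain" ] || continue
        [ "$root" = "$prev" ] || { out="$out -w $root"; prev=$root; }
        out="$out -d $domain"
    done <<EOF
$1
EOF
    printf '%s\n' "$out"
)

# Pre-flight check: write a probe file where the http-01 challenge files will
# go, fetch it over plain HTTP, and print the domains that did not return it.
# $2 is an optional fetch command (default: curl) so the check can be stubbed.
preflight() (
    fetch=${2:-curl -fsS --max-time 10} failed=""
    while IFS='=' read -r domain root; do
        [ -n "$domain" ] || continue
        dir="$root/.well-known/acme-challenge" token="probe-$$"
        if mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token"; then
            got=$($fetch "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null) || got=""
            [ "$got" = "$token" ] || failed="$failed $domain"
            rm -f "$dir/$token"
        else
            failed="$failed $domain"
        fi
    done <<EOF
$1
EOF
    printf '%s\n' "${failed# }"
)

# Print the command for review; run preflight "$PAIRS" as root before using it.
echo "certbot $(build_certbot_args "$PAIRS")"
```

An empty line from `preflight` means every domain returned its probe; any domain it prints is served from a different directory than the one paired with it.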


great. (this might make a nice bit in the main guidelines and tutorials, too.)

question [1] : how do I reset everything that I messed up so far, both on my own server and the letsencrypt server with respect to my domain?

regards,

/iaw

What’s the output of “certbot certificates”?

after my 39 different attempts, it is probably a complete and total mess at this point. you would probably not believe what crazy things I tried.

I truly need to start over. I was even thinking of rebuilding my entire linux system for this sake, but would rather not. besides, I don’t know if I could have messed up something on the letsencrypt server itself. is there a foolproof generic way to get a second start in life?

also, thanks a lot for all your help, danb. I appreciate it.

#certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

## certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
No certs found.
-------------------------------------------------------------------------------

OK, so there’s nothing issued at this time (or if it was, it’s been removed since). You shouldn’t need to do anything to reset. I don’t think it would hurt to delete /etc/letsencrypt, but I don’t think it would really benefit you either.

I don't see a benefit to that either.

Hopefully we can't remove things from crt.sh! :)

Oh, is that what "certbot certificates" does? I thought it just checked the local store. Been a while since I used it; thanks for the clarification.

Oh, I’m sorry. I thought when you said “there’s nothing issued at this time” that you had searched on https://crt.sh/ (which I did when I read your note, and also found nothing). I didn’t realize you were inferring that from @iaw4’s message about certbot certificates.

certbot certificates doesn’t check crt.sh; as you remembered, it just checked /etc/letsencrypt on the local system.

this is funny. I thought you were pulling my leg when you were referring to crt.sh . I thought you were referring to cathode ray tubes. now I know that https://crt.sh/ is a website. (I tried it.)

I actually managed to get it going! (https://www.ivo-welch.info!) yeah! thanks to your help, the digital ocean tutorial, and the letsencrypt website. I kept careful notes so that when I have to do it again, I have a better roadmap for myself.

it remains a pity that this is not easier. all the darn servers should just agree on directory where everything should go in what form, and then pull it in automatically if it exists. there is little reason for webmasters to learn the black art of encryption security, when all most of us want is to change the http into an https. and without letsencrypt, this would not just be much more difficult, but also much more expensive. thanks a lot for all the hard work and the great help you have given me here.

regards,

/iaw

on another note, I was pleased to see the EFF link letsencrypt—my financial support to them is not just on principle now, but actually useful.
