Two domains at 1 IP by certbot 4 nginx: one goes, the other not

Hi community,

I’m Georg and I’m new to certbot. I have two portals with two domains on one server with nginx.

My domain is:
https://kindersachenflohmarkt-teningen.de

I ran this command:
/usr/local/bin/certbot-auto certonly --nginx

It produced this output:
I left the choice empty to make two certificates for two domains.
The success message was only for one (see above). So I started the command again and chose the second domain https://vam-teningen.de.
You can see that the second domain works. The same config with target to the second portal kindersachenflohmarkt-teningen and it doesn’t work. Funny is that ssllabs.com/ssltest says when checking http://vam-teningen.de, there are alternative names with names of both portals… Is the problem that there is now one certificate for both portals and one domain is hosted by another hoster?

My web server is (include version):
nginx

The operating system my web server runs on is (include version):
debian 9

My hosting provider, if applicable, is:
the portals and the second domain (vam-teningen.de) are on hostservice 1blu.de and the second domain (kindersachenflohmarkt-teningen.de) is hosted by Strato.de and there is a proxy forwarding to the address with ip (port 80) to 1blu.

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
putty for debian and filezilla for ftp. For the portals there is a client on my pc.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

I hope somebody can help me to let the second domain run with ssl…
I don’t know if there is anything wrong with the certificate or with the nginx-config…
Thank you a lot for help!

Hi @homers

what's a proxy forwarding?

Checking both domains there are different ip addresses:

First domain (only the non-www) - https://check-your-website.server-daten.de/?q=kindersachenflohmarkt-teningen.de

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| kindersachenflohmarkt-teningen.de | A | 81.169.145.93 Berlin/Land Berlin/Germany (DE) - Strato AG Hostname: w8d.rzone.de | yes | 2 | 0 |
| | AAAA | 2a01:238:20a:202:1093:: Berlin/Land Berlin/Germany (DE) - Strato Rechenzentrum | yes | | |

There is no working https.

Second domain - https://check-your-website.server-daten.de/?q=vam-teningen.de

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| vam-teningen.de | A | 178.254.8.50 Berlin/Land Berlin/Germany (DE) - EVANZO-MK Hostname: v14850.1blu.de | yes | 1 | 0 |
| | AAAA | | yes | | |

Where runs your Certbot? If you use http validation, normally (ok, there are other setups) both domains must use the same ip addresses.

That domain has a working https connection - but with the wrong certificate, with the certificate of the first domain.

And your first domain - there are three Letsencrypt certificates:

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2020-01-21 | 2020-04-20 | kindersachenflohmarkt-teningen.de - 1 entries | duplicate nr. 2 | |
| Let's Encrypt Authority X3 | 2020-01-21 | 2020-04-20 | kindersachenflohmarkt-teningen.de - 1 entries | duplicate nr. 1 | |
| Let's Encrypt Authority X3 | 2020-01-21 | 2020-04-20 | kindersachenflohmarkt-teningen.de, vam-teningen.de - 2 entries | duplicate nr. 1 | |

Ah, your second domain has a certificate with both domain names.

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2020-01-21 | 2020-04-20 | vam-teningen.de - 1 entries | duplicate nr. 2 | |
| Let's Encrypt Authority X3 | 2020-01-21 | 2020-04-20 | vam-teningen.de - 1 entries | duplicate nr. 1 | |
| Let's Encrypt Authority X3 | 2020-01-21 | 2020-04-20 | kindersachenflohmarkt-teningen.de, vam-teningen.de - 2 entries | duplicate nr. 1 | |

Did you change your dns A records? Normally, you can't create a certificate via --nginx with two domain names, if the two domain names have different ip addresses and if you run certbot on one ip address.

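A pre-flight check for the point made in the post above, added here as an example that is not part of either poster's messages: before requesting a certificate with `--nginx` (HTTP validation), confirm that every A and AAAA record of each name points at the machine running certbot, since Let's Encrypt prefers the IPv6 address when an AAAA record exists. The function names are hypothetical, and the sample DNS data is constructed from the tables quoted in the thread.

```python
import ipaddress
import socket

def resolve(name):
    """Return the set of A/AAAA addresses the system resolver gives for name."""
    infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def preflight(names, server_ips, resolver=resolve):
    """Map each name to the addresses that do NOT belong to this server.

    An empty list means every A/AAAA record points at the machine running
    certbot, so an HTTP validation request for that name will reach it.
    """
    ours = {ipaddress.ip_address(ip) for ip in server_ips}
    report = {}
    for name in names:
        addrs = {ipaddress.ip_address(a) for a in resolver(name)}
        if not addrs:
            # A name without any address can never be validated over HTTP.
            report[name] = ["(no A/AAAA record)"]
            continue
        report[name] = sorted(str(a) for a in addrs - ours)
    return report

# Constructed resolver data, copied from the DNS tables quoted in the thread.
SAMPLE_DNS = {
    "kindersachenflohmarkt-teningen.de": {"81.169.145.93",
                                          "2a01:238:20a:202:1093::"},
    "vam-teningen.de": {"178.254.8.50"},
}

def sample_resolver(name):
    """Offline stand-in for resolve(), backed by SAMPLE_DNS."""
    return SAMPLE_DNS[name]

if __name__ == "__main__":
    # 178.254.8.50 is the 1blu server address shown in the thread.
    result = preflight(SAMPLE_DNS, ["178.254.8.50"], resolver=sample_resolver)
    for name, foreign in result.items():
        status = "ok" if not foreign else "points elsewhere: " + ", ".join(foreign)
        print(f"{name}: {status}")
```

Dropping the `resolver=` argument makes the same call use live DNS instead of the embedded sample.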

Hi @JuergenAuer,

thank you for your answer :slight_smile:

“what’s a proxy forwarding?”
good question. I took this at Strato, because they wrote that the user see the source domain name, not the target IP (301 forwarding).

“Where runs your Certbot?”
The Certbot is running at 1blu, where the vam-teningen.de domain is hosted, too.
I ordered at Strato only the domain (I wouldn’t have done it when I know what there are for problems).

“there are three Letsencrypt certificates:”
Yes, I tried to make new certificates for only one domain… I thought that at the end there is only one certificate…

“Did you change your dns A records? Normally, you can’t create a certificate via --nginx with two domain names, if the two domain names have different ip addresses and if you run certbot on one ip address.”
No, I don’t know where I can change dns records. That sounds logical what you say… Is there any possibility to get the Strato domain kindersachenflohmarkt-teningen.de with a ssl?
I have only root rights at 1blu server…

Sounds like there is a system that contacts the second server to get the information.

Like a normal proxy.

If you don't have root access, your hoster must have a solution.

If there is no hoster, change your hoster. But there is something, looks like a small content management system.

<meta name="author" content="United Planet GmbH">
<meta name="description" content="Beschreiben Sie hier Ihre Website.">

Runs that on your 1blu server?

I wrote Strato and they now answer that I have to make the certificate at 1blu, where the system is and then it must work (they say). I'm uncertain what to do now.
Perhaps I will call both hosters to ask how fast I can change the hoster of the domain. The time runs... :frowning:

That is the portal software I need to edit the two portals and develop the applications (low code platform) and it runs on the 1blu server, yes.

Then it's the easiest that your kindersachenflohmarkt-teningen domain has the same ip address like your other domain.

If this is possible, you don't need the domain provider of that domain.
