Update wildcard certificate to include base domain


#1

Recently created a wildcard certificate two weeks ago, which is working well. However, I realise that it did not include the base domain.

Am I able to rerun the same command I used to create the wildcard certificate to create a certificate for the base domain?

This is the command I ran:
certbot certonly --agree-tos --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory -d *.example.com.au

Can I reuse this and include the base domain?
Will it work, as it will not be due for renewal for another 80 days…
certbot certonly --agree-tos --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory -d example.com.au *.example.com.au

Thanks in advance.
Peter


#2

If you run the certonly command with a new/extra domain (such as the base domain), then Certbot will issue a new certificate, even if your original wildcard certificate (with no base domain) is not due for renewal.

So yes, your proposed command should do exactly what you want.

The only change you need to make is to ensure that each domain is prefixed with -d:

-d "*.example.com.au" -d example.com.au

#3

Thanks for the reply.

Tested the following command:

certbot certonly --agree-tos --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory -d *.example.com.au -d example.com.au

It displayed this message, which made sense:

You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/example.com.au-0001.conf)

It contains these names: *.example.com.au

You requested these names for the new certificate: example.com.au,
*.example.com.au.

Do you want to expand and replace this existing certificate with the new
certificate?

(E)xpand/(C)ancel:

So I selected Expand.
Then it prompted me to enter two DNS challenges as follows, which made sense again:

Please deploy a DNS TXT record under the name
_acme-challenge.example.com.au with the following value:

PVi-F6N8Ggfm_Igr1q-h3zBdEsb3nHFViq6ORJ0Mq9Q

Before continuing, verify the record is deployed.

Press Enter to Continue


Please deploy a DNS TXT record under the name
_acme-challenge.example.com.au with the following value:

YV3g1sv4EEeOsc-LPiuHrDIOhnaBvwemxXcqKjYy1Bg

Before continuing, verify the record is deployed.

Created the two DNS TXT entries as follows and waited a few minutes before continuing to verify:

_acme-challenge.example.com.au PVi-F6N8Ggfm_Igr1q-h3zBdEsb3nHFViq6ORJ0Mq9Q
_acme-challenge.example.com.au YV3g1sv4EEeOsc-LPiuHrDIOhnaBvwemxXcqKjYy1Bg

And then got this error:

Domain: example.com.au
Type: unauthorized
Detail: Incorrect TXT record
“YV3g1sv4EEeOsc-LPiuHrDIOhnaBvwemxXcqKjYy1Bg” found at
_acme-challenge.example.com.au

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address

What am I missing?


#4

Sounds like you may have not waited long enough, or you did not enter the TXT records correctly.

A sure-fire way to verify that the records are being advertised by your DNS host is to use a direct query or a trace query, e.g.

dig +trace _acme-challenge.example.com.au

and verify in the output that BOTH records are present, before you continue in Certbot.


#5

Or… the second TXT record may have overwritten the first.
Ensure you have two TXT records before continuing.
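Added example for this thread (not Certbot's, Let's Encrypt's or the posters' code): a small Python checker for the advice in #4 and #5, that both challenge values must be visible at the authoritative servers before pressing Enter in Certbot. It parses the output of `dig +trace` queried with record type TXT (a plain `+trace` with no type asks for A records, which would not show the challenge) and reports which expected values are still missing, so it catches both the propagation delay and the "second record replaced the first" case. The dig output embedded below is constructed, not a real capture, and the helper that actually runs dig assumes the binary is on PATH.

```python
import re
import subprocess

# Name and values quoted from the Certbot prompts earlier in the thread.
CHALLENGE_NAME = "_acme-challenge.example.com.au"
EXPECTED = [
    "PVi-F6N8Ggfm_Igr1q-h3zBdEsb3nHFViq6ORJ0Mq9Q",
    "YV3g1sv4EEeOsc-LPiuHrDIOhnaBvwemxXcqKjYy1Bg",
]

# Constructed `dig +trace ... TXT` output (not a real capture): the trace walks
# root -> au -> the zone's own name servers, which answer with both records.
RECORD_1 = f'{CHALLENGE_NAME}.  300  IN  TXT  "{EXPECTED[0]}"'
RECORD_2 = f'{CHALLENGE_NAME}.  300  IN  TXT  "{EXPECTED[1]}"'
DIG_BOTH_PRESENT = "\n".join([
    f"; <<>> DiG 9.16.1 <<>> +trace {CHALLENGE_NAME} TXT",
    ";; global options: +cmd",
    ".  518400  IN  NS  a.root-servers.net.",
    ";; Received 239 bytes from 127.0.0.53#53(127.0.0.53) in 1 ms",
    "",
    "au.  172800  IN  NS  q.au.",
    ";; Received 1068 bytes from 198.41.0.4#53(a.root-servers.net) in 20 ms",
    "",
    "example.com.au.  86400  IN  NS  ns1.example.com.au.",
    ";; Received 540 bytes from 203.0.113.1#53(q.au) in 30 ms",
    "",
    RECORD_1,
    RECORD_2,
    ";; Received 200 bytes from 203.0.113.10#53(ns1.example.com.au) in 15 ms",
    "",
])
# Same trace when the DNS editor replaced the first TXT record instead of adding a second.
DIG_OVERWRITTEN = DIG_BOTH_PRESENT.replace(RECORD_1 + "\n", "")


def parse_txt_records(dig_output, name):
    """Set of TXT strings dig printed for `name`; comments and other owner names are skipped.
    dig splits long TXT data into several quoted chunks on one line; they are concatenated."""
    wanted = name.lower().rstrip(".")
    values = set()
    for line in dig_output.splitlines():
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)          # owner, ttl, class, type, rdata
        if len(fields) < 5 or fields[3] != "TXT":
            continue
        if fields[0].lower().rstrip(".") != wanted:
            continue
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', fields[4])
        values.add("".join(chunks))
    return values


def missing_txt_values(dig_output, name, expected):
    """Expected challenge values not visible yet, sorted (an empty list means it is safe to continue)."""
    found = parse_txt_records(dig_output, name)
    return sorted(v for v in expected if v not in found)


def run_dig_trace(name):
    """Ask the authoritative servers directly, bypassing the local resolver's cache.
    Assumes a `dig` binary on PATH; the checks in this example only use the constructed samples."""
    result = subprocess.run(["dig", "+trace", name, "TXT"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    missing = missing_txt_values(run_dig_trace(CHALLENGE_NAME), CHALLENGE_NAME, EXPECTED)
    print("all challenge records visible, safe to press Enter in Certbot" if not missing
          else f"still missing at the authoritative servers: {missing}")
```

Running it between the two Certbot prompts is the point: Certbot asks the CA to validate as soon as you press Enter, and the CA resolves the name itself, so what your own resolver has cached is irrelevant; only what the authoritative servers answer counts.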


#6

Thanks for the reply.

Not sure why, but this time it has worked. Waited the same amount of time and did an external trace to confirm the TXT records were OK.

Thanks for your help


#7

OK, now testing the new certificate, should I expect the following two scenarios to work?

  1. https://example.com.au
  2. https://subdomain.example.com.au

Should the ServerAlias in the vhost.conf file be listed as follows?

ServerAlias example.com.au *.example.com.au

Noticed this error in error.log:

[ssl:warn] [pid 1823] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)

And have now discovered all my subdomains are no longer working. This previously worked and now doesn’t:

https://subdomain.example.com.au


#8

Yes, provided they resolve to your IP and you are serving something there - yes.

I personally prefer to see the actual alias names there, like:
example.com.au
something.example.com.au
another.example.com.au
and would only use the alias *.example.com.au for a “catch-all”, to serve the “lost”.
But it can be included if your sites will be sharing the same vhost config file.
Otherwise, you should understand that order may matter.
Which would match first…
Exact match or wildcard match? That would require some testing on your part.

I think that is how SNI works but it is weird to see it as an error.

Again, this may be due to “order matters”.
How many vhost configs do you have?
How are they ordered?
List the servernames and their aliases in the order they are processed and you may find why it fails.

I’m assuming that your main config file has something like:
include /etc/nginx/sites-enabled/*
IncludeOptional sites-enabled/*.conf
If so, it would process those “sites” alphabetically.
And if more than one includes an alias for the wildcard ("*.example.com.au") it will be served by the first match.


#9

This is a working server that I have been using for some months. The IP points correctly to the base domain and subdomains.

We have a few vhosts on this server. It is a staging/testing server, so I am able to test safely.
For the purpose of this troubleshooting, I have disabled all conf files except the default, which should resolve to

example.com.au

The names of the conf files are:

00_default.conf
01_default-le-ssl.conf

Both conf files above have the server alias as follows.

Alias example.com.au *.example.com.au

I am trying to capture anything that does not fit our other subdomains, such as

dom1.example.com.au dom3.example.com.au dom3.example.com.au…etc

These correctly display the host:

http://example.com.au and http://www.example.com.au

These say the connection is not secure, with “ERR_CERT_AUTHORITY_INVALID” in Chrome:

https://example.com.au and https://www.example.com.au


#10

The conf files that would serve any of those other names must come above (alphabetically) the “default” conf files.
Try changing 00_default.conf to 99_default.conf or ZZZ_default.conf
and 01_default-le-ssl.conf to 99_default-le-ssl.conf or ZZZ_default-le-ssl.conf
and re-enable some other conf files (ensuring they are alphabetically lower than the defaults).
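Added example for this thread (not Apache's code and not from any poster): a Python simulation of the two things #8 and #10 are reasoning about, which vhost Apache httpd picks for a given Host/SNI name, and how the file order of `IncludeOptional sites-enabled/*.conf` decides which vhost is "first". It encodes Apache's documented rules: the first vhost in configuration order whose ServerName or any ServerAlias matches wins (so a wildcard alias in an earlier vhost beats an exact name in a later one, which answers the "exact or wildcard" question), and when nothing matches the first vhost listed is the default. Wildcard includes are sorted by plain byte order (strcmp), so digits and capital letters sort before lowercase file names; that is why the run below also tries a lowercase prefix. The conf file names and the `subdomain-le-ssl.conf` vhost are constructed for the illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class VHost:
    conf_file: str                               # file name under sites-enabled/
    server_name: str                             # ServerName
    aliases: list = field(default_factory=list)  # ServerAlias entries, wildcards allowed


def name_matches(pattern, host):
    """ServerName/ServerAlias test: case-insensitive; '*' and '?' are globs, and
    '*' also spans dots, so *.example.com.au matches a.b.example.com.au but not
    the bare example.com.au."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if "*" in pattern or "?" in pattern:
        return fnmatchcase(host, pattern)
    return pattern == host


def include_order(vhosts):
    """Load order of `IncludeOptional sites-enabled/*.conf`: file names compared
    byte by byte (strcmp), so '0'-'9' < 'A'-'Z' < 'a'-'z'."""
    return sorted(vhosts, key=lambda v: v.conf_file.encode())


def select_vhost(vhosts, host):
    """The vhost that answers for `host`: the first one in load order whose
    ServerName or any ServerAlias matches; with no match at all, the first vhost listed."""
    ordered = include_order(vhosts)
    for vh in ordered:
        if name_matches(vh.server_name, host) or any(name_matches(a, host) for a in vh.aliases):
            return vh
    return ordered[0]


# Constructed layout from the thread: a catch-all default vhost beside one real subdomain vhost.
SUBDOMAIN = VHost("subdomain-le-ssl.conf", "subdomain.example.com.au")


def catch_all(conf_file):
    """The poster's default vhost (ServerAlias example.com.au *.example.com.au) under a given file name."""
    return VHost(conf_file, "example.com.au", ["example.com.au", "*.example.com.au"])


def serving_file(default_conf_file, host):
    """Which conf file Apache would use for `host` when the catch-all is combined with SUBDOMAIN."""
    return select_vhost([catch_all(default_conf_file), SUBDOMAIN], host).conf_file


if __name__ == "__main__":
    for name in ("01_default-le-ssl.conf", "99_default-le-ssl.conf",
                 "ZZZ_default-le-ssl.conf", "zzz_default-le-ssl.conf"):
        print(f"{name:26} subdomain.example.com.au -> {serving_file(name, 'subdomain.example.com.au')}")
```

The run shows that `99_` and `ZZZ_` still sort ahead of a lowercase `subdomain-le-ssl.conf`, so the catch-all keeps winning (and keeps serving its own certificate for the subdomain); a lowercase `zzz_` prefix, or numeric prefixes on every site file, puts the default last. `apachectl -S` prints the vhosts in the order Apache actually loaded them, which is the quickest way to confirm the real order on a server.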


#11

This may be due to incomplete cert being served…
Be sure you are using the fullchain.pem not just the cert.pem
Or you’ve somehow used the wrong intermediate cert or attached a mismatched root.
It is very difficult to really help you without an actual domain name.


#12

Was using chain.pem; however, it has not made a difference.

This just diverts from

https://example.com.au --> http://example.com.au

This displays the error message first:

https://www.example.com.au

Have enabled one other vhost that correctly serves both http://site and https://site.
The ServerAlias for both SSL and HTTP for this site is:

ServerAlias subdomain.example.com.au


#13

I’m glad you are making progress, but I don’t think I can help much more without some real details.


#14

When I go to the site via HTTPS, I get a browser error. Viewing the error, it displays the contents of the certificates.
There are three certificates displayed. The contents of the bottom two match what is in the *.pem files.
The contents of the top certificate I cannot match with any of the .pem files. It appears to be the size of a CSR file but does not match the contents of those files or any other file.
What is this information?
I can still not get the base domain to work and am running out of ideas.

-----BEGIN CERTIFICATE-----
MIID/jCCAuagAwIBAgICfAAwDQYJKoZIhvcNAQELBQAwgbMxCzAJBgNVBAYTAi0t
MRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQK
DBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxV
bml0MRowGAYDVQQDDBEzZGNzdGFnaW5nLmNvbS5hdTElMCMGCSqGSIb3DQEJARYW
cm9vdEAzZGNzdGFnaW5nLmNvbS5hdTAeFw0xNzExMTUyMzUxMjVaFw0xODExMTUy
MzUxMjVaMIGzMQswCQYDVQQGEwItLTESMBAGA1UECAwJU29tZVN0YXRlMREwDwYD
VQQHDAhTb21lQ2l0eTEZMBcGA1UECgwQU29tZU9yZ2FuaXphdGlvbjEfMB0GA1UE
CwwWU29tZU9yZ2FuaXphdGlvbmFsVW5pdDEaMBgGA1UEAwwRM2Rjc3RhZ2luZy5j
b20uYXUxJTAjBgkqhkiG9w0BCQEWFnJvb3RAM2Rjc3RhZ2luZy5jb20uYXUwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCTw7MPUtZC/tINz+O9AancbGbv
q2/2IFfoGFrg5HmS2hAVP0SKJF6bpi0Wxs7r4IGEqKvGVopUxzlcOEhgM+BhH5ad
BW5ihSFOtabBNR4ygHB3QqLVokBEEzqfs9qFJpHjsqCGuVT6DWC3ApeA+58+UvCV
ptzoQ97OG3gEtvnZRunKMw/vG4DddDvUzZVe2k6H1dXXeZLHzoRrbtcZMj3Of7NH
iCuLKa2V6nMBQLvcbsj7kczi0tuzWVq79eTDoxBkVvImy3ZrFfTXiCDBxGB9FQMw
KfYlAls6Atmjb6sFTWSx3MwcBIri45Fj8aEoAALc9w9/sUIE1ba38y9uYoCxAgMB
AAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBCwUAA4IB
AQA9rX2HK6gzMKrCUdZvsVkYh6rR9a2WG/tg76ciB3yFwFsqih4GDyUB1cSvfuqe
fRUs5COFF7pa62gAPaN8SaJJ3EusRU/ifFToKml+c75LXCsyDUimUKtp6aeV6r6/
hheriXGpiPj2EuXpRe082bdOwBd4B9plrbo9jtRf2fuuKVGFrOsf9C1EdxLZlysu
G2Jqjk89ioVFg56IyACnlwT52UM2Gj99JGYlZ3FZsIIrl90/HODQoEhKXPf4Xd87
sbsJjLiNTt245ZQIqh332unucOATJSK0dHrPzVoNCuBEAia/32GTsmZH3hnjZK1e
UcW/JftZl6zk0yj9laXbfvkC
-----END CERTIFICATE-----


#15

What information can I provide?


#16

This is very confusing…
Can you provide a screenshot?


#17

The screenshot is very long. Have copied the contents to the clipboard as reported in the Firefox browser.

To try to explain: I see three certificates, three times…

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

From the browser:

https://example.com.au/

Peer’s Certificate issuer is not recognized.

HTTP Strict Transport Security: false
HTTP Public Key Pinning: false

Certificate chain:

-----BEGIN CERTIFICATE-----
MIID/jCCAuagAwIBAgICfAAwDQYJKoZIhvcNAQELBQAwgbMxCzAJBgNVBAYTAi0t
MRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQK
DBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxV
bml0MRowGAYDVQQDDBEzZGNzdGFnaW5nLmNvbS5hdTElMCMGCSqGSIb3DQEJARYW
cm9vdEAzZGNzdGFnaW5nLmNvbS5hdTAeFw0xNzExMTUyMzUxMjVaFw0xODExMTUy
MzUxMjVaMIGzMQswCQYDVQQGEwItLTESMBAGA1UECAwJU29tZVN0YXRlMREwDwYD
VQQHDAhTb21lQ2l0eTEZMBcGA1UECgwQU29tZU9yZ2FuaXphdGlvbjEfMB0GA1UE
CwwWU29tZU9yZ2FuaXphdGlvbmFsVW5pdDEaMBgGA1UEAwwRM2Rjc3RhZ2luZy5j
b20uYXUxJTAjBgkqhkiG9w0BCQEWFnJvb3RAM2Rjc3RhZ2luZy5jb20uYXUwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCTw7MPUtZC/tINz+O9AancbGbv
q2/2IFfoGFrg5HmS2hAVP0SKJF6bpi0Wxs7r4IGEqKvGVopUxzlcOEhgM+BhH5ad
BW5ihSFOtabBNR4ygHB3QqLVokBEEzqfs9qFJpHjsqCGuVT6DWC3ApeA+58+UvCV
ptzoQ97OG3gEtvnZRunKMw/vG4DddDvUzZVe2k6H1dXXeZLHzoRrbtcZMj3Of7NH
iCuLKa2V6nMBQLvcbsj7kczi0tuzWVq79eTDoxBkVvImy3ZrFfTXiCDBxGB9FQMw
KfYlAls6Atmjb6sFTWSx3MwcBIri45Fj8aEoAALc9w9/sUIE1ba38y9uYoCxAgMB
AAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBCwUAA4IB
AQA9rX2HK6gzMKrCUdZvsVkYh6rR9a2WG/tg76ciB3yFwFsqih4GDyUB1cSvfuqe
fRUs5COFF7pa62gAPaN8SaJJ3EusRU/ifFToKml+c75LXCsyDUimUKtp6aeV6r6/
hheriXGpiPj2EuXpRe082bdOwBd4B9plrbo9jtRf2fuuKVGFrOsf9C1EdxLZlysu
G2Jqjk89ioVFg56IyACnlwT52UM2Gj99JGYlZ3FZsIIrl90/HODQoEhKXPf4Xd87
sbsJjLiNTt245ZQIqh332unucOATJSK0dHrPzVoNCuBEAia/32GTsmZH3hnjZK1e
UcW/JftZl6zk0yj9laXbfvkC
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----


#18

This first cert is self-signed - not from LetsEncrypt.


#19

Meaning that it is not a problem from LE?


#20

The list with 3 certs has the bad first cert (self-signed),
followed by two good ones, which, if used without #1, should make your site work properly.

The question is how does the first cert get into the final file?
You need to review your scripts and see how the final cert gets built.
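Added example for this thread (not Certbot's, Apache's, Let's Encrypt's or any poster's code): a standard-library Python checker for the diagnosis in #18 and #20, that the first certificate in the served chain is self-signed and the chain therefore cannot be the one Certbot issued. A minimal DER walk pulls the issuer and subject Name fields out of each certificate and compares them byte for byte (RFC 5280 allows looser Name comparison, but DER-identical names is the normal case and the one that matters here); the leaf is flagged if it is its own issuer, and every link is checked so that a certificate not issued by the next one in the file is reported too. The sample input is the first certificate pasted in this thread; the two Let's Encrypt certificates were not reproduced in full there.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = bytes.fromhex("0603550403")   # id-at-commonName (2.5.4.3) as a DER TLV

# The first certificate from the chain pasted earlier in the thread.
SERVED_CHAIN = """\
-----BEGIN CERTIFICATE-----
MIID/jCCAuagAwIBAgICfAAwDQYJKoZIhvcNAQELBQAwgbMxCzAJBgNVBAYTAi0t
MRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQK
DBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxV
bml0MRowGAYDVQQDDBEzZGNzdGFnaW5nLmNvbS5hdTElMCMGCSqGSIb3DQEJARYW
cm9vdEAzZGNzdGFnaW5nLmNvbS5hdTAeFw0xNzExMTUyMzUxMjVaFw0xODExMTUy
MzUxMjVaMIGzMQswCQYDVQQGEwItLTESMBAGA1UECAwJU29tZVN0YXRlMREwDwYD
VQQHDAhTb21lQ2l0eTEZMBcGA1UECgwQU29tZU9yZ2FuaXphdGlvbjEfMB0GA1UE
CwwWU29tZU9yZ2FuaXphdGlvbmFsVW5pdDEaMBgGA1UEAwwRM2Rjc3RhZ2luZy5j
b20uYXUxJTAjBgkqhkiG9w0BCQEWFnJvb3RAM2Rjc3RhZ2luZy5jb20uYXUwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCTw7MPUtZC/tINz+O9AancbGbv
q2/2IFfoGFrg5HmS2hAVP0SKJF6bpi0Wxs7r4IGEqKvGVopUxzlcOEhgM+BhH5ad
BW5ihSFOtabBNR4ygHB3QqLVokBEEzqfs9qFJpHjsqCGuVT6DWC3ApeA+58+UvCV
ptzoQ97OG3gEtvnZRunKMw/vG4DddDvUzZVe2k6H1dXXeZLHzoRrbtcZMj3Of7NH
iCuLKa2V6nMBQLvcbsj7kczi0tuzWVq79eTDoxBkVvImy3ZrFfTXiCDBxGB9FQMw
KfYlAls6Atmjb6sFTWSx3MwcBIri45Fj8aEoAALc9w9/sUIE1ba38y9uYoCxAgMB
AAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBCwUAA4IB
AQA9rX2HK6gzMKrCUdZvsVkYh6rR9a2WG/tg76ciB3yFwFsqih4GDyUB1cSvfuqe
fRUs5COFF7pa62gAPaN8SaJJ3EusRU/ifFToKml+c75LXCsyDUimUKtp6aeV6r6/
hheriXGpiPj2EuXpRe082bdOwBd4B9plrbo9jtRf2fuuKVGFrOsf9C1EdxLZlysu
G2Jqjk89ioVFg56IyACnlwT52UM2Gj99JGYlZ3FZsIIrl90/HODQoEhKXPf4Xd87
sbsJjLiNTt245ZQIqh332unucOATJSK0dHrPzVoNCuBEAia/32GTsmZH3hnjZK1e
UcW/JftZl6zk0yj9laXbfvkC
-----END CERTIFICATE-----
"""


def split_pem(bundle):
    """DER bytes of every CERTIFICATE block, in the order the server sent them."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(bundle)]


def tlv(buf, pos):
    """Decode one DER tag/length header at buf[pos]; return (tag, value_start, end)."""
    tag, length, p = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[p:p + n], "big")
        p += n
    return tag, p, p + length


def issuer_and_subject(der):
    """Raw DER of the issuer and subject Name fields of one X.509 certificate."""
    _, p, _ = tlv(der, 0)                  # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, p, _ = tlv(der, p)                  # TBSCertificate ::= SEQUENCE { ... }
    tag, _, end = tlv(der, p)
    if tag == 0xA0:                        # [0] EXPLICIT version (optional)
        p = end
    _, _, p = tlv(der, p)                  # serialNumber
    _, _, p = tlv(der, p)                  # signature AlgorithmIdentifier
    start = p
    _, _, p = tlv(der, p)                  # issuer Name
    issuer = der[start:p]
    _, _, p = tlv(der, p)                  # validity
    start = p
    _, _, p = tlv(der, p)                  # subject Name
    return issuer, der[start:p]


def common_name(name_der):
    """CN attribute of a DER Name; the first attribute of each RDN is inspected."""
    _, p, end = tlv(name_der, 0)           # Name ::= SEQUENCE OF RelativeDistinguishedName
    while p < end:
        _, rdn_p, rdn_end = tlv(name_der, p)        # SET OF AttributeTypeAndValue
        _, attr_p, _ = tlv(name_der, rdn_p)         # SEQUENCE { type, value }
        _, _, oid_end = tlv(name_der, attr_p)       # AttributeType OID
        if name_der[attr_p:oid_end] == CN_OID:
            _, v_p, v_end = tlv(name_der, oid_end)  # AttributeValue (a string type)
            return name_der[v_p:v_end].decode("utf-8", "replace")
        p = rdn_end
    return None


def chain_problems(bundle):
    """Defects in the served chain, in order; an empty list means the chain links up."""
    names = [issuer_and_subject(der) for der in split_pem(bundle)]
    if not names:
        return ["no certificates found"]
    problems = []
    issuer, subject = names[0]
    if issuer == subject:                  # a leaf signed by itself: no CA vouches for it
        problems.append(f"cert #1 (CN={common_name(subject)}) is self-signed, not CA-issued")
    for i in range(len(names) - 1):        # each issuer must be the subject of the next cert
        if names[i][0] != names[i + 1][1]:
            problems.append(f"cert #{i + 1} was not issued by cert #{i + 2}; the chain breaks there")
    return problems


if __name__ == "__main__":
    for i, der in enumerate(split_pem(SERVED_CHAIN), 1):
        issuer, subject = issuer_and_subject(der)
        print(f"#{i}: subject CN={common_name(subject)!r}, issuer CN={common_name(issuer)!r}")
    print(chain_problems(SERVED_CHAIN) or ["chain links up"])
```

To capture what a server really sends rather than what is on disk, `openssl s_client -connect host:443 -servername host -showcerts` prints the served chain in PEM form; paste that in place of SERVED_CHAIN. Run on the certificate from this thread, the checker reports cert #1 as self-signed, the same finding as #18: a certificate in the leaf position that no CA issued, so the browser's "issuer is not recognized" error is the expected outcome whatever follows it in the file. Running the same check against fullchain.pem, whose first certificate must be issued by the second, shows where the served chain and the issued one diverge, which is the review #20 asks for.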