Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: theowanwindow.com. Kasdivi.com
I ran this command:
It produced this output:
My web server is (include version):apache24
The operating system my web server runs on is (include version):
FreeBSD 14.1
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 3.0.1
You can see that I have been struggling for some time with SSL/TLS. It is mostly self-inflicted. Let me explain what I am trying to do (far more modest than I have tried in the past).
The situation: I have a leased server with 3 IPs available. My goal is to run two domains (kasdivi.com and theoceanwindow.com). Each domain will have several sub-domains (mail and www at the minimum). I am running Dovecot, Apache and Postfix. The original guide I followed was purplehat.org. What I think I want (but I can be wrong, as shown by my other comments) is the ability to have one certificate that will cover both domains and their sub-domains. From my current research it would appear that a wildcard certificate would handle one domain with unlimited sub-domains, but I can't find (or am looking for the wrong thing for) a way to handle two domains hosted on the same server. Is this even possible?
Probably, because it's no different from a single domain: you'd just add -d flags for each domain you want. So it'd be something like (assuming you're using Cloudflare for DNS; you'd need to adjust otherwise):
certbot certonly --dns-cloudflare -d kasdivi.com -d "*.kasdivi.com" -d theoceanwindow.com -d "*.theoceanwindow.com"
Because you're asking for wildcard certs, you'd need to use DNS validation to get them. And the wildcards need to be in quotes because otherwise your shell is likely to misinterpret them.
And there's no need for a wildcard even with multiple subdomains. It may make some things easier, but it might make things harder too. Let's Encrypt offers up to 100 names on one certificate, though generally I'd recommend splitting things out to multiple certificates before you get to that point. But having one certificate with a www, mail, and maybe-something-else subdomains, for each of two or three main domains, is well within what can make sense for one certificate.
I use bind on my home server for DNS
And that's the authoritative nameserver for those domains? That's the nameserver that the rest of the world queries? If that's the case, you'll need to configure certbot to update that. This might be helpful in that regard:
See also:
So in your example I would essentially do something like:
certbot certonly -d kasdivi.com -d mail.kasdivi.com -d www.kasdivi.com -d theoceanwindow.com -d mail.theoceanwindow.com -d www.theoceanwindow.com
Yes, it is the authoritative nameserver. Thanks for the links, but I have to figure them out for FreeBSD. I did find this about that:
Let’s Encrypt offers Domain Validation (DV) certificates.
Thus you need to own and have control over the Domain Name (or have a subdomain under an existing domain name, for example pointed to your server by your employer or school) you wish to obtain a certificate for, from an ICANN Accredited Registrar.
Since these are Domain Validation (DV) certificates, the Domain Name System (DNS) is used extensively in the validation process, as well as allowing us to assist here on the Let's Encrypt community.
DNS Queries need to give consistent results from any location on the Internet, all your authoritative DNS Servers for the Domain need to also give consistent results as well.
Testing and debugging are best done using the Staging Environment.
And to assist with debugging there is a great place to start is Let's Debug.
Presently there are no name servers shown here:
There are name servers for this domain shown here:
And ICANN doesn't know of this domain name.
ICANN does know of this domain name.
I have total control as it is my server. I have been working on this for two weeks and have massacred theoceanwindow.com, and the bloodshed has been promulgated. Also, you had a typo: it's theoceanwindow.com, not theowanwindow.com, but the correct spelling is dead too.
Ahh, glad to be of service. Sorry about that, fat fingers and bad eyes.
Best Practice - Keep Port 80 Open
If you are using the HTTP-01 challenge, Port 80 access is a MUST. It states: "The HTTP-01 challenge can only be done on port 80."
Port 80 and 443 are NOT accessible from the Internet for this domain.
$ nmap -Pn -p80,443 theoceanwindow.com
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-03 16:32 UTC
Nmap scan report for theoceanwindow.com (209.160.64.133)
Host is up.
rDNS record for 209.160.64.133: triggerfish.theoceanwindow.com
PORT STATE SERVICE
80/tcp filtered http
443/tcp filtered https
Nmap done: 1 IP address (1 host up) scanned in 3.47 seconds
Port 80 and 443 are accessible from the Internet for this domain.
$ nmap -Pn -p80,443 Kasdivi.com
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-03 16:32 UTC
Nmap scan report for Kasdivi.com (209.160.65.133)
Host is up (0.073s latency).
rDNS record for 209.160.65.133: kasdivi.com
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds
Like I said, I really massacred this. I am working on the port 80 issue.
Consider working one domain name at a time, get it working and then add the next.
My issue appears to be in the certificate which
There look like 2 different IPs being used,
use separate certs maybe?
is the host name of my server
I am still working on getting port 80 open
Fat fingers. Corrected the DNS record to read 209.160.65.133. I messed that up when I was changing IPs in response to one of the suggestions. Port 80 up, 443 to follow.
OK, I tried what I thought would work. Produced a cert and key. I ran certbot certificates and got the following cert:
Found the following certs:
Certificate Name: kasdivi.com
Serial Number: 685744b436c78114066ca3f0f8d0a979b30
Key Type: ECDSA
Domains: kasdivi.com mail.kasdivi.com mail.theoceanwindow.com theoceanwindow.com www.kasdivi.com www.theoceanwindow.com
Expiry Date: 2025-08-02 15:45:37+00:00 (VALID: 89 days)
Certificate Path: /usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/kasdivi.com/privkey.pem
OK, I can send email but cannot receive, with the following error:
warning: Wrapper-mode request dropped from c-69-142-122-175.hsd1.nj.comcast.net[69.142.122.175] for service submissions. TLS context initialization failed.
I tried a TLS test and got this:
SSL checks have no problem with any server. So I guess something in Dovecot? (I am running Postfix and Dovecot.) OK, I also get this error in my mail log:
warning: cannot get RSA private key from file "/usr/local/etc/letsencrypt/live/kasdivi.com/privkey.key"
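The thread ends with three facts worth checking together on the mail side: the Postfix log names privkey.key while certbot wrote privkey.pem, certbot certificates reports an ECDSA key, and the one certificate carries six names across both domains (the "one cert for two domains" question from the start of the thread). The script below is an added example, not code from this thread, from certbot or from Postfix. It builds a throwaway self-signed ECDSA certificate with those same six SANs as constructed test data, so it runs offline and never touches /usr/local/etc/letsencrypt, then lists the SANs and verifies that a given cert/key pair exists, reports the key algorithm, and confirms the key actually belongs to the certificate. The kasdivi.com/theoceanwindow.com names and the fullchain.pem/privkey.pem file names come from the thread; make_test_cert, san_names and check_tls_pair are names chosen here.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Postfix/Dovecot TLS cert and key.
# Test data is self-signed and generated below; it is NOT the Let's Encrypt
# certificate from the thread, only a stand-in with the same six names.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for /usr/local/etc/letsencrypt/live/kasdivi.com/:
# an ECDSA P-256 key (certbot 3.x default key type) and a cert whose SANs are
# the six -d names from the thread.
make_test_cert() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/privkey.pem" 2>/dev/null
  openssl req -new -x509 -days 1 -key "$WORK/privkey.pem" -out "$WORK/fullchain.pem" \
    -subj "/CN=kasdivi.com" \
    -addext "subjectAltName=DNS:kasdivi.com,DNS:mail.kasdivi.com,DNS:www.kasdivi.com,DNS:theoceanwindow.com,DNS:mail.theoceanwindow.com,DNS:www.theoceanwindow.com" \
    2>/dev/null
}

# Print every DNS name in the certificate's subjectAltName, one per line,
# sorted. This is the list that decides whether mail.theoceanwindow.com is
# really covered by the kasdivi.com lineage.
san_names() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed -n 's/^ *DNS://p' | sort
}

# check_tls_pair CERT KEY
#   returns 2 if either file is missing/unreadable (the privkey.key vs
#             privkey.pem typo shows up here),
#   returns 3 if the key's public half does not match the certificate,
#   returns 0 and prints the key algorithm (EC or RSA) when the pair is usable.
check_tls_pair() {
  cert=$1; key=$2
  for f in "$cert" "$key"; do
    if [ ! -r "$f" ]; then
      echo "MISSING: $f (certbot writes privkey.pem, not privkey.key)"
      return 2
    fi
  done

  # Algorithm as printed by openssl x509 -text: id-ecPublicKey or rsaEncryption.
  alg=$(openssl x509 -in "$cert" -noout -text | awk '/Public Key Algorithm/ { print $NF; exit }')
  case "$alg" in
    id-ecPublicKey) kind=EC ;;
    rsaEncryption)  kind=RSA ;;
    *)              kind=$alg ;;
  esac

  # Compare the public key embedded in the cert with the one derived from the
  # private key; hashing the PEM output gives a cheap, exact equality test.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "MISMATCH: $key is not the private key for $cert"
    return 3
  fi

  echo "OK: $kind key; certificate covers $(san_names "$cert" | wc -l | tr -d ' ') names"
  return 0
}

# Stand-alone demo on the constructed data.
make_test_cert
san_names "$WORK/fullchain.pem"
check_tls_pair "$WORK/fullchain.pem" "$WORK/privkey.pem"
rc=0; check_tls_pair "$WORK/fullchain.pem" "$WORK/privkey.key" || rc=$?
echo "exit status for the .key typo: $rc"
```

Against the real files the call is check_tls_pair /usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem /usr/local/etc/letsencrypt/live/kasdivi.com/privkey.pem, run as root since privkey.pem is not world-readable. An EC result matters for the Postfix side: the legacy smtpd_tls_cert_file/smtpd_tls_key_file parameters are for an RSA pair, an ECDSA pair goes in smtpd_tls_eccert_file/smtpd_tls_eckey_file, or on Postfix 3.4 and later both files can simply be listed in smtpd_tls_chain_files; Dovecot's ssl_cert and ssl_key accept either key type.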