What the hell did I do wrong? Adding New Domain


#1

Y’all, it’s been a while since I setup my cert. And, I added a domain a while back but now I’m going bonkers trying to figure out how to do it correctly.

I have two SSLs working great at nerdlouisville.org and pfaff.blog (yes, I’m a nerd). I’m trying to add a new domain and I’m screwing it all up.

For whatever reason, I’m adding the following:

ls /etc/letsencrypt/live
nerdlouisville.org nerdlouisville.org-0001 pfaff.blog

Instead of the new domain I’m trying to add (see below).

My new domain is: louisvilledungeonmaster.com

I ran this command: :/etc/letsencrypt# letsencrypt certonly --expand -d nerdlouisville.org -d pfaff.blog -d louisvilledungeonmaster.com

It produced this output: IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/nerdlouisville.org-0001/fullchain.pem. Your
    cert will expire on 2019-03-19. To obtain a new version of the
    certificate in the future, simply run Let’s Encrypt again.

  • If you like Let’s Encrypt, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version): nginx version: nginx/1.10.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Any help would be greatly appreciated. I do this like once every other year. I promise to take notes this time for next time.

THANK YOU!


#2

You could try specifying

--cert-name nerdlouisville.org

to specify which existing certificate it should be expanding.

Once they’re all consolidated, you can remove the other two.

letsencrypt delete --cert-name <cert-to-delete>

#3

Thanks for the quick reply. Can you explain what would be happening if I ran --cert-name nerdlouisville.org?

That consolidates all the certs into one?


#4

I think if you run:

letsencrypt certificates

you should be able to see what’s going on a little bit more clearly.

You did issue a certificate for your new domain, it’s just that the certificate is identified by a name other than louisvilledungeonmaster.com.

Once you see that you have 3 different certificates that more or less overlap in their coverage, you can then act to consolidate them into a single certificate (or do nothing and use your certificates as-is, it’s up to you :stuck_out_tongue: )


#5

I appreciate the help!

Yeah, I wouldn’t mind consolidating if that makes things cleaner. Still confused why it named it something other than the domain I requested.

In any case, I’m getting an error when I try to run that.

letsencrypt: error: unrecognized arguments: certificates


#6

Weird. You must have a really ancient version of Certbot:

letsencrypt --version

It’s because:

When you ran this, it meant, “create a certificate that is valid for these three domains”. The certificate took the first domain in the command as its primary name.

You could point your new domain at the /etc/letsencrypt/live/nerdlouisville.org-0001/fullchain.pem certificate and it should be totally valid, without you doing anything further.


#7

I told you it’s been a while! :smile:

letsencrypt 0.4.1

Guessing I should update this?

I see. That clarification makes sense.


#8

Wow! I don’t think I’ve seen anybody using a version this old ever. Here you go: https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx (edit: gave you the wrong link, here’s the one for nginx)

It’ll be compatible with your existing certificates/setup (but you’ll have to type certbot instead of letsencrypt).


#9

Haha. Let me update really quickly. :smile:


#10

Updated. Output of letsencrypt certificates is:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: nerdlouisville.org
Domains: community.nerdlouisville.org nerdlouisville.com nerdlouisville.org nerdlouvia.com www.nerdlouisville.com www.nerdlouisville.org www.nerdlouvia.com
Expiry Date: 2019-03-05 03:28:15+00:00 (VALID: 75 days)
Certificate Path: /etc/letsencrypt/live/nerdlouisville.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/nerdlouisville.org/privkey.pem
Certificate Name: pfaff.blog
Domains: pfaff.blog www.pfaff.blog
Expiry Date: 2019-02-15 03:28:07+00:00 (VALID: 57 days)
Certificate Path: /etc/letsencrypt/live/pfaff.blog/fullchain.pem
Private Key Path: /etc/letsencrypt/live/pfaff.blog/privkey.pem
Certificate Name: nerdlouisville.org-0001
Domains: louisvilledungeonmaster.com community.nerdlouisville.org nerdlouisville.com nerdlouisville.org nerdlouvia.com pfaff.blog www.louisvilledungeonmaster.com www.nerdlouisville.org www.nerdlouvia.com www.pfaff.blog
Expiry Date: 2019-03-19 04:29:11+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/nerdlouisville.org-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/nerdlouisville.org-0001/privkey.pem


#11

So if you want, you could just use this certificate, and ignore/remove the other two.

Because it is a strict superset of the other certificates.


#12

So, if I’m understanding this correctly: That final certificate is the only one I really need. And, if I update my server blocks to that path, all of the sites should be good to go?

Edit: Ninja’d. Got it! This is excellent!


#13

One final question since I have you. And, truly, I appreciate this help. It’s been fantastic.

The next time I want to add a domain to this cert, what’s the best way to do that WITHOUT creating yet another one?


#14

I believe that --cert-name <name> should do the trick to update an existing certificate (as identified by its name in letsencrypt certificates).
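The output in #10, the "strict superset" reasoning in #11 and the `--cert-name` advice in #14 can be tied together with a small check. The script below is an added example, not code from the thread or from Certbot: it parses the text `certbot certificates` prints (the poster's own output from #10 is embedded as the sample so it runs offline), reports which lineages strictly contain which, lists any domain that would be left without a certificate if only one lineage were kept, and composes the `certbot certonly --cert-name ... --expand` command from #14 as a string for review rather than running it. Run against the #10 listing it shows that `nerdlouisville.org-0001` strictly contains `pfaff.blog` but not `nerdlouisville.org`: `www.nerdlouisville.com` is absent from the -0001 lineage, so deleting the old `nerdlouisville.org` certificate without first expanding -0001 would drop that hostname. No authenticator flag (`--nginx`, `--webroot`, ...) is added to the generated command; that choice depends on how the lineage was issued.

```python
"""Pick the Certbot lineage to keep and build the command that grows it.
Added example, not from the thread; see the lead-in for what it assumes."""
import shlex

# Constructed sample: the `certbot certificates` output posted in #10.
SAMPLE = """\
Found the following certs:
  Certificate Name: nerdlouisville.org
    Domains: community.nerdlouisville.org nerdlouisville.com nerdlouisville.org nerdlouvia.com www.nerdlouisville.com www.nerdlouisville.org www.nerdlouvia.com
    Expiry Date: 2019-03-05 03:28:15+00:00 (VALID: 75 days)
    Certificate Path: /etc/letsencrypt/live/nerdlouisville.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/nerdlouisville.org/privkey.pem
  Certificate Name: pfaff.blog
    Domains: pfaff.blog www.pfaff.blog
    Expiry Date: 2019-02-15 03:28:07+00:00 (VALID: 57 days)
    Certificate Path: /etc/letsencrypt/live/pfaff.blog/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/pfaff.blog/privkey.pem
  Certificate Name: nerdlouisville.org-0001
    Domains: louisvilledungeonmaster.com community.nerdlouisville.org nerdlouisville.com nerdlouisville.org nerdlouvia.com pfaff.blog www.louisvilledungeonmaster.com www.nerdlouisville.org www.nerdlouvia.com www.pfaff.blog
    Expiry Date: 2019-03-19 04:29:11+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/nerdlouisville.org-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/nerdlouisville.org-0001/privkey.pem
"""


def parse_certificates(text):
    """Turn `certbot certificates` output into lineage dicts: name,
    domains (in listed order) and the live/ paths."""
    certs, cur = [], None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if key == "Certificate Name":
            cur = {"name": value, "domains": []}
            certs.append(cur)
        elif cur is None:
            continue
        elif key == "Domains":
            cur["domains"] = value.split()
        elif key == "Certificate Path":
            cur["cert_path"] = value
        elif key == "Private Key Path":
            cur["key_path"] = value
    return certs


def _by_name(certs, name):
    return next(c for c in certs if c["name"] == name)


def strict_supersets(certs):
    """For each lineage, the names of lineages whose domain set it strictly
    contains: the ones that could be deleted in its favour (#11)."""
    return {
        a["name"]: sorted(b["name"] for b in certs
                          if b is not a
                          and set(b["domains"]) < set(a["domains"]))
        for a in certs
    }


def left_uncovered(certs, keep):
    """Domains on some other lineage but not on `keep`: the hostnames that
    would lose their certificate if every other lineage were deleted."""
    keep_set = set(_by_name(certs, keep)["domains"])
    others = set()
    for c in certs:
        if c["name"] != keep:
            others.update(c["domains"])
    return sorted(others - keep_set)


def expand_command(certs, cert_name, new_domains):
    """Compose the #14 invocation: reissue lineage `cert_name` with its
    current names plus `new_domains` instead of minting a new -000N lineage.
    --expand tells certbot the request is a superset of what the lineage
    already holds.  No authenticator flag is added (assumption: the caller
    appends --nginx, --webroot -w ..., or whatever the lineage was issued
    with)."""
    domains = list(_by_name(certs, cert_name)["domains"])
    domains += [d for d in new_domains if d not in domains]
    args = ["certbot", "certonly", "--cert-name", cert_name, "--expand"]
    for d in domains:
        args += ["-d", d]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    certs = parse_certificates(SAMPLE)
    for name, contained in strict_supersets(certs).items():
        print(f"{name}: strict superset of {contained or 'nothing'}")
    gap = left_uncovered(certs, "nerdlouisville.org-0001")
    print("would lose coverage if only -0001 is kept:", gap)
    print(expand_command(certs, "nerdlouisville.org-0001", gap))
```

Feed real output in with `certbot certificates | python3 thisfile.py` style plumbing if you adapt it; the point of keeping the domain list in listed order is that the generated command changes nothing about the existing names and only appends the new ones.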


#15

Looks like all my sites are working great except one. Getting this error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] SSL_CTX_load_verify_locations("/etc/letsencrypt/live/nerdlouisville.org/chain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/nerdlouisville.org/chain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib)
nginx: configuration file /etc/nginx/nginx.conf test failed

The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] SSL_CTX_load_verify_locations("/etc/letsencrypt/live/nerdlouisville.org/chain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/nerdlouisville.org/chain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n',)
root@lemp-1gb-nyc3-01:~# nginx -t
nginx: [emerg] SSL_CTX_load_verify_locations("/etc/letsencrypt/live/nerdlouisville.org/chain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/nerdlouisville.org/chain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib)
nginx: configuration file /etc/nginx/nginx.conf test failed

Think it has to do with switching up the certs?


#16

Just update this reference in the nginx config to the -0001 one (and any others).

grep -Ri ssl_certificate /etc/nginx

#17

Fixed that. Getting an error when I run nginx -t:

nginx: [warn] conflicting server name "nerdlouisville.org" on 0.0.0.0:443, ignored


#18

Not a fatal error or related to your certificates. Just seems like you have two server blocks, bound to the same port & address, with a duplicate server_name.
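The `grep -Ri ssl_certificate /etc/nginx` from #16 finds the references; the remaining work in #15 to #18 is checking that every referenced file exists and finding the two server blocks that both claim `nerdlouisville.org` on port 443. The script below is an added example, not code from the thread or from nginx. It is a deliberately small parser for nginx's `directive args;` / `name { ... }` syntax: it strips `#` comments and does not follow `include`, so point it at the directory holding the site files (on the poster's box that would be /etc/nginx) rather than at nginx.conf alone. The `demo()` function builds a constructed two-site layout in a temporary directory; every path and file name in it is made up for the demo.

```python
"""Audit an nginx config tree for the faults in #15 to #18: certificate
paths that do not exist on disk, and one server_name claimed by two server
blocks on the same listen socket.  Added example, not from the thread."""
import os
import re
import tempfile

CERT_DIRECTIVES = {"ssl_certificate", "ssl_certificate_key",
                   "ssl_trusted_certificate"}


def _tokens(text):
    """Yield ('open', header), ('directive', text) or ('close', None)."""
    buf = []
    for ch in re.sub(r"#[^\n]*", "", text):   # drop comments first
        if ch not in "{;}":
            buf.append(ch)
            continue
        chunk, buf = "".join(buf).strip(), []
        if ch == "{":
            yield "open", chunk
        elif ch == ";":
            yield "directive", chunk
        else:
            yield "close", None


def _socket(listen_args):
    # Address part of a listen directive as nginx prints it in warnings:
    # a bare port such as "443 ssl" is reported as 0.0.0.0:443.
    first = listen_args.split()[0]
    return "0.0.0.0:" + first if first.isdigit() else first


def audit_file(path):
    """Return (missing, servers): missing holds (file, directive, path) for
    certificate files that do not exist; servers holds (sockets, names)
    for every server block in the file."""
    with open(path) as fh:
        text = fh.read()
    missing, servers, stack, listens, names = [], [], [], [], []
    for kind, chunk in _tokens(text):
        if kind == "open":
            stack.append(chunk.split()[0] if chunk else "")
            if stack[-1] == "server":
                listens, names = [], []
        elif kind == "close":
            if stack and stack.pop() == "server":
                servers.append((tuple(listens) or ("0.0.0.0:80",),
                                tuple(names)))
        elif chunk:
            parts = chunk.split(None, 1)
            name = parts[0]
            args = parts[1].strip() if len(parts) > 1 else ""
            if name in CERT_DIRECTIVES:
                cert_path = args.strip("'\"")
                if not os.path.exists(cert_path):
                    missing.append((path, name, cert_path))
            elif name == "listen" and "server" in stack:
                listens.append(_socket(args))
            elif name == "server_name" and "server" in stack:
                names.extend(args.split())
    return missing, servers


def audit_tree(root):
    """Audit every file under root; return the missing certificate paths and
    the (socket, server_name, count) triples nginx would report as
    'conflicting server name ... ignored'."""
    missing, seen = [], {}
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            file_missing, servers = audit_file(os.path.join(dirpath, fn))
            missing.extend(file_missing)
            for sockets, names in servers:
                for key in ((s, n) for s in sockets for n in names):
                    seen[key] = seen.get(key, 0) + 1
    conflicts = sorted((s, n, c) for (s, n), c in seen.items() if c > 1)
    return {"missing": missing, "conflicts": conflicts}


def demo():
    """Constructed layout (paths made up for the demo): a -0001 lineage that
    exists, one site still pointing ssl_trusted_certificate at the removed
    nerdlouisville.org lineage, and two blocks both naming
    nerdlouisville.org on port 443."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live", "nerdlouisville.org-0001")
        os.makedirs(live)
        for fn in ("fullchain.pem", "privkey.pem"):
            open(os.path.join(live, fn), "w").close()
        old_chain = os.path.join(tmp, "live", "nerdlouisville.org", "chain.pem")
        sites = os.path.join(tmp, "conf", "sites-enabled")
        os.makedirs(sites)
        common = (f"    ssl_certificate {live}/fullchain.pem;\n"
                  f"    ssl_certificate_key {live}/privkey.pem;\n")
        with open(os.path.join(sites, "nerdlouisville.conf"), "w") as fh:
            fh.write("server {\n"
                     "    listen 443 ssl;  # nginx reports this as 0.0.0.0:443\n"
                     "    server_name nerdlouisville.org www.nerdlouisville.org;\n"
                     + common +
                     f"    ssl_trusted_certificate {old_chain};\n"
                     "}\n")
        with open(os.path.join(sites, "dungeon.conf"), "w") as fh:
            fh.write("server {\n"
                     "    listen 443 ssl;\n"
                     "    server_name louisvilledungeonmaster.com nerdlouisville.org;\n"
                     + common +
                     "}\n")
        return audit_tree(os.path.join(tmp, "conf"))


if __name__ == "__main__":
    report = demo()
    for file, directive, path in report["missing"]:
        print(f"{file}: {directive} {path} does not exist")
    for sock, name, count in report["conflicts"]:
        print(f'conflicting server name "{name}" on {sock} ({count} blocks)')
```

On a live box, replace `demo()` with `audit_tree("/etc/nginx")`: a non-empty `missing` list is exactly the `SSL_CTX_load_verify_locations ... No such file` failure from #15, and each `conflicts` entry is one `conflicting server name` warning from #17, with the second block's names being the ones nginx silently ignores.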


#19

Yeah, it’s not letting me restart nginx now.

-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- Unit nginx.service has begun starting up.
Dec 19 05:59:19 lemp-1gb-nyc3-01 nginx[26262]: nginx: [warn] conflicting server name "nerdlouisville.org" on 0.0.0.0:443, ignored
Dec 19 05:59:19 lemp-1gb-nyc3-01 nginx[26266]: nginx: [warn] conflicting server name "nerdlouisville.org" on 0.0.0.0:443, ignored
Dec 19 05:59:19 lemp-1gb-nyc3-01 nginx[26266]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Dec 19 05:59:19 lemp-1gb-nyc3-01 nginx[26266]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 19 05:59:19 lemp-1gb-nyc3-01 nginx[26266]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Dec 19 05:59:19 lemp-1gb-nyc3-01 nginx[26266]: nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
Dec 19 05:59:20 lemp-1gb-nyc3-01 nginx[26266]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Dec 19 05:59:20 lemp-1gb-nyc3-01 nginx[26266]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 19 05:59:20 lemp-1gb-nyc3-01 nginx[26266]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Dec 19 05:59:20 lemp-1gb-nyc3-01 nginx[26266]: nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
Dec 19 05:59:20 lemp-1gb-nyc3-01 nginx[26266]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Dec 19 05:59:20 lemp-1gb-nyc3-01 nginx[26266]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 19 05:59:20 lemp-1gb-nyc3-01 nginx[26266]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Dec 19 05:59:20 lemp-1gb-nyc3-01 nginx[26266]: nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
Dec 19 05:59:21 lemp-1gb-nyc3-01 nginx[26266]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Dec 19 05:59:21 lemp-1gb-nyc3-01 nginx[26266]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 19 05:59:21 lemp-1gb-nyc3-01 nginx[26266]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Dec 19 05:59:21 lemp-1gb-nyc3-01 nginx[26266]: nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
Dec 19 05:59:21 lemp-1gb-nyc3-01 nginx[26266]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Dec 19 05:59:21 lemp-1gb-nyc3-01 nginx[26266]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 19 05:59:21 lemp-1gb-nyc3-01 nginx[26266]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Dec 19 05:59:21 lemp-1gb-nyc3-01 nginx[26266]: nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
Dec 19 05:59:22 lemp-1gb-nyc3-01 nginx[26266]: nginx: [emerg] still could not bind()
Dec 19 05:59:22 lemp-1gb-nyc3-01 systemd[1]: nginx.service: Control process exited, code=exited status=1
Dec 19 05:59:22 lemp-1gb-nyc3-01 systemd[1]: Failed to start A high performance web server and a reverse proxy server.
-- Subject: Unit nginx.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- Unit nginx.service has failed.

-- The result is failed.
Dec 19 05:59:22 lemp-1gb-nyc3-01 systemd[1]: nginx.service: Unit entered failed state.
Dec 19 05:59:22 lemp-1gb-nyc3-01 systemd[1]: nginx.service: Failed with result 'exit-code'.
Dec 19 05:59:24 lemp-1gb-nyc3-01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=ea:a0:d3:08:97:64:84:b5:9c:f9:08:30:08:00 SRC=199.66.90.126 DST=104.131.95.220 LEN=40 TOS=0x00 PR
Dec 19 05:59:29 lemp-1gb-nyc3-01 sshd[26271]: Invalid user libsys from 86.20.97.248
Dec 19 05:59:29 lemp-1gb-nyc3-01 sshd[26271]: input_userauth_request: invalid user libsys [preauth]
Dec 19 05:59:29 lemp-1gb-nyc3-01 sshd[26271]: pam_unix(sshd:auth): check pass; user unknown
Dec 19 05:59:29 lemp-1gb-nyc3-01 sshd[26271]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=86.20.97.248
Dec 19 05:59:31 lemp-1gb-nyc3-01 sshd[26271]: Failed password for invalid user libsys from 86.20.97.248 port 35170 ssh2


#20

And, causing that one site to still not work. Hmmm.