I have successfully issued a wildcard certificate for my domain, hosting a WordPress Multisite network. I have added the TXT records for the acme challenge, the certificate has been issued and all sites are showing up. So far, so good.
Now I need to add sites belonging to a different domain, so I was trying to issue a wildcard certificate for two domains: the already existing domain and the new one.
Certbot has asked me to create two new TXT records for domain.eu, which I have done, and certbot replies that everything is OK:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/domain.com-0003/fullchain.pem
Key is saved at: /etc/letsencrypt/live/domain.com-0003/privkey.pem
This certificate expires on 2021-09-04.
I have updated sites-enabled/default-ssl.conf to point at the newly created certificates, restarted apache and I have managed to successfully break the entire WordPress network.
For site-specific issues like this, please at least provide your domain name, and maybe the error messages or how the certificate breaks the entire WordPress network?
That didn't seem to bother you much here so I will wait for somebody else to provide some valuable insight rather than criticism.
As for the error message, none from the certificates. As I mentioned, it says "Successfully received certificate" but when I try to access any WordPress site (be that the main site or a subdomain site), it says NET::ERR_CERT_COMMON_NAME_INVALID on Chrome.
In the thread you're referring to a very generic question is asked. That question was more like "Is rain wet?" and @stevenzhu answered with "Yes, rain is actually water, so it is wet."
However, you're asking us a very specific question about your specific site. And without details it's very hard to give any insightful answer.
Also, when opening a new thread in the Help section, you should have been provided with the following questionnaire:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Please answer all the questions to get proper help.
The -0003 is a telltale sign of certificate management issues.
What is the output of this command?
sudo certbot certificates
In regards to obscuring your domain name, if it makes you more comfortable, that's fine, but it will make helping more difficult since we can't use many of our tools.
I'm assuming "now" is a typo and you meant "not", looking at the "unfortunately". You do know all certificates issued by Let's Encrypt are submitted to certificate logs where they are publicly searchable?
I see what you mean by certificate management issues.
Would it be better to discard this server (it's a sandbox anyway) and create a new one with the two wildcard certificates issued the very first time?
As for the output, see below.
Yes, I know they are publicly searchable. Digicert has one of those on their website, among many others.
But imagine the certificates being *.facebook-dev.com *.facebook-dev.eu
That would raise a lot of eyebrows as to why FB would be splitting their network.
Similar happens here where the brand behind this sandbox does not want their name revealed.
And yes, I meant I am NOT allowed. Thanks
Although that would mean every visitor to one of the sites could look at the cert and see the other TLD too. Your current certificates already have that issue as well, though they are incomplete.
Make certain that all of the certificate references in your apache configuration refer to /etc/letsencrypt/live/domain.com/ and not something with -xxxx.
Get the correct certificate.
sudo certbot certonly --cert-name domain.com --manual --preferred-challenges dns -d "domain.com,*.domain.com,domain.eu,*.domain.eu"
Research DNS plugins to automate acquisition of your certificate. Be sure to include --deploy-hook "apachectl -k graceful" to automatically reload apache after certificate acquisition.
Enjoy your peace of mind.
Your entire certificate history can be found by searching on https://crt.sh if you want to cross-reference with what you have.
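As an added example (not code from this thread or from certbot), here are two small checks for the failure described above: finding Apache directives that still point at a numbered duplicate lineage like domain.com-0003, and testing whether a hostname is actually covered by a certificate's SAN list, which is what Chrome's NET::ERR_CERT_COMMON_NAME_INVALID is complaining about. The vhost names, paths and SAN list are constructed sample data.

```shell
# Added example (not code from the thread). Two checks for the failure
# above: Apache still pointing at a stale "-0003" certbot lineage, and a
# hostname missing from the cert's SAN list (Chrome's
# NET::ERR_CERT_COMMON_NAME_INVALID). Names and paths are constructed.

# Read Apache config on stdin; print "<ServerName> <path>" for every
# SSLCertificateFile/SSLCertificateKeyFile under a numbered lineage.
flag_stale_cert_refs() {
    awk '
        /<VirtualHost/                       { vhost = "(no ServerName)" }
        /^[[:space:]]*ServerName[[:space:]]/ { vhost = $2 }
        /^[[:space:]]*SSLCertificate(Key)?File[[:space:]]/ {
            if ($2 ~ /^\/etc\/letsencrypt\/live\/[^\/]+-[0-9]+\//) print vhost, $2
        }'
}

# Return 0 if $1 is covered by the comma-separated SAN list $2, as printed
# by "openssl x509 -noout -ext subjectAltName". A wildcard covers exactly
# one label: *.domain.com matches www.domain.com, not domain.com or a.b.domain.com.
san_matches() {
    host=$1
    list=$(printf '%s,' "$2" | tr -d ' ')
    while [ -n "$list" ]; do
        san=${list%%,*}; list=${list#*,}
        san=${san#DNS:}
        [ "$san" = "$host" ] && return 0
        case $san in
            \*.*)
                base=${san#\*.}
                rest=${host%".$base"}
                # rest must be exactly one non-empty label (no dot in it)
                if [ "$rest" != "$host" ] && [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ]; then
                    return 0
                fi ;;
        esac
    done
    return 1
}

# Constructed sample: the first vhost still references the -0003 lineage.
SAMPLE_CONF='<VirtualHost *:443>
    ServerName domain.com
    SSLCertificateFile /etc/letsencrypt/live/domain.com-0003/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.com-0003/privkey.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName shop.domain.eu
    SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
</VirtualHost>'
printf '%s\n' "$SAMPLE_CONF" | flag_stale_cert_refs
```

On a real server, feed it the output of `apachectl -S`-listed config files instead of SAMPLE_CONF, and pass `san_matches` the SAN line from the fullchain.pem that Apache actually loads.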
This is for a retail chain shop and so far they have decided to keep each part of the business in different countries so there is no need to issue certificates for the two domains at once.
GDPR and CCPA are partially responsible for this.
Thanks anyway @griffin and @Osiris for your valuable insight on the topic.