Wild certificate for two domains

I have successfully issued a wildcard certificate for my domain, hosting a WordPress Multisite network. I have added the TXT records for the acme challenge, the certificate has been issued and all sites are showing up. So far, so good.

Now I have the need to add sites pertaining to a different domain, for which I was trying to issue a wildcard certificate for two domains: the already existing domain and the new one.

sudo certbot certonly --manual --preferred-challenges=dns --email email@domain.com --server https://acme-v02.api.letsencrypt.org/directory -d *.domain.com -d *.domain.eu

Certbot has asked me to create two new TXT records for domain.eu, which I have, and certbot replies that everything is OK:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/domain.com-0003/fullchain.pem
Key is saved at: /etc/letsencrypt/live/domain.com-0003/privkey.pem
This certificate expires on 2021-09-04.

I have updated sites-enabled/default-ssl.conf to point at the newly created certificates, restarted apache and I have managed to successfully break the entire WordPress network.

Any idea what I am missing?

Nothing. Without any real reference provided, you are on your own to treasure hunt!

What do you mean "real reference"?

For site-specific issues like this, please at least provide your domain name, and maybe the error messages or how the certificate breaks the entire WordPress network?

That didn't seem to bother you much here so I will wait for somebody else to provide some valuable insight rather than criticism.

As for the error message, none from the certificates. As I mentioned, it says "Successfully received certificate" but when I try to access any WordPress site (be that the main site or a subdomain site), it says NET::ERR_CERT_COMMON_NAME_INVALID on Chrome.

Welcome to the Let's Encrypt Community, Alvaro :slightly_smiling_face:

Did you reload your webserver afterwards?

Yes, I issued a sudo service apache2 restart command that showed no error.

In the thread you're referring to, a very generic question is asked. That question was more like "Is rain wet?" and @stevenzhu answered with "Yes, rain is actually water, so it is wet.".

However, you're asking us a very specific question about your specific site. And without details it's very hard to give any insightful answer.

Also, when opening a new thread in the #help section, you should have been provided with the following questionnaire:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Please answer all the questions to get proper help.

The -0003 is a telltale sign of certificate management issues.

What is the output of this command?

sudo certbot certificates

In regards to obscuring your domain name, if it makes you more comfortable, that's fine, but it will make helping more difficult since we can't use many of our tools.

Thanks, Osiris. Unfortunately, I am now allowed to disclose the name of the domains. They are indeed the same name with different TLD:

I'm assuming "now" is a typo and you meant "not", looking at the "unfortunately". You do know all certificates issued by Let's Encrypt are submitted to certificate logs where they are publicly searchable?

I see what you mean by certificate management issues.
Would it be better to discard this server (it's a sandbox anyway) and create a new one with the two wildcard certificates issued the very first time?
As for the output, see below.

Found the following certs:
Certificate Name: domain.com-0001
Serial Number: 32b...a46
Key Type: RSA
Domains: domain.com domain.eu
Expiry Date: 2021-09-04 16:56:57+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/domain.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain.com-0001/privkey.pem
Certificate Name: domain.com-0002
Serial Number: 384e...576
Key Type: RSA
Domains: *.domain.com domain.eu
Expiry Date: 2021-09-04 16:59:08+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/domain.com-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain.com-0002/privkey.pem
Certificate Name: domain.com-0003
Serial Number: 3da...760
Key Type: RSA
Domains: *.domain.com *.domain.eu
Expiry Date: 2021-09-04 17:09:51+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/domain.com-0003/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain.com-0003/privkey.pem
Certificate Name: domain.com
Serial Number: 35e...897
Key Type: RSA
Domains: domain.com *.domain.com domain.eu
Expiry Date: 2021-09-04 16:56:28+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/domain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain.com/privkey.pem

Are both the .com and .eu hosted on the same webserver?

Yes, I know they are publicly searchable. Digicert has one of those on their website, among many others.
But imagine the certificates being *.facebook-dev.com *.facebook-dev.eu
That would raise a lot of eyebrows as to why FB would be splitting their network.
Similar happens here where the brand behind this sandbox does not want their name revealed.
And yes, I meant I am NOT allowed. Thanks :slight_smile:

Yes, Sir. They are on the same webserver (a VM instance on GCP running Debian Stretch + PHP 7.4 + MySQL 5.7)

I'm missing the one certificate covering all four hostnames:

sudo certbot certonly --manual --preferred-challenges=dns --email email@domain.com --server https://acme-v02.api.letsencrypt.org/directory -d domain.com -d *.domain.com -d domain.eu -d *.domain.eu

Although that would mean every visitor to one of the sites could look at the cert and see the other TLD too. Although your current certificates also have that issue already, but are incomplete.

  1. Make certain that all of the certificate references in your apache configuration refer to /etc/letsencrypt/live/domain.com/ and not something with -xxxx.

  2. Get the correct certificate.

sudo certbot certonly --cert-name domain.com --manual --preferred-challenges dns -d "domain.com,*.domain.com,domain.eu,*.domain.eu"

  3. Reload apache.

sudo apachectl -k graceful

  4. Delete the old certificates.

sudo certbot delete --cert-name domain.com-0001
sudo certbot delete --cert-name domain.com-0002
sudo certbot delete --cert-name domain.com-0003

  5. Research DNS plugins to automate acquisition of your certificate. Be sure to include --deploy-hook "apachectl -k graceful" to automatically reload apache after certificate acquisition.

  6. Enjoy your peace of mind. :sunglasses:

Your entire certificate history can be found by searching on https://crt.sh if you want to cross-reference with what you have.
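The root cause in this thread is that a wildcard SAN such as *.domain.com matches exactly one extra label (www.domain.com) and never the apex name domain.com itself, so a lineage holding only wildcards cannot serve the main site. The following is an added example, not code from the thread or from Certbot: it parses `certbot certificates` output (a constructed sample in the same layout as the one posted above) and reports which lineage, if any, covers each hostname Apache is expected to serve, so a mismatch like NET::ERR_CERT_COMMON_NAME_INVALID can be spotted before the webserver is reloaded.

```python
# Constructed sample in the layout of `certbot certificates` output.
SAMPLE = """Found the following certs:
  Certificate Name: domain.com-0003
    Domains: *.domain.com *.domain.eu
    Expiry Date: 2021-09-04 17:09:51+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/domain.com-0003/fullchain.pem
  Certificate Name: domain.com
    Domains: domain.com *.domain.com domain.eu
    Expiry Date: 2021-09-04 16:56:28+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/domain.com/fullchain.pem
"""


def parse_lineages(text):
    """Return {lineage name: [SAN names]} from `certbot certificates` output."""
    lineages, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            current = line.split(":", 1)[1].strip()
            lineages[current] = []
        elif line.startswith("Domains:") and current is not None:
            lineages[current] = line.split(":", 1)[1].split()
    return lineages


def name_matches(san, hostname):
    """RFC 6125 rule: '*.x' matches exactly one left-most label, never x itself."""
    san, hostname = san.lower(), hostname.lower()
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                      # "*.domain.com" -> ".domain.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]      # the part replacing the '*'
    return bool(label) and "." not in label


def covering_lineages(lineages, hostname):
    """Sorted names of lineages whose SAN list covers the hostname."""
    return sorted(name for name, sans in lineages.items()
                  if any(name_matches(s, hostname) for s in sans))


def uncovered(lineages, hostnames):
    """Hostnames that no lineage covers: these will fail in the browser."""
    return [h for h in hostnames if not covering_lineages(lineages, h)]
```

Feed it the real output of `sudo certbot certificates` together with the ServerName/ServerAlias values from the Apache vhosts to see which lineage path the SSL config must point at.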

I will check and report back, prolly later today if not tomorrow.
Thanks all for your time.

This is for a retail chain shop and so far they have decided to keep each part of the business in different countries so there is no need to issue certificates for the two domains at once.
GDPR and CCPA are partially responsible for this.
Thanks anyway @griffin and @Osiris for your valuable insight on the topic.

Ok, so you want the following two certs?

  1. domain.com, *.domain.com
  2. domain.eu, *.domain.eu