Wildcard cert fail

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: colmena.biz

I ran this command:

[root@rojo ~]# certbot certonly --dns-cloudflare -d *.abeja.colmena.biz --dns-cloudflare-credentials /root/certbot-creds.ini

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for *.abeja.colmena.biz
Performing the following challenges:
dns-01 challenge for abeja.colmena.biz
Starting new HTTPS connection (1): api.cloudflare.com
Cleaning up challenges
Starting new HTTPS connection (1): api.cloudflare.com
Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.3.0)
[root@rojo ~]#

My web server is (include version): nginx.x86_64 1:1.20.1-10.el7 @epel

The operating system my web server runs on is (include version): CentOS 7.9

My hosting provider, if applicable, is: vpsserver

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

[root@rojo ~]# certbot --version
certbot 1.11.0
[root@rojo ~]#

You'll have to use the "Global API Key" authentication method as documented in the certbot-dns-cloudflare documentation.

This is because EPEL7 doesn't have a new enough version of python2-cloudflare to support API Tokens.

You could alternatively try the Certbot snap or the pip instructions.

5 Likes

After following the pip instructions you posted and installing python3.6 stuff in /opt/ ...

So now this certificate will supposedly be good for e.g. https://justina.abeja.colmena.biz/ but NOT https://abeja.colmena.biz/ because I did not specifically request it for the base domain name without the wildcard.

What I obtained from Cloudflare is an Edit zone DNS API token with DNS:Edit permission on the domain "colmena.biz" -- not the Global API key which was unnecessary in this case.

[root@rojo ~]# certbot certonly -d *.abeja.colmena.biz --dns-cloudflare
/opt/certbot/lib64/python3.6/site-packages/OpenSSL/_util.py:6: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release.
  from cryptography.hazmat.bindings.openssl.binding import Binding
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Python 3.6 support will be dropped in the next release of Certbot - please upgrade your Python version.
Requesting a certificate for *.abeja.colmena.biz
Input the path to your Cloudflare credentials INI file (Enter 'c' to cancel): /root/certbot-creds.ini
Waiting 10 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/abeja.colmena.biz/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/abeja.colmena.biz/privkey.pem
This certificate expires on 2023-02-20.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@rojo ~]#

Congrats!

3 Likes

I am using nginx, which does not have a "nice" capability for "userpages" like Apache does, and php-fpm does not have a capability for "su-php" to lock down user permissions for scripts as far as I know, but something like this "works" for static html content on user pages with an appropriate regular expression to capture the username for a domain.

/etc/nginx/nginx.conf

server {
    server_name  ~^(?<abeja>[A-Za-z0-9-]+)\.abeja\.colmena\.biz$;
    root         /home/$abeja/public_html;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }

    listen [::]:443 ssl http2;
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/abeja.colmena.biz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/abeja.colmena.biz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

Supplemental: here is a list of issued certificates crt.sh | colmena.biz, the latest being 2022-11-22 for *.abeja.colmena.biz.

And some helpful links for nginx community edition

  1. nginx documentation
  2. Community | NGINX
  3. https://forum.nginx.org/

And some helpful links for PHP

  1. PHP: Documentation
  2. PHP: PHP Manual - Manual
  3. PHP forum, your PHP coding community - Index page

Somebody ripped my credit card off and they complained I wasn't paying my bills there, so I was forced to discontinue that one.
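Two points in this thread are easy to get wrong when testing: the wildcard `*.abeja.colmena.biz` covers exactly one extra label (so not the bare `abeja.colmena.biz`), and the nginx `server_name` regex above decides which `/home/<user>/public_html` a Host header lands in. The following Python is an added example, not code from the thread or from certbot/nginx; it models both rules so a hostname can be checked before a browser does, with `cert_name_matches` written per the RFC 6125 wildcard rules and the nginx regex translated to Python's named-group syntax (assumed equivalent for these inputs).

```python
import re

# The server_name regex from the nginx config above, in Python's (?P<name>) form.
USERPAGE_HOST_RE = re.compile(r"^(?P<abeja>[A-Za-z0-9-]+)\.abeja\.colmena\.biz$")


def cert_name_matches(san: str, hostname: str) -> bool:
    """Match one certificate SAN against a hostname, RFC 6125 style.

    A wildcard counts only when it is the entire leftmost label and it stands
    for exactly one label: *.abeja.colmena.biz covers justina.abeja.colmena.biz
    but neither abeja.colmena.biz nor a.b.abeja.colmena.biz.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    if san_labels[0] != "*" or "*" in san_labels[1:]:
        return False  # partial (jus*.) or non-leftmost wildcards are rejected
    if len(san_labels) != len(host_labels):
        return False  # the wildcard is one label, never zero or several
    return host_labels[0] != "" and san_labels[1:] == host_labels[1:]


def covered_by(sans, hostname: str) -> bool:
    """True if any SAN in the certificate covers the hostname."""
    return any(cert_name_matches(s, hostname) for s in sans)


def userpage_root(hostname: str):
    """Document root the nginx server block would choose, or None if no match.

    nginx lowercases the Host header before server_name matching, so do the
    same here. The [A-Za-z0-9-]+ class cannot capture '/', '.' or '..', which is
    what keeps $abeja from steering root outside /home.
    """
    m = USERPAGE_HOST_RE.match(hostname.lower().rstrip("."))
    if not m:
        return None
    return f"/home/{m.group('abeja')}/public_html"


def check_host(sans, hostname: str):
    """(TLS name covered?, nginx root) for one Host, so the two can be compared."""
    return covered_by(sans, hostname), userpage_root(hostname)


if __name__ == "__main__":
    sans = ["*.abeja.colmena.biz"]  # constructed, as in the issued cert above
    for h in ["justina.abeja.colmena.biz", "abeja.colmena.biz", "a.b.abeja.colmena.biz"]:
        print(h, check_host(sans, h))
```

A host that maps to a user root but is not covered by the SAN list (the bare `abeja.colmena.biz` after adding a non-regex server block, for instance) is exactly the case that needs its own `-d` name in the certbot request.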

This site can’t be reached

The webpage at crt.sh | colmena.biz might be temporarily down or it may have moved permanently to a new web address.

ERR_INVALID_RESPONSE

Try refreshing the web page.

Here is what I see

1 Like

Also I am not finding (that does not mean it does not exist, I likely have missed something)
the Authoritative Name Servers for the subdomain abeja.colmena.biz; I do find them for colmena.biz.

Domain names for issued certificates are all made public in Certificate Transparency logs.

Here is mine crt.sh | hp-67.com

1 Like

How is this relevant to this topic?