Wildcard cert on subdomain "Not secure"


#1

My domain is:
oldgamers.team

I ran this command:
DOMAIN=oldgamers.team && ./certbot-auto certonly --manual -d "*.$DOMAIN" -d "$DOMAIN" --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/oldgamers.team.conf)

It contains these names: oldgamers.team

You requested these names for the new certificate: *.oldgamers.team,
oldgamers.team.

Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for oldgamers.team
dns-01 challenge for oldgamers.team


Please deploy a DNS TXT record under the name
_acme-challenge.oldgamers.team with the following value:

hoXlZvX6OrxL1nbWTODchQVAMDdI9K8pRRLKls6QH2Y

Before continuing, verify the record is deployed.


Press Enter to Continue


Please deploy a DNS TXT record under the name
_acme-challenge.oldgamers.team with the following value:

g77v47G9lFZKoxGdziqUhxKE4cC55PYSfC24aIC0J0M

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)


Press Enter to Continue
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/oldgamers.team/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/oldgamers.team/privkey.pem
    Your cert will expire on 2019-04-25. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again. To non-interactively renew all of your certificates, run
    “certbot-auto renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version):
Server version: Apache/2.4.25 (Debian)
Server built: 2018-11-03T18:46:19

The operating system my web server runs on is (include version):
Debian 9.7

My hosting provider, if applicable, is:
OVH

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.30.2

The problem I’m having:
Chromium is reporting “Not secure” when I go to forum.oldgamers.team. Everything is fine if I go to oldgamers.team. I’m not sure if it makes a difference, but forum.oldgamers.team is a CNAME to oldgamers.team. I simply want to separate it as a VHOST in apache as I want the forum to be separate from the main web page.


#2

Tried re-opening the browser tab since installing the certificate? It works fine for me.

Could you take a screenshot of the issue? Is it a fatal “certificate not trusted” error, or a “this page has mixed content” address bar warning?


#3

Well, whattayaknow! You’re right. I guess the browser was caching old data or something. It’s working. Thanks so much for the test and reply!


#4

Hi @kteague

I see the same - the certificate is correct.

But you have an ipv6 address:

Host                  T     IP-Address                is auth.  ∑ Queries  ∑ Timeout
forum.oldgamers.team  C     oldgamers.team            yes       1          0
                      A     192.99.212.186            yes
                      AAAA  2607:5300:201:3100::38a8  yes

And your ipv6 has timeouts ( https://check-your-website.server-daten.de/?q=forum.oldgamers.team ) :

Domainname                                     Http-Status  redirect                                      Sec.    G
http://forum.oldgamers.team/
  192.99.212.186                               302          https://forum.oldgamers.team/                 0.216   A
http://forum.oldgamers.team/
  2607:5300:201:3100::38a8                     -14                                                        10.026  T
  Timeout - The operation has timed out
https://forum.oldgamers.team/
  192.99.212.186                               302          https://forum.oldgamers.team/install/app.php  2.150   B
https://forum.oldgamers.team/
  2607:5300:201:3100::38a8                     -14                                                        10.027  T
  Timeout - The operation has timed out
https://forum.oldgamers.team/install/app.php   -14                                                        10.027  T
  Timeout - The operation has timed out

So

  • remove the ipv6 address in your dns (not really good) or
  • check your config if ipv6 is configured and if there is no firewall or something else that blocks

If a user or a search engine comes via ipv6, your forum is invisible.
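The two checks behind this diagnosis, as an added example that is not from the thread or from Certbot: whether a wildcard SAN actually covers a host name (why both *.oldgamers.team and the bare apex had to be requested), and whether every A and AAAA address a host publishes answers on port 443. Function names and the probing approach are my own; the host name and addresses are the ones from the thread.

```python
import socket
import ssl


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style: '*' must be the whole left-most label and matches exactly
    one label, so *.oldgamers.team covers forum.oldgamers.team but not
    oldgamers.team (hence the extra -d in the thread) or a.b.oldgamers.team."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(san_names: list, hostname: str) -> bool:
    """True if any DNS SAN on the certificate matches the host name."""
    return any(wildcard_matches(name, hostname) for name in san_names)


def served_sans(hostname: str, port: int = 443, timeout: float = 5.0) -> list:
    """Open a TLS connection and return the DNS SANs of the presented certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def probe_addresses(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """TCP-connect to every A and AAAA address the resolver returns (the same
    thing the check-your-website table does); per address: 'ok', 'timeout' or error name."""
    results = {}
    for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP):
        sock = socket.socket(family, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            results[sockaddr[0]] = "ok"
        except socket.timeout:
            results[sockaddr[0]] = "timeout"
        except OSError as exc:
            results[sockaddr[0]] = type(exc).__name__
        finally:
            sock.close()
    return results


def diagnose(results: dict) -> list:
    """List every published address that does not answer; a timing-out AAAA
    makes the site invisible to IPv6-only clients and crawlers."""
    return [f"{'IPv6' if ':' in addr else 'IPv4'} {addr}: {status}"
            for addr, status in results.items() if status != "ok"]
```

For a live check of the thread's host, call `cert_covers(served_sans("forum.oldgamers.team"), "forum.oldgamers.team")` and `diagnose(probe_addresses("forum.oldgamers.team"))`; the matching and diagnosis functions need no network.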


#5

Good catch, JuergenAuer. Investigating this now.


#6

Fixed! Thanks so much, friends!

