Wildcard certificate does not work

mario26 · December 3, 2018, 12:10am

Hello,

I use Ubuntu 18.04 with Nginx, i would like to configure a wildcard certificate because i want to use several subdomains.

I already have make some tests, i read a lot of documentation before arriving here…

I can generate my wildcard certificate like this:

certbot certonly --agree-tos --email contact@exemple.com --server https://acme-v02.api.letsencrypt.org/directory --manual -d *.exemple.com exemple.com

It works :

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/exemple.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/exemple.com/privkey.pem
   Your cert will expire on 2019-03-02. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

I also used various methods to generate the key and almost all have succeeded.

But, this does not work on the site, only “example.com” and “www.example.com” are supported by the SSL certificate despite several restart of the Nginx server.

I wonder if it can come from the server?

Here is the vhost:

server {
	listen 80;
	listen [::]:80;
    server_name *.exemple.com exemple.com;
   
	include /var/www/snippets/letsencrypt.conf;
	
	#Force SSL
	#return 301 https://$host$request_uri;

	root /var/www/html/;
    	index index.php;
    
    	error_log /var/log/nginx/local_error.log;
	access_log /var/log/nginx/local_access.log;

    	client_max_body_size 100M;

    	location / {
        	try_files $uri $uri/ /index.php?$args;        
    	}

	location ~ \.php$ {
        	fastcgi_pass php:9000;
        	include fastcgi_params;
        	fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        	fastcgi_param DOCUMENT_ROOT $realpath_root;
	}
}

server {
	listen 443 ssl http2;
    server_name *.exemple.com exemple.com;
   
	root /var/www/html/;
	index index.php;
    
   	ssl_certificate /etc/letsencrypt/live/exemple.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/exemple.com/privkey.pem;
	ssl_trusted_certificate /etc/letsencrypt/live/exemple.com/chain.pem;

	include /var/www/snippets/ssl.conf;
	include /var/www/snippets/letsencrypt.conf;
	
	error_log /var/log/nginx/local_error.log;
	access_log /var/log/nginx/local_access.log;

    location / {
        	try_files $uri $uri/ /index.php?$args;        
   	 }

	location ~ \.php$ {
        	fastcgi_pass php:9000;
        	include fastcgi_params;
        	fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        	fastcgi_param DOCUMENT_ROOT $realpath_root;
	}
}

Here is the SSL configuration:

ssl_dhparam /var/www/snippets/certs/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;

I do not have any errors in the logs, the certificates seem correct, but i am restricted to “example.com” and “www.example.com”…

For the curious, you can try the site here: https://www.devosi.pro/index.html (I will remove the link once the subject resolves)

Thank you for your help !

rg305 · December 3, 2018, 12:16am

Should be:
-d "*.exemple.com" -d exemple.com

You can review the names in the cert with:
openssl x509 -in /etc/letsencrypt/live/exemple.com/cert.pem -text -noout
Look below "...Subject Aleternative Name:"

mario26 · December 3, 2018, 12:23am

I used also, the certificate is generated in this way too, but i have the same problem...

This command does not work...

mario26 · December 3, 2018, 12:25am

Nop sorry:
Invalid command 'x590'; type "help" for a list.

mario26 · December 3, 2018, 12:27am

Nop : ^^
Invalid command ‘x509-in’; type “help” for a list.

mario26 · December 3, 2018, 12:29am

Oops sorry !

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:00:05:74:c0:cc:0e:c8:e3:5a:58:71:3a:6d:09:7f:2f:29
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Dec  2 22:22:36 2018 GMT
            Not After : Mar  2 22:22:36 2019 GMT
        Subject: CN = *.devosi.pro
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c6:ef:87:c4:fd:bc:13:8a:39:14:19:d8:31:9d:
                    6d:57:34:3a:31:b9:52:d0:b6:2d:1b:a4:4e:d0:63:
                    1f:7d:b0:c8:14:4c:d8:bf:c7:02:24:1f:3c:c3:20:
                    17:bf:ce:76:81:19:6f:7c:0f:6b:f5:9d:4d:94:68:
                    e0:b5:6e:27:54:a5:75:ed:41:4a:f1:6c:c7:cc:37:
                    5a:00:44:44:a7:22:fa:46:51:a7:f0:64:65:e8:16:
                    2f:97:b1:a6:5c:64:f3:07:c0:d2:dc:f8:64:39:fd:
                    f3:88:1d:a8:2a:63:94:0e:84:13:bf:b8:1a:7c:88:
                    ef:4c:e6:0b:c0:67:4b:ad:54:48:a2:ce:4d:5d:1b:
                    21:a0:b9:21:73:09:6a:6d:7f:bd:7e:19:9b:ea:87:
                    84:51:0f:6e:81:4c:50:95:65:75:06:27:42:72:48:
                    51:9f:be:74:a3:80:65:34:3d:87:66:2d:16:0c:69:
                    7a:a5:eb:1f:b5:25:4d:1e:20:13:c4:99:98:85:c5:
                    f9:12:e8:4d:e2:b4:52:9a:ad:3a:8e:3d:9d:f9:02:
                    b4:2a:42:41:e5:0e:da:b2:b7:33:26:e7:e4:35:07:
                    93:a1:b6:82:1b:f7:92:30:76:8e:48:00:15:d5:3e:
                    54:49:d3:50:84:55:d0:09:4e:ae:9d:f3:be:7d:38:
                    74:d9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                88:29:A8:FB:9F:17:AD:FA:12:64:CB:3B:9B:2B:9A:55:AC:ED:3E:DB
            X509v3 Authority Key Identifier: 
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:*.devosi.pro, DNS:devosi.pro
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 74:7E:DA:83:31:AD:33:10:91:21:9C:CE:25:4F:42:70:
                                C2:BF:FD:5E:42:20:08:C6:37:35:79:E6:10:7B:CC:56
                    Timestamp : Dec  2 23:22:36.404 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:BF:21:86:0B:A3:B1:35:CE:89:A5:F5:
                                31:02:43:B0:D2:67:BD:68:0D:F7:8C:48:A4:24:5D:09:
                                6C:29:48:E5:9E:02:21:00:B9:4A:60:3B:48:62:D3:DA:
                                04:12:44:81:DE:46:66:99:A1:0D:11:CC:81:18:49:AD:
                                A2:2F:EC:FF:DD:72:20:AE
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 63:F2:DB:CD:E8:3B:CC:2C:CF:0B:72:84:27:57:6B:33:
                                A4:8D:61:77:8F:BD:75:A6:38:B1:C7:68:54:4B:D8:8D
                    Timestamp : Dec  2 23:22:36.506 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:44:FD:22:FB:FE:68:04:ED:7E:42:7F:BA:
                                AC:64:0D:F6:49:C7:23:16:22:CA:0A:BB:81:5E:BC:21:
                                75:46:7A:BE:02:20:1B:B5:61:01:26:5C:D2:DC:BD:13:
                                96:C7:F5:89:EA:C7:B6:58:D1:13:C4:E0:EC:11:01:4C:
                                15:68:63:64:54:2B
    Signature Algorithm: sha256WithRSAEncryption
         11:bc:55:af:31:95:3c:98:c0:dd:f2:bb:6b:6d:ca:b9:d8:14:
         2b:59:b2:db:f9:0b:ce:40:7a:9e:03:53:71:84:6f:ba:57:60:
         6e:48:58:00:94:5f:1e:69:c6:78:6d:48:00:8e:7c:79:e3:93:
         e9:69:9e:de:32:76:73:38:17:43:1a:91:6f:28:a9:2c:95:a9:
         49:ee:bc:b6:db:e1:86:27:c7:70:96:43:d4:9f:6f:94:4d:17:
         59:9b:f7:cb:f8:d4:30:a0:e2:97:5e:2e:74:3d:b6:62:8d:d4:
         77:19:fe:4b:4c:9f:0b:45:ef:12:16:c8:ca:cd:13:2c:a6:8f:
         c3:09:74:07:90:31:f7:5f:6d:1c:f8:01:b4:49:48:86:8a:e2:
         60:28:f5:29:19:46:b3:a1:01:68:d3:a6:1e:91:77:21:c5:02:
         36:9b:f8:e2:4c:0b:f4:ea:52:ea:6e:37:d1:d1:10:85:27:a1:
         b2:a3:38:10:23:21:30:2d:d3:db:73:ad:21:59:c2:31:60:67:
         d3:04:ec:9c:4f:bf:58:2c:bd:b8:aa:c0:e6:f9:1f:06:7d:67:
         44:79:84:09:58:1c:ce:fd:80:28:c8:f1:19:0a:b1:de:6c:ac:
         32:5b:b6:46:85:1d:d4:e9:28:b7:ce:be:8c:c1:2b:33:b9:46:
         d7:b0:0f:ca

rg305 · December 3, 2018, 12:30am

Well you have the cert to cover "all" the names you need.
Now you need to use them.
What do your vhost config files look like?
And what does your DNS zone look like?

For instance:
If you want to use: blog.example.com
Then you need it to resolve in DNS to your IP and you will need a vhost config for "servername blog.example.com"

mario26 · December 3, 2018, 12:35am

My vhost :

server {
	listen 80;
	listen [::]:80;
    server_name *.exemple.com exemple.com;
   
	include /var/www/snippets/letsencrypt.conf;
	
	#Force SSL
	#return 301 https://$host$request_uri;

	root /var/www/html/;
    	index index.php;
    
    	error_log /var/log/nginx/local_error.log;
	access_log /var/log/nginx/local_access.log;

    	client_max_body_size 100M;

    	location / {
        	try_files $uri $uri/ /index.php?$args;        
    	}

location ~ \.php$ {
    	fastcgi_pass php:9000;
    	include fastcgi_params;
    	fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    	fastcgi_param DOCUMENT_ROOT $realpath_root;
}

}

server {
listen 443 ssl http2;
server_name *.exemple.com exemple.com;

root /var/www/html/;
index index.php;

ssl_certificate /etc/letsencrypt/live/exemple.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/exemple.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/exemple.com/chain.pem;

include /var/www/snippets/ssl.conf;
include /var/www/snippets/letsencrypt.conf;

error_log /var/log/nginx/local_error.log;
access_log /var/log/nginx/local_access.log;

location / {
    	try_files $uri $uri/ /index.php?$args;        
 }

location ~ \.php$ {
    	fastcgi_pass php:9000;
    	include fastcgi_params;
    	fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    	fastcgi_param DOCUMENT_ROOT $realpath_root;
}

}

My DNS:

* 600 IN A 8.190.20.36
@ 600 IN A 8.190.20.36
@ 600 IN MX 10 mx1.exemple.com.
@ 600 IN MX 30 mx4.exemple.com.
_acme-challenge 300 IN TXT "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
_acme-challenge 300 IN TXT "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

rg305 · December 3, 2018, 12:37am

Form that, all names should go to:

Is that NOT happening?
I get 403 forbidden for all names.

mario26 · December 3, 2018, 12:39am

Yes all names should go to root /var/www/html/
I get “SSL_ERROR_BAD_CERT_DOMAIN” for all names for my…

rg305 · December 3, 2018, 12:40am

Somehow different certs are being used…

Show:
grep -Eri 'ssl_cert|server_name' /etc/nginx/

mario26 · December 3, 2018, 12:41am

This is a test page you need to enter the url with the index.html: https://www.devosi.pro/index.html

grep -Eri 'ssl_cert|server_name' /etc/nginx/

|/etc/nginx/conf.d/defaul.conf:    |server_name *.exemple.com exemple.com;|
|---|---|
|/etc/nginx/conf.d/default.conf:    |server_name *.exemple.com exemple.com;|
|/etc/nginx/conf.d/default.conf:   |ssl_certificate /etc/letsencrypt/live/exemple.com/fullchain.pem;|
|/etc/nginx/conf.d/default.conf:|ssl_certificate_key /etc/letsencrypt/live/exemple.com/privkey.pem;|

mario26 · December 3, 2018, 12:49am

Normally, this example URL should work: https://toto.devosi.pro/index.html

But this is not the case …

only “www.example.com” and “example.com” work.

rg305 · December 3, 2018, 12:50am

Something doesn’t add up.
I see this cert at the root:

And this one for all longer names:

Neither of which have the wildcard entry.

rg305 · December 3, 2018, 12:55am

Maybe try it without certonly
Or maybe you just need to restart Apache?

mario26 · December 3, 2018, 1:10am

I execute this command for another domain name:

certbot certonly --staging --agree-tos --email contact@exemple.org --webroot -w /var/www/letsencrypt/ -d exemple.org -d www.exemple.org -d mail.exemple.org -d chat.exemple.org -d pubsub.exemple.org

That corespond to your first capture, will it be the problem? I did not make a wildcard for this one…

I do not use Apache but Nginx and i have already restarted several times…

rg305 · December 3, 2018, 1:20am

Niether cert was form the staging environment.
But the names do seem to match up to the ones in the first cert.

I don't understand how you are serving multiple certs from a single vhost file...
Please show the /etc/nginx/nginx.conf file.

rg305 · December 3, 2018, 1:24am

Was this intentional?:

mario26 · December 3, 2018, 1:32am

My config Nginx:

user  nginx;
worker_processes  1;
# error_log  /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {

    # Signature du serveur Web
    server_tokens off;
    # Autorisé si la “page appellante” qui possède la même origine (même domaine).
    add_header X-Frame-Options SAMEORIGIN;

    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] - [Country: $geoip_country_name, City: $geoip_city] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    # access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    # tcp_nopush     on;
    keepalive_timeout  65;
    gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

About my Vhost “default” is an example of name here, i use separate files in this form: site1.conf site2.conf site3.conf…

mario26 · December 3, 2018, 1:55am

This is a typping error here, sorry...