Wildcard certificate does not work


#25

Let’s try again:

nginx -T 2>/dev/null | grep -E "(server_name|ssl_certificate)"

and

certbot certificates

and please don’t redact the domains (you can delete your post later).


#26

nginx -T 2>/dev/null | grep -E "(server_name|ssl_certificate)" :

server_name *.exemple.com exemple.com;
server_name *.exemple.com exemple.com;
ssl_certificate /etc/letsencrypt/live/exemple.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/exemple.com/privkey.pem;

certbot certificates :

  Certificate Name: exemple.com
    Domains: *.exemple.com exemple.com
    Expiry Date: 2019-03-02 22:22:36+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/exemple.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/exemple.com/privkey.pem

Can I generate a wildcard SSL key for multiple domain names:

certbot certonly --agree-tos --email contact@exemple.org --server https://acme-v02.api.letsencrypt.org/directory --manual -d "*.exemple.com" -d exemple.com -d "*.exemple.org" -d exemple.org -d "*.exemple.info" -d exemple.info

Is this something possible?


#27

I found an error in my configuration: http://nginx.org/en/docs/http/configuring_https_servers.html#certificate_with_several_names

This implies that I am using a single certificate…


#28

If that is the true output and you have actually restarted nginx, then you should not be getting an SSL_ERROR_BAD_CERT_DOMAIN for subdomains of exemple.com.

Yes, you can add up to 100 domains per certificate using -d.

You are making it really hard to help you by redacting your domains.


#29

OK, very good news!
I would like to check the syntax with you:

certbot certonly --agree-tos --email contact@exemple.org --server https://acme-v02.api.letsencrypt.org/directory --manual -d "*.exemple.com" -d exemple.com -d "*.exemple.org" -d exemple.org -d "*.exemple.info" -d exemple.info

Is the syntax correct? No errors?
I think there is a bad interpretation in my Nginx configuration; I think that using a single certificate will probably solve the problem…

I'll let you know, and thank you!


#30

Yes, it looks good, but it will require manually fulfilling the challenges.


#31

Hello!

Still the same problem!! Grrrrrr :confused:

So, I changed the Nginx configuration as described in the documentation for a wildcard certificate: http://nginx.org/en/docs/http/configuring_https_servers.html#certificate_with_several_names

I generated a new certificate for two domain names with wildcards:

certbot certonly --agree-tos --email contact@exemple.org --server https://acme-v02.api.letsencrypt.org/directory --manual -d "*.exemple.com" -d exemple.com -d "*.exemple.org" -d exemple.org

I restarted the server and adjusted my DNS configuration like this:

Zone 1:
* 600 IN CNAME exemple.com.
@ 600 IN A 8.123.65.412

Zone 2:
* 600 IN CNAME exemple.org.
@ 600 IN A 8.123.65.412

Here is the output of the openssl command:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:d6:7f:29:36:45:80:5c:62:f2:21:8f:94:a4:a2:71:54:41
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Dec  3 17:14:01 2018 GMT
            Not After : Mar  3 17:14:01 2019 GMT
        Subject: CN = *.exemple.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                8A:BC:16:36:D3:FE:A6:BB:26:D3:E0:D3:BC:CF:89:75:C6:D4:F5:46
            X509v3 Authority Key Identifier: 
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:*.exemple.com, DNS:*.exemple.org
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 74:7E:DA:83:31:AD:33:10:91:21:9C:CE:25:4F:42:70:
                                C2:BF:FD:5E:42:20:08:C6:37:35:79:E6:10:7B:CC:56
                    Timestamp : Dec  3 18:14:01.526 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 63:F2:DB:CD:E8:3B:CC:2C:CF:0B:72:84:27:57:6B:33:
                                A4:8D:61:77:8F:BD:75:A6:38:B1:C7:68:54:4B:D8:8D
                    Timestamp : Dec  3 18:14:01.536 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
    Signature Algorithm: sha256WithRSAEncryption

There is only one generic certificate on the server; I checked everywhere, but I still have this error:

SSL_ERROR_BAD_CERT_DOMAIN
The certificate is only valid for the following names: chat.exemple.org, exemple.org, mail.exemple.org, pubsub.exemple.org, www.exemple.org

I do not understand why it detects a certificate that no longer exists and has been replaced by a wildcard…

Can you help me?

Wouldn't that come from letsencrypt?

Thank you
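As an added diagnostic (not from the thread or from certbot/nginx): given an `nginx -T` dump like the one in #26 and a SAN line like the one printed by openssl in #31 (both reproduced below as constructed samples), list the server_name entries the certificate would not satisfy. Wildcard matching follows RFC 6125: `*` stands for exactly one label, so `*.exemple.com` covers `mail.exemple.com` but neither the apex `exemple.com` nor `a.b.exemple.com`.

```python
import re

# Constructed sample of `nginx -T` output, modelled on post #26 (not captured from the poster's server).
NGINX_DUMP = """
server {
    server_name *.exemple.com exemple.com;
    ssl_certificate /etc/letsencrypt/live/exemple.com/fullchain.pem;
}
server {
    server_name chat.exemple.org www.exemple.org;
    ssl_certificate /etc/letsencrypt/live/exemple.com/fullchain.pem;
}
"""

# SAN line as printed by `openssl x509 -text` for the wildcard certificate in post #31.
SAN_LINE = "DNS:*.exemple.com, DNS:*.exemple.org"

def parse_san(line):
    """Extract the DNS names from an 'X509v3 Subject Alternative Name' value line."""
    return [e.strip()[4:].lower() for e in line.split(",") if e.strip().startswith("DNS:")]

def san_matches(pattern, hostname):
    """RFC 6125-style match: '*' only as the whole left-most label, one label deep."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".exemple.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[:-len(suffix)]            # the part the '*' must absorb
    return bool(left) and "." not in left     # exactly one non-empty label

def covered(name, sans):
    """A wildcard server_name needs the identical wildcard SAN; a literal name needs any matching SAN."""
    if name.startswith("*."):
        return name.lower() in sans
    return any(san_matches(p, name) for p in sans)

def server_names(nginx_dump):
    """Collect every name from every server_name directive in the dump."""
    names = []
    for m in re.finditer(r"^\s*server_name\s+([^;]+);", nginx_dump, re.M):
        names.extend(m.group(1).split())
    return names

def uncovered_names(nginx_dump, san_line):
    """server_name entries that the certificate's SAN list does not cover."""
    sans = parse_san(san_line)
    return sorted({n for n in server_names(nginx_dump) if not covered(n, sans)})

if __name__ == "__main__":
    print("not covered by certificate:", uncovered_names(NGINX_DUMP, SAN_LINE))
```

On the sample data the only uncovered name is the apex `exemple.com`, which is why a certificate requested for both `*.exemple.com` and `exemple.com` must actually list both in its SAN.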


#32

Could it come from my DNS zone?

I have two domain names with two separate DNS zones at gandi.net; how should I configure them for letsencrypt for a single generic certificate?


#33

Hi!

I managed; to be honest, I use Docker with Nginx, the problem was there, the configuration was bad, and now it works!

Thank you for your help!

PS: I request the deletion of the publication…