Let’s try again:
nginx -T 2>/dev/null | grep -E "(server_name|ssl_certificate)"
and
certbot certificates
and please don’t redact the domains (you can delete your post later).
nginx -T 2>/dev/null | grep -E "(server_name|ssl_certificate)" :
server_name *.exemple.com exemple.com;
server_name *.exemple.com exemple.com;
ssl_certificate /etc/letsencrypt/live/exemple.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/exemple.com/privkey.pem;
certbot certificates :
Certificate Name: exemple.com
Domains: *.exemple.com exemple.com
Expiry Date: 2019-03-02 22:22:36+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/exemple.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/exemple.com/privkey.pem
Can I generate a wildcard SSL key for multiple domain names:
certbot certonly --agree-tos --email contact@exemple.org --server https://acme-v02.api.letsencrypt.org/directory --manual -d "*.exemple.com" -d exemple.com -d "*.exemple.org" -d exemple.org -d "*.exemple.info" -d exemple.info
Is this possible?
I found an error in my configuration: http://nginx.org/en/docs/http/configuring_https_servers.html#certificate_with_several_names
This will imply that I am using a unique certificate…
If that is the true output and you have actually restarted nginx, then you should not be getting a SSL_ERROR_BAD_CERT_DOMAIN for subdomains of exemple.com.
Yes, you can add up to 100 domains per certificate using -d.
You are making it really hard to help you by redacting your domains.
ok very good news!
I would like to check with you the syntax:
certbot certonly --agree-tos --email contact@exemple.org --server https://acme-v02.api.letsencrypt.org/directory --manual -d "*.exemple.com" -d exemple.com -d "*.exemple.org" -d exemple.org -d "*.exemple.info" -d exemple.info
Is the syntax correct? No error?
I think there is a bad interpretation in my Nginx configuration; I think that using a single certificate will probably solve the problem …
I’ll let you know and thank you!
Yes, it looks good, but it will require manually fulfilling the challenges.
Hello !
Always the same problem !! Grrrrrr
So, I changed the Nginx configuration as described in the documentation for a wildcard certificate: http://nginx.org/en/docs/http/configuring_https_servers.html#certificate_with_several_names
I generated a new certificate for two domain names with wildcards:
certbot certonly --agree-tos --email contact@exemple.org --server https://acme-v02.api.letsencrypt.org/directory --manual -d "*.exemple.com" -d exemple.com -d "*.exemple.org" -d exemple.org
I restarted the server and adjusted my DNS configuration like this:
Zone 1:
* 600 IN CNAME exemple.com.
@ 600 IN A 8.123.65.412
Zone 1:
* 600 IN CNAME exemple.org.
@ 600 IN A 8.123.65.412
Here is the return of the openssl command:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:d6:7f:29:36:45:80:5c:62:f2:21:8f:94:a4:a2:71:54:41
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Validity
Not Before: Dec 3 17:14:01 2018 GMT
Not After : Mar 3 17:14:01 2019 GMT
Subject: CN = *.exemple.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
8A:BC:16:36:D3:FE:A6:BB:26:D3:E0:D3:BC:CF:89:75:C6:D4:F5:46
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:*.exemple.com, DNS:*.exemple.org
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 74:7E:DA:83:31:AD:33:10:91:21:9C:CE:25:4F:42:70:
C2:BF:FD:5E:42:20:08:C6:37:35:79:E6:10:7B:CC:56
Timestamp : Dec 3 18:14:01.526 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:B4:DB:F6:53:DD:8A:64:7A:41:34:A6:
18:8C:0A:C4:F5:E8:B5:8A:28:2C:E3:E7:77:10:97:1D:
50:28:3E:C0:22:02:21:00:E0:50:66:97:77:24:22:E2:
30:B6:43:3D:AA:71:4D:D6:0C:5B:1A:B3:DD:9D:0A:30:
90:90:29:B5:9C:C9:D3:68
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 63:F2:DB:CD:E8:3B:CC:2C:CF:0B:72:84:27:57:6B:33:
A4:8D:61:77:8F:BD:75:A6:38:B1:C7:68:54:4B:D8:8D
Timestamp : Dec 3 18:14:01.536 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:81:25:91:9A:5E:C7:0F:9D:D7:93:DF:
24:D4:F4:63:FB:BB:1A:69:DF:C2:C8:AD:EA:DC:76:80:
9B:B7:E8:D9:23:02:21:00:EB:B5:69:2E:6B:66:31:E8:
12:62:24:5F:D5:6D:64:13:12:98:7E:91:E6:A3:E0:B6:
E9:6D:7E:F3:5D:5B:F2:E6
Signature Algorithm: sha256WithRSAEncryption
There is only one generic certificate on the server, I checked everywhere, but I still have this error:
SSL_ERROR_BAD_CERT_DOMAIN
The certificate is only valid for the following names: chat.exemple.org, exemple.org, mail.exemple.org, pubsub.exemple.org, www.exemple.org
I do not understand why it detects a certificate that no longer exists and has been replaced by a wildcard …
Can you help me?
Would that not come from Let's Encrypt?
Thank you
Could it come from my DNS zone?
I have two domain names with two separate DNS zones at gandi.net, how should I configure them for Let's Encrypt for a single generic certificate?
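Added example, not part of the original thread: a POSIX shell check of which hostnames are covered by the SAN list printed in the openssl output above, using the rule that a wildcard stands for exactly one left-most label. The function names and the hostnames tested are assumptions for illustration; the SAN line is copied from the post.

```shell
#!/bin/sh
# Sample input: the SAN section as it appears in the openssl output quoted above.
SAMPLE_TEXT='            X509v3 Subject Alternative Name:
                DNS:*.exemple.com, DNS:*.exemple.org'

# Read `openssl x509 -noout -text` output on stdin, print one DNS SAN per line.
extract_sans() {
    sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS://p'
}

# Return 0 if hostname $1 is covered by the single SAN entry $2.
san_covers() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    san=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$san" in
        '*.'*)
            suffix=${san#?}                      # "*.exemple.org" -> ".exemple.org"
            label=${host%"$suffix"}              # part the wildcard must absorb
            [ "$label" != "$host" ] || return 1  # host does not end with suffix
            [ -n "$label" ] || return 1          # wildcard cannot be empty
            case "$label" in *.*) return 1 ;; esac  # only one label allowed
            return 0 ;;
        *) [ "$host" = "$san" ] ;;               # non-wildcard: exact match
    esac
}

# Return 0 if hostname $1 is covered by any SAN found in openssl text $2.
cert_covers() {
    sans=$(printf '%s\n' "$2" | extract_sans)
    while IFS= read -r entry; do
        san_covers "$1" "$entry" && return 0
    done <<EOF
$sans
EOF
    return 1
}

# Hypothetical hostnames: a subdomain, the bare apex, and a two-level subdomain.
for h in chat.exemple.org exemple.org a.b.exemple.org; do
    if cert_covers "$h" "$SAMPLE_TEXT"; then
        echo "$h: covered"
    else
        echo "$h: NOT covered"
    fi
done
```

To test what a server actually presents rather than the file on disk, pass the output of `openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | openssl x509 -noout -text` as the second argument to `cert_covers`.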
Hi!
I managed it. To be honest, I use Docker with Nginx; the problem was there, the configuration was bad. Now it works!
Thank you for your help!
PS: I request the deletion of the publication…