Wildcard certificate not working on subdomains

I followed this tutorial to a tee to obtain a wildcard certificate. After that, the primary domain has the padlock symbol but all my subdomains say "Not Secure". I had certs for the subdomains earlier which expired. I deleted them all before getting the wildcard cert. I'm on an Ubuntu 18.04 server.

Primary Domain: rajnarayanan.com
Subdomains: weatherapp.rajnarayanan.com, acmeapartments.rajnarayanan.com

Commands issued:

apt-get install letsencrypt

certbot certonly --manual --preferred-challenges=dns --email placeholder@email.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d rajnarayanan.com -d *.rajnarayanan.com

certbot certificates command output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: rajnarayanan.com
Domains: rajnarayanan.com *.rajnarayanan.com
Expiry Date: 2022-09-10 23:45:36+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/rajnarayanan.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/rajnarayanan.com/privkey.pem

You chose the manual method for getting a cert which means you must update your server config by yourself. You have not done that. Or, maybe you did but you need to reload Apache after making such changes. Your server response headers say you are using Apache so you should review your VirtualHosts.

Specifically, your server for the apex domain (rajnarayanan.com) sends a current cert but it only has the www subdomain in the cert. You can see which cert your server sends with a tool like this SSL Decoder.

The VirtualHosts for the other two subdomains send a cert that has expired.
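The check the reply above is describing, as an added example that is not part of this thread: it encodes the wildcard matching rule (one label only, so `*.rajnarayanan.com` covers `weatherapp.rajnarayanan.com` but not the apex, which is why the certbot command lists both names), fetches what a server actually sends for a hostname, and scans Apache VirtualHost text for SSL vhosts still pointing at a certificate file other than the wildcard's live path. The live paths are the ones from the `certbot certificates` output; the `SAMPLE_VHOSTS` text and the old per-subdomain paths in it are constructed for illustration, and the function names are mine.

```python
"""Added example: verify wildcard coverage of a served certificate and find
Apache vhosts that still reference old per-subdomain certificate files."""
import re
import socket
import ssl
import sys
import time

# Live paths from the `certbot certificates` output in the thread.
WILDCARD_CERT = "/etc/letsencrypt/live/rajnarayanan.com/fullchain.pem"
WILDCARD_KEY = "/etc/letsencrypt/live/rajnarayanan.com/privkey.pem"

# Constructed: the wildcard cert as ssl.SSLSocket.getpeercert() would report it.
WILDCARD_CERT_INFO = {
    "subjectAltName": (("DNS", "rajnarayanan.com"), ("DNS", "*.rajnarayanan.com")),
    "notAfter": "Sep 10 23:45:36 2022 GMT",
}

# Constructed Apache config: the first vhost still uses an old per-subdomain
# cert path (assumed, not from the thread); the second already uses the wildcard.
SAMPLE_VHOSTS = """
<VirtualHost *:443>
    ServerName weatherapp.rajnarayanan.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/weatherapp.rajnarayanan.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/weatherapp.rajnarayanan.com/privkey.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName acmeapartments.rajnarayanan.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/rajnarayanan.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/rajnarayanan.com/privkey.pem
</VirtualHost>
"""


def name_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard stands for exactly one DNS label, so
    '*.example.com' matches 'a.example.com' but neither 'example.com' (the
    apex) nor 'a.b.example.com'. Comparison is case-insensitive."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    return bool(label) and "." not in label


def cert_covers(cert, hostname, now=None):
    """`cert` is a dict shaped like ssl.SSLSocket.getpeercert().
    Returns (covered, expired, matching_san); matching_san is None when no
    DNS SAN covers the hostname. `now` is epoch seconds (defaults to the clock)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    match = next((san for san in sans if name_matches(san, hostname)), None)
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return match is not None, now > not_after, match


def fetch_cert(hostname, port=443, timeout=5):
    """Connect with SNI and return the served certificate as a getpeercert() dict.
    Chain and validity are still verified (an expired cert raises
    ssl.SSLCertVerificationError), but hostname checking is left to
    cert_covers so a mismatched cert is returned instead of rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)


def stale_vhosts(config_text, expected_cert=WILDCARD_CERT):
    """Return [(ServerName, SSLCertificateFile)] for every SSL vhost whose
    certificate file is not the expected wildcard live path."""
    stale = []
    for body in VHOST_RE.findall(config_text):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M | re.I)
        if cert and cert.group(1) != expected_cert:
            stale.append((name.group(1) if name else "?", cert.group(1)))
    return stale


if __name__ == "__main__":
    for host in sys.argv[1:]:
        try:
            covered, expired, san = cert_covers(fetch_cert(host), host)
            print(f"{host}: covered={covered} via {san}, expired={expired}")
        except ssl.SSLCertVerificationError as err:
            print(f"{host}: served cert failed verification: {err.verify_message}")
    for name, path in stale_vhosts(SAMPLE_VHOSTS):
        print(f"vhost {name} still uses {path}; switch it to {WILDCARD_CERT}")
```

Run it as `python3 check_vhosts.py weatherapp.rajnarayanan.com acmeapartments.rajnarayanan.com` (file name is mine) to see which certificate each vhost really serves; a vhost listed by `stale_vhosts` needs its `SSLCertificateFile` and `SSLCertificateKeyFile` directives pointed at the wildcard's `fullchain.pem` and `privkey.pem`, after which Apache has to be reloaded (`systemctl reload apache2`) before the new cert is served.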


Why anyone would follow a guide that requires manually renewing wildcard certs is beyond me.

You should look for an ACME client that can work with your DSP [in a fully automated method].

rajnarayanan.com nameserver = ns-cloud-a1.googledomains.com
rajnarayanan.com nameserver = ns-cloud-a2.googledomains.com
rajnarayanan.com nameserver = ns-cloud-a3.googledomains.com
rajnarayanan.com nameserver = ns-cloud-a4.googledomains.com

I just manually updated the SSL file and key file paths in the subdomain VirtualHosts files and now it's working. Thanks.