Wildcard deployment

My Domain is:
finsites.app

I ran this command:
certbot-auto certonly --manual --preferred-challenges=dns --email finsites@protonmail.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d "*.finsites.app" -d finsites.app

It produces this output:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/finsites.app/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/finsites.app/privkey.pem
Your cert will expire on 2020-04-16. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew all of your certificates, run
“certbot-auto renew”
- If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

My Webserver is:

Hosting Package: EnCirca cPanel Quickstart
Server Name: whm
cPanel Version: 84.0 (build 19)
Apache Version: 2.4.41
PHP Version: 7.1.33
MySQL Version: 5.7.29
Architecture: x86_64
Operating System: linux
Shared IP Address: 178.128.157.150
Local IP Address: 178.128.157.150
Path to Sendmail: /usr/sbin/sendmail
Path to Perl: /usr/bin/perl
Perl Version: 5.16.3
Kernel Version: 3.10.0-1062.9.1.el7.x86_64

My Hosting Provider is:
Encirca

I cannot log in to the root shell. I use cPanel v84.0

The Version of my client is Certbot 1.1.0


First of all, big thanks to all of you and all that you do!

I was able to create the SSL certificates and get everything validated without any issues. Where I am bumping into issues is with the sub-domains. The cert created above is registered on that domain already, but none of the sub-domains I have has picked it up for some reason. Is there an additional step required, or a step I missed along the way, that makes sure this cert is applied to all of the sub-domains as well?

1 Like

What are your subdomains that you want covered?

Your cPanel hosting service already has SSL handled for you with AutoSSL. Any domain you create in your cPanel account (including a wildcard subdomain) should automatically be covered.

The certificate you see when you visit your website right now, is the one from AutoSSL.

When you ran certbot certonly ..., it didn’t perform any certificate installation for you. It just produced the certificate, and leaves it to you to perform the installation (i.e. “cert only”).

So, questions:

  • What are your subdomains that are not covered by SSL?
  • Do you really need a separate Let’s Encrypt certificate, given what AutoSSL is already doing for you?
1 Like

Hi _az,

The AutoSSL feature is nice, however they only provide self-signed certificates.

The sub-domains I had created were login.finsites.app, services.finsites.app, and developer.finsites.app.

[screenshot: certs]

I’ve uploaded a screenshot to show what I am seeing. The top-level domain has ‘Let’s Encrypt’ as the issuer, where the subdomain still has the self-signed one. Should I just delete the self-signed one and see if the top-level one would naturally propagate out?

1 Like
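A side note on what the wildcard in the certbot command above actually covers, since that is half of the confusion here. The following is an added example, not code from the thread or from Certbot: it implements the name-matching rule TLS clients apply to a certificate's DNS names (a `*` stands for exactly one complete left-most label), and runs it over the names requested with `-d` and the subdomains listed in this post. The last two hostnames are constructed edge cases, not names from the thread. Installing the certificate on the server is a separate step this does not cover.

```python
"""Report which hostnames a certificate's DNS names cover.

Added example (not from the thread or from Certbot). Wildcard rule:
'*.finsites.app' matches 'login.finsites.app' but neither the bare
'finsites.app' (which is why the command also passes -d finsites.app)
nor a second-level name such as 'api.dev.finsites.app'.
"""

# Names requested with -d in the certbot command from the thread.
CERT_NAMES = ["*.finsites.app", "finsites.app"]

# Subdomains created by the poster, plus two constructed edge cases.
HOSTS = [
    "finsites.app",
    "login.finsites.app",
    "services.finsites.app",
    "developer.finsites.app",
    "api.dev.finsites.app",   # constructed: second-level subdomain
    "finsites.app.example",   # constructed: unrelated domain
]


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if a single certificate DNS name covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # Only the whole left-most label may be a wildcard, and it must not
    # stand in for a registrable domain (so '*.app' is rejected).
    if cert_labels[0] != "*" or len(cert_labels) < 3 or "*" in cert_labels[1:]:
        return False
    # The wildcard replaces exactly one non-empty label.
    if len(host_labels) != len(cert_labels) or host_labels[0] == "":
        return False
    return host_labels[1:] == cert_labels[1:]


def covered_hosts(cert_names, hosts):
    """Map each hostname to whether any certificate name covers it."""
    return {h: any(name_matches(n, h) for n in cert_names) for h in hosts}


if __name__ == "__main__":
    for host, ok in covered_hosts(CERT_NAMES, HOSTS).items():
        print(f"{host:26} {'covered' if ok else 'NOT covered'}")
```

The three subdomains from this post are covered by `*.finsites.app`, so the certificate itself is fine; what is missing is the installation step on the cPanel side. Note that a deeper name like `api.dev.finsites.app` would need its own wildcard (`*.dev.finsites.app`) or an explicit `-d` entry.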

AutoSSL should provide certificates signed by either Sectigo or Let’s Encrypt, depending on what your host chose.

The self-signed certificates aren’t part of AutoSSL - cPanel just generates them as placeholders until a trusted certificate becomes available from AutoSSL.

Assuming that Encirca has not disabled AutoSSL, I suspect that the reason that it hasn’t created a Let’s Encrypt certificate for developer.finsites.app is that the domain doesn’t resolve - you haven’t created a DNS record for it. Same story with login. and services..

Once AutoSSL detects that the domains can pass domain validation (i.e. the domain resolves and points to the cPanel server), it should [eventually] automatically create SSL certificates for those other domains.

2 Likes

And in the case that Encirca doesn’t have AutoSSL available - you have to actually go and upload the certificate and private key of the wildcard certificate you generated with Certbot, and install it in the “SSL/TLS Manager” part of cPanel.

Just generating a certificate does not automatically deploy it to your cPanel server. You’ll have to do that by hand or develop some kind of automation.

For that reason, it’s generally preferable to rely on AutoSSL.

1 Like

That makes sense. Thanks for taking the time and for being so informative 🙂 Enjoy your weekend!

1 Like

I think that is where I became so confused. I subscribed to the DNS service last night, and the SSL panel had a statement indicating that self-signed certs were being used until a valid one was installed, so I assumed I had to do that. Then, right as I finished running the command lines locally to create them, the ‘Let’s Encrypt’ issuer field was populated for the top-level domain. A perfect storm of confusion for me. Thanks again for your time!

3 Likes
