Wildcard domains no SSL, root domain SSL works

I am attempting to get SSL working on en.uk-franchises-for-sale.co.uk, fr.uk-franchises-for-sale.co.uk, etc., i.e. any wildcard subdomain.
But SSL is only working for the root domain. I have added the text record suggested when running the DNS command.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: uk-franchises-for-sale.co.uk

I ran this command:
sudo certbot certonly --manual --preferred-challenges=dns --email matt@mydomain.com (real one used) --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.uk-franchises-for-sale.co.uk -d uk-franchises-for-sale.co.uk

Previously I used just the root domain; I expanded it to include the wildcard domain with the DNS challenge, as opposed to just certbot --apache -d uk-franchises-for-sale.co.uk

It produced this output:

It contains these names: *.uk-franchises-for-sale.co.uk

You requested these names for the new certificate:
*.uk-franchises-for-sale.co.uk, uk-franchises-for-sale.co.uk.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/uk-franchises-for-sale.co.uk/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/uk-franchises-for-sale.co.uk/privkey.pem
   Your cert will expire on 2020-06-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

My web server is (include version):

Latest LTS Ubuntu

The operating system my web server runs on is (include version): Apache2 on Linux Ubuntu

My hosting provider, if applicable, is: Digitalocean VPS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Did you reload Apache?

sudo systemctl reload apache2 should do the job.

Thanks, some seem to work, whereas others don't.
For example, https://ru.uk-franchises-for-sale.co.uk/ doesn't work for me, whereas https://fr.uk-franchises-for-sale.co.uk/ does.

I guess this is a DNS thing and they may work soon?

No. You just have a certificate for fr.yourdomain.

You should make sure that the virtualhosts for fr, ru, and the others use this cert:

  • /etc/letsencrypt/live/uk-franchises-for-sale.co.uk/fullchain.pem

and this key:

  • /etc/letsencrypt/live/uk-franchises-for-sale.co.uk/privkey.pem

How did you install your certificate?

That is strange, I didn’t type in fr. when adding the certificate, I only used * wildcard. I will check my settings

I used the command in my OP, but I used the wildcard, not fr., as I intend for all countries to have SSL: ru., fr., au., etc.

How did you install your certificate?

You need to do that again, installing the wildcard everywhere you want it. Certbot can do it for you, with certbot install.

OK, so just certbot install, then run the command again? Do I need to purge the packages or just run that command?

That command does not install a certificate. It just gets one, leaving installation up to you.

certbot install and stop there. Don’t run certonly.

It’s asking me which I’d like to install:
uk-franchises-for-sale.co.uk OR
uk-franchises-for-sale.co.uk-0001

Which should I use?

First one, I guess. If you want to be sure, exit and run certbot certificates.

I have now run the following, along with the associated output. Unfortunately, it isn’t using SSL yet.

root@:/etc/apache2/sites-available#
certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: uk-franchises-for-sale.co.uk-0001
    Domains: uk-franchises-for-sale.co.uk www.uk-franchises-for-sale.co.uk
    Expiry Date: 2020-06-23 12:00:43+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/uk-franchises-for-sale.co.uk-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/uk-franchises-for-sale.co.uk-0001/privkey.pem
  Certificate Name: uk-franchises-for-sale.co.uk
    Domains: *.uk-franchises-for-sale.co.uk uk-franchises-for-sale.co.uk
    Expiry Date: 2020-06-23 12:03:20+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/uk-franchises-for-sale.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/uk-franchises-for-sale.co.uk/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@franchiseekdev:/etc/apache2/sites-available# certbot install
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator None, Installer apache

Which certificate would you like to install?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: uk-franchises-for-sale.co.uk-0001
2: uk-franchises-for-sale.co.uk
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Which VirtualHosts would you like to install the wildcard certificate for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: File: /etc/apache2/sites-enabled/000-default-le-ssl.conf
Addresses: *:443
Names: uk-franchises-for-sale.co.uk, www.uk-franchises-for-sale.co.uk
HTTPS: Yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enhancement redirect was already set.
Enhancement redirect was already set.

SSL still works for fr.uk-franchises-for-sale.co.uk and the root domain, although ru., es., etc. do not work.

However the root domain uk-franchises-for-sale.co.uk IS showing *.uk-franchises-for-sale.co.uk on the SSL certificate when clicking padlock in the chrome address bar.
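The two certificate lineages in the `certbot certificates` output above have different name coverage, and the thread turns on which hostnames each one actually covers. The following Python, added here as an example (it is not Certbot's or the forum's own code), parses that output and applies the wildcard rule browsers use: `*` must be the whole left-most label and matches exactly one label, so `*.uk-franchises-for-sale.co.uk` covers fr. and ru. but neither the bare apex (which is why Certbot also put the apex in the same certificate) nor a two-level name like a.fr.… . The sample text is a constructed copy of the thread's output.

```python
"""Which certificate lineage covers a given hostname?

Added example for this thread; not Certbot code. The sample output below is
constructed to mirror the `certbot certificates` listing in the thread.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed copy of the two lineages shown in the thread.
SAMPLE_CERTBOT_OUTPUT = """
Found the following certs:
  Certificate Name: uk-franchises-for-sale.co.uk-0001
    Domains: uk-franchises-for-sale.co.uk www.uk-franchises-for-sale.co.uk
    Expiry Date: 2020-06-23 12:00:43+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/uk-franchises-for-sale.co.uk-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/uk-franchises-for-sale.co.uk-0001/privkey.pem
  Certificate Name: uk-franchises-for-sale.co.uk
    Domains: *.uk-franchises-for-sale.co.uk uk-franchises-for-sale.co.uk
    Expiry Date: 2020-06-23 12:03:20+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/uk-franchises-for-sale.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/uk-franchises-for-sale.co.uk/privkey.pem
"""


@dataclass(frozen=True)
class Cert:
    name: str               # Certbot lineage name (the directory under /etc/letsencrypt/live)
    sans: tuple[str, ...]   # dNSName entries listed on the "Domains:" line


def parse_certbot_certificates(text: str) -> list[Cert]:
    """Extract (lineage name, SAN list) pairs from `certbot certificates` output."""
    certs: list[Cert] = []
    name = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Domains:") and name is not None:
            certs.append(Cert(name, tuple(line.split(":", 1)[1].split())))
            name = None
    return certs


def san_matches(pattern: str, hostname: str) -> bool:
    """Browser-style (RFC 6125 section 6.4.3) dNSName matching.

    A wildcard is accepted only as the entire left-most label, must be
    followed by at least two more labels, and matches exactly one label.
    Partial wildcards such as "f*.example.com" are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):       # "*" never spans two labels or zero labels
        return False
    return p_labels[1:] == h_labels[1:]


def covering_certs(certs: list[Cert], hostname: str) -> list[str]:
    """Names of the lineages whose SAN list covers `hostname`, in listing order."""
    return [c.name for c in certs if any(san_matches(s, hostname) for s in c.sans)]


CERTS = parse_certbot_certificates(SAMPLE_CERTBOT_OUTPUT)

if __name__ == "__main__":
    for host in ("uk-franchises-for-sale.co.uk", "www.uk-franchises-for-sale.co.uk",
                 "fr.uk-franchises-for-sale.co.uk", "ru.uk-franchises-for-sale.co.uk",
                 "a.fr.uk-franchises-for-sale.co.uk"):
        print(f"{host:40} -> {covering_certs(CERTS, host) or 'no certificate covers this name'}")
```

Run against the sample, the `-0001` lineage covers only the apex and www, while the wildcard lineage covers every single-label subdomain plus the apex; nothing covers a.fr.… . Having a covering certificate on disk is necessary but not sufficient: the name still has to resolve to this server and be served by a VirtualHost that references that lineage's fullchain.pem and privkey.pem.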

You need to find the file there in /etc/apache2/sites-enabled where the fr and ru sites are defined.

These sites do not exist as subdomains on the server; the only site hosted is uk-franchises-for-sale.co.uk. Through that, and DNS CNAMEs, the subdomains are automatically translated through the WordPress plugin Gtranslate.io. Would this therefore be a case of me contacting them?

No. Show me the output of apachectl -S (apache2 maybe).

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  uk-franchises-for-sale.co.uk (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

So, are those subdomains actually hosted by them and not on your server?

That is correct, yes, would this be their problem then and not mine?

I think it is.

Strange service, theirs, using a CNAME for this.

Many thanks 9peppe. I’ll give it 24 hours and see what happens.
Thanks for your assistance.