Wildcard on more than one server

Hi, I successfully set up a wildcard on our staging server

I ran this command: certbot -d *.njom.com --manual --preferred-challenges dns certonly
This was on a Linux 2 server with Apache. The command returned a challenge that I entered as a TXT record in our Route 53 server.
Tested, and it all worked like a charm.

Now I wanted the same certificate on our production server.
Running the same command produced no error, but no challenge either!
Now it stops working and the Apache server does not return the *.njom.com certificate. Certbot sees the *.njom.com certificate and indicates that it is valid.
So I deleted the TXT records and the certificate and tried to reinstall, but with the same result.
I then also deleted the certificate on the staging server, thinking I would repeat the steps and see if I had missed anything. Running the command produced no error but no challenge either, so that certificate is gone now as well.

So why can I not install on my second server?
And why can I not clean and restart?

My web server is Apache/2.4.53
The operating system my web server runs on is Linux 2
I can log in to a root shell on my machine: Yes
The version of my client is certbot 0.39.0

Regards
Kent

A cert is issued for a domain name. The cert (fullchain and privkey) from your "staging" server can just be copied to your production server since they share the same domain name.

Let's Encrypt remembers validated domain names on your account for 30 days so does not issue a fresh challenge.

You could also set up your production cert with a different account than your staging server. This might be your best option if they share the same domain name. Or, set up your staging server to use a different domain name from production. Without knowing much of how you manage your system it is difficult to give precise advice.

2 Likes
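Since the thread turns on whether the *.njom.com certificate copied from staging actually covers the names production serves, here is an added helper (not from the thread or from Certbot) that applies the wildcard matching rule browsers and Let's Encrypt use: `*.njom.com` covers `www.njom.com` but not `njom.com` itself or `a.b.njom.com`. The hostnames in the usage function are constructed for illustration.

```python
import re

# Hostname label: letters, digits and inner hyphens only (names are lower-cased first).
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def _normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'WWW.njom.com.' equals 'www.njom.com'."""
    return name.strip().lower().rstrip(".")


def san_matches(san: str, hostname: str) -> bool:
    """True if one dNSName SAN entry covers hostname.

    Rules applied:
    - '*.njom.com' matches exactly one extra label: 'www.njom.com' yes,
      'njom.com' no, 'a.b.njom.com' no.
    - a wildcard is only accepted as the whole left-most label, with at
      least two labels to its right ('w*.njom.com' and '*.com' are rejected).
    """
    san, hostname = _normalize(san), _normalize(hostname)
    if not san or not hostname:
        return False
    san_labels, host_labels = san.split("."), hostname.split(".")
    if "*" in san:
        if san_labels[0] != "*" or len(san_labels) < 3:
            return False
        if any("*" in label for label in san_labels[1:]):
            return False
        if len(host_labels) != len(san_labels):
            return False
        # Right-hand labels must be identical; the left-most host label must be a real label.
        return host_labels[1:] == san_labels[1:] and _LABEL.match(host_labels[0]) is not None
    return san == hostname


def cert_covers(sans: list[str], hostname: str) -> bool:
    """True if any SAN entry in the certificate covers hostname."""
    return any(san_matches(san, hostname) for san in sans)


def uncovered(sans: list[str], hostnames: list[str]) -> list[str]:
    """Hostnames the certificate would NOT serve correctly; run this before
    copying a staging cert to production to spot gaps like the bare domain."""
    return [h for h in hostnames if not cert_covers(sans, h)]


if __name__ == "__main__":
    # Constructed example: a wildcard-only cert checked against production names.
    print(uncovered(["*.njom.com"], ["njom.com", "api.njom.com", "a.b.njom.com"]))
```

A bare-domain gap (`njom.com` not covered by `*.njom.com` alone) is the usual reason a wildcard cert "is valid" in Certbot yet the site still fails for some hostnames.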

You should expect this.
LE will usually cache authentications for up to 30 days.
Why would it need to reauthenticate your request for the exact same set of names?
It should have provided you with the option to generate a new cert or reissue you the current cert.

1 Like

Thanks for the response! With the information you provided it is clear that it cannot work. I am now trying to see if the use of a different account can solve the problem. But I don't only have a wildcard domain; I am also hosting other domains as a part of our service, so I need all of them to work, and I need to know that changing account doesn't change any existing certificate, or that I can be sure that a restore of them works.

Thanks for the response! I think a problem here is that there should be documentation explaining this; it could be as simple as a part of the output from certbot when running the command.

I'm not sure there is a problem?

If Certbot "sees" the certificate on your production server (not sure how that would be possible), then Apache can just use it, right?

3 Likes
