Wildcard SSL cert does not work on subdomain

[Sun Mar 5 11:22:12 MSK 2023] Unknown parameter : office.vadim.com.ru
Also this wildcard already shows here on the list: crt.sh | vadim.com.ru


Please put quotes around the wildcard hostname. Currently bash is expanding the asterisk from your current working directory.

4 Likes
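Why the quoting matters, as an added example that is not part of the thread: the shell expands an unquoted `*.vadim.com.ru` against the files in the current directory before acme.sh ever sees its arguments, and a non-matching pattern is left literal, so the same command line can work in one directory and fail in another. The scratch directories and file names below are constructed for the demo; acme.sh itself is not invoked, a one-line `count_args` stands in for its option parser.

```shell
#!/bin/sh
# Added example, not from the thread: how an unquoted wildcard such as
# -d *.vadim.com.ru can turn into "Unknown parameter : office.vadim.com.ru".
# The scratch directories and file names are constructed for the demo.
set -eu

# A directory that happens to contain names matching *.vadim.com.ru,
# standing in for whatever was lying in the user's working directory,
# and an empty one for comparison.
demo_dir=$(mktemp -d)
empty_dir=$(mktemp -d)
: > "$demo_dir/cloud.vadim.com.ru"
: > "$demo_dir/office.vadim.com.ru"
trap 'rm -rf "$demo_dir" "$empty_dir"' EXIT

# Stand-in for a CLI option parser: reports how many arguments arrived.
count_args() { echo "$#"; }

# Unquoted glob where matching files exist: the shell replaces
# *.vadim.com.ru with every matching name, so an extra positional
# argument appears with no -d in front of it.
unquoted_count() {
    ( cd "$demo_dir" && count_args -d vadim.com.ru -d *.vadim.com.ru )
}

# The stray argument a parser would reject: the second glob match.
unquoted_stray_arg() {
    ( cd "$demo_dir" && set -- -d vadim.com.ru -d *.vadim.com.ru && printf '%s' "$5" )
}

# Same unquoted command in a directory with no matches: POSIX sh leaves a
# non-matching pattern literal, which is why the bug looks intermittent.
unquoted_count_no_match() {
    ( cd "$empty_dir" && count_args -d vadim.com.ru -d *.vadim.com.ru )
}

# Quoted glob: the literal string reaches the program regardless of cwd.
quoted_count() {
    ( cd "$demo_dir" && count_args -d vadim.com.ru -d '*.vadim.com.ru' )
}

quoted_literal() {
    ( cd "$demo_dir" && set -- -d vadim.com.ru -d '*.vadim.com.ru' && printf '%s' "$4" )
}

echo "unquoted, dir with matches: $(unquoted_count) args, stray: $(unquoted_stray_arg)"
echo "unquoted, empty dir:        $(unquoted_count_no_match) args"
echo "quoted:                     $(quoted_count) args, last: $(quoted_literal)"
```

The quoted form is the one to put in cron or a renewal script; `set -f` (disable pathname expansion) is the belt-and-braces alternative when the domain list comes from a variable.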
[Sun Mar  5 11:56:53 MSK 2023] Domains have changed.
[Sun Mar  5 11:56:54 MSK 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sun Mar  5 11:56:54 MSK 2023] Multi domain='DNS:vadim.com.ru,DNS:*.vadim.com.ru'
[Sun Mar  5 11:56:54 MSK 2023] Getting domain auth token for each domain
[Sun Mar  5 11:56:57 MSK 2023] Getting webroot for domain='vadim.com.ru'
[Sun Mar  5 11:56:57 MSK 2023] Getting webroot for domain='*.vadim.com.ru'
[Sun Mar  5 11:56:57 MSK 2023] vadim.com.ru is already verified, skip dns-01.
[Sun Mar  5 11:56:57 MSK 2023] *.vadim.com.ru is already verified, skip dns-01.
[Sun Mar  5 11:56:57 MSK 2023] Verify finished, start to sign.
[Sun Mar  5 11:56:57 MSK 2023] Lets finalize the order.
[Sun Mar  5 11:56:57 MSK 2023] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/859998607/168293866927'
[Sun Mar  5 11:57:00 MSK 2023] Downloading cert.
[Sun Mar  5 11:57:00 MSK 2023] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/03f18f8001bd128052141bfde2a80802155b'
[Sun Mar  5 11:57:01 MSK 2023] Cert success.

Do I create it as the third cert now or instead of some of my previous ones?
As far as I understand this one should work for domains and subdomains, shouldn't it?

Correct.

Once you've configured all services using this latest certificate, please remove all the now unused certificates from acme.sh if there are any left, otherwise they'll keep renewing, even when not in use.

5 Likes

I did it with Nextcloud but it still shows in the browser as if using the old one? How come? Or does it take time to kick in?

1 Like

My new cert does not work - I added it as advised, to no avail. It shows as valid until May but does not work on Nextcloud for some reason.

Please show the error/failure.
And, also, how did you add it to nextcloud?

2 Likes


I added the key cert and full cert (consisting of 3 different certs) via the TrueNAS GUI, as was advised in the previous thread.

Where did you configure the self-signed Traefik cert?

That's what is being shown for requests to that domain name.

3 Likes

Traefik is not self-signed - it is configured to use this cert too, in the config file of the TrueNAS GUI as well. I guess I added something wrong because the certs seem to be valid. I'll check it again.

This is the certificate I presently see being served, and it is a self-signed certificate.

$ openssl s_client -showcerts -servername vadim.com.ru -connect vadim.com.ru:443 < /dev/null
CONNECTED(00000003)
depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = TRAEFIK DEFAULT CERT
verify return:1
---
Certificate chain
 0 s:CN = TRAEFIK DEFAULT CERT
   i:CN = TRAEFIK DEFAULT CERT
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar  9 05:29:36 2023 GMT; NotAfter: Mar  8 05:29:36 2024 GMT
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = TRAEFIK DEFAULT CERT
issuer=CN = TRAEFIK DEFAULT CERT
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, secp521r1, 521 bits
---
SSL handshake has read 1600 bytes and written 793 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: DEBF55E04B1CDB74A71551337D21F39B8FA6A19FCCCD045F383B055FFCE3DC20
    Session-ID-ctx:
    Resumption PSK: 3724EA853339F419305CBEBDF74EA2E84C907FBAE5CAAE4705780CB401AF8359
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:
    0000 - 4e 4d 12 ec 62 18 ac ca-2a a9 79 43 9f 33 de 0a   NM..b...*.yC.3..
    0010 - 91 86 03 3c 17 e9 e6 6a-1d 00 c5 2b a4 3c cb ef   ...<...j...+.<..
    0020 - d1 ae b2 be 51 b7 26 2a-e0 14 97 08 fb 16 4b dd   ....Q.&*......K.
    0030 - 4d 32 04 f2 91 0d 10 a0-33 11 d1 c8 b9 49 43 68   M2......3....ICh
    0040 - c0 d2 68 ee 3e 88 73 39-65 21 98 1b ae 3e d9 ae   ..h.>.s9e!...>..
    0050 - 63 7c f9 73 65 95 19 e2-8f c1 1a 14 34 48 b7 11   c|.se.......4H..
    0060 - 38 98 7b 5a 64 5e 1d 4a-32 6e 70 ce e1 63 6b f7   8.{Zd^.J2np..ck.
    0070 - d6                                                .

    Start Time: 1678381444
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
DONE
1 Like
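The checks above can be scripted so they run after every deploy instead of by hand. The following is an added example, not code from the thread or from acme.sh, Traefik or TrueNAS: it parses the `Server certificate` block of `openssl s_client` output to spot a placeholder such as `TRAEFIK DEFAULT CERT` (subject equals issuer), and applies the RFC 6125 wildcard rule to the SAN list acme.sh printed (`DNS:vadim.com.ru,DNS:*.vadim.com.ru`) to show which hostnames that certificate actually covers. The two transcripts are constructed excerpts, the first shaped like the one posted above; the issuer DN in the second is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: post-deploy checks run here against
# constructed excerpts of `openssl s_client` output rather than a live host.
set -eu

# Value of a "subject=" / "issuer=" line in s_client's "Server certificate" block.
field() { printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1; }

# self-signed : subject and issuer are the same DN (e.g. TRAEFIK DEFAULT CERT)
# verified    : a chain OpenSSL accepted ("Verify return code: 0 (ok)")
# unverified  : anything else (expired, untrusted issuer, ...)
served_cert_status() {
    out=$1
    subj=$(field subject "$out"); iss=$(field issuer "$out")
    if [ -n "$subj" ] && [ "$subj" = "$iss" ]; then
        echo self-signed
    elif printf '%s\n' "$out" | grep -q '^Verify return code: 0 '; then
        echo verified
    else
        echo unverified
    fi
}

# RFC 6125 wildcard rule: "*" only as the whole leftmost label, matching exactly
# one label. *.vadim.com.ru covers office.vadim.com.ru, but not vadim.com.ru
# itself and not a.b.vadim.com.ru, which is why the apex needs its own SAN.
name_matches() {
    case "$2" in
        \*.*) [ "${1#*.}" = "${2#\*.}" ] && [ "${1#*.}" != "$1" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# Does any entry of an acme.sh-style SAN list ("DNS:a,DNS:*.b") cover the host?
covered_by() {
    host=$1; sans=$2
    old_ifs=$IFS
    set -f; IFS=,; set -- $sans; IFS=$old_ifs; set +f   # split on commas, no globbing
    for san in "$@"; do
        name_matches "$host" "${san#DNS:}" && return 0
    done
    return 1
}

# Constructed excerpt, shaped like the s_client output posted in the thread.
traefik_default='depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=18:self-signed certificate
---
Server certificate
subject=CN = TRAEFIK DEFAULT CERT
issuer=CN = TRAEFIK DEFAULT CERT
---
Verify return code: 18 (self-signed certificate)'

# Constructed excerpt of a correctly served wildcard cert (issuer DN assumed).
le_wildcard='depth=0 CN = *.vadim.com.ru
verify return:1
---
Server certificate
subject=CN = *.vadim.com.ru
issuer=C = US, O = Let'\''s Encrypt, CN = R3
---
Verify return code: 0 (ok)'

# SAN list as printed on the acme.sh "Multi domain=" line above.
sans='DNS:vadim.com.ru,DNS:*.vadim.com.ru'

echo "placeholder cert : $(served_cert_status "$traefik_default")"
echo "wildcard cert    : $(served_cert_status "$le_wildcard")"
for h in vadim.com.ru office.vadim.com.ru a.b.vadim.com.ru; do
    if covered_by "$h" "$sans"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
```

Against a live host, feed `served_cert_status` the output of `openssl s_client -servername HOST -connect HOST:443 </dev/null 2>/dev/null`; always pass `-servername`, since a proxy like Traefik picks the certificate by SNI and without it you may be shown the default cert even when the real one is configured. `s_client` only prints the CN, so to read the actual SAN list from the served certificate pipe the same output through `openssl x509 -noout -ext subjectAltName` (OpenSSL 1.1.1 or later) rather than trusting the CN.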

I removed this one, copied all the certs again and now everything works - I guess it was a copy/paste error. Thanks everybody for all your help!

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.