Wildcard sub domain not working

Help
#1

My domain is: digiassetx.com
My web server is (include version): nodejs+express
The operating system my web server runs on is (include version): ubuntu 18.04 LTS

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

My problem is that www.digiassetx.com works but digiassetx.com says invalid cert.

Domain on cert is: *.digiassetx.com
i did try modifying the cert by running: sudo certbot certonly --cert-name digiassetx.com -d *.digiassetx.com,digiassetx.com
but this gives me the error:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

pretty sure last time i renewed certbot I had to put some values in my DNS records but it is not giving that option this time

2 Likes
#2

If you're not aware already, you can get Certbot to automatically issue and renew wildcard certificates using the Route53 integration.

You just need to install an extra Certbot DNS plugin:

sudo apt install python3-certbot-dns-route53

and then follow the instructions on https://certbot-dns-route53.readthedocs.io/en/latest/.

This will deal with creating all the TXT records and such for you.

3 Likes
#3

Welcome to the Let's Encrypt Community, Matthew :slightly_smiling_face:

I fully concur with _az, but I can help you revise your manual command though:

sudo certbot certonly --cert-name digiassetx.com --manual --preferred-challenges dns -d "digiassetx.com,*.digiassetx.com" --keep-until-expiring

As for digiassetx.com, it is currently serving a certificate that only includes *.digiassetx.com, which won't work. Oddly, there is a newer certificate that is not currently being served. Restart the webserver?

Wrong certificate being served:

Screenshot_20201010-203300_Samsung Internet
Screenshot_20201010-203300_Samsung Internet1439×2724 427 KB

Complete certificate history:

2 Likes
#4

thank you so much for the help you where both correct. The plugin fix the renewal problem but I also had to restart the server to get it to serve the new certificate. :slight_smile:

3 Likes
#5

Sounds like the perfect place for the --deploy-hook to do its' magic.

2 Likes