Wildcard subdomain cert on different server

Dear Support

I have 2 servers set up.

Server 1, hosts flowwup.com, which has a certificate and the HTTPS works perfectly fine

Server 2, hosts the wildcard subdomain flowwup.com (e.g. admin.flowwup.com or anything.flowwup.com) but I can't get https working on it.

My domain is: flowwup.com

I ran this command on my subdomain server (server 2): sudo certbot
With the aim of activating HTTPS for the wildcard subdomain

It produced this output:
sudo certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: flowwup.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for flowwup.com
Waiting for verification...
Challenge failed for domain flowwup.com
http-01 challenge for flowwup.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

If I run certbot certificates, I get the following:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: flowwup.com
Domains: *.flowwup.com
Expiry Date: 2021-11-05 10:14:47+00:00 (VALID: 74 days)
Certificate Path: /etc/letsencrypt/live/flowwup.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/flowwup.com/privkey.pem

As far as I can tell, the certificates look like they've been installed correctly, but I'm struggling to get https working on the subdomain server.

Thanks

The above command with the selected plugins could never result in the wildcard certificate shown at the bottom of your post, as wildcard certificates require the dns-01 challenge, which is not provided by the "apache" authenticator.

How did you manage to get the wildcard certificate, if not with the certbot commands above?


Originally, I ran the following command on server 2 (wildcard domain server):

certbot certonly --manual --preferred-challenges=dns --email --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.flowwup.com

After running it, I followed the instructions to pass the domain challenge (adding the TXT DNS record).

You used certonly, so certbot didn't install the issued certificate into the webserver.

You might try installing the wildcard certificate using a command such as:

certbot install -i apache

Note that the --manual plugin cannot be used to renew automatically without using --manual-auth-hook, so you'd need to renew the certificate manually every 60-90 days.

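
The renewal failure Osiris warns about is recorded in certbot's own renewal config, so it can be checked before a real renewal is attempted. The script below is an added example, not something posted in this thread or shipped with certbot: it reads the `authenticator` and `manual_auth_hook` keys that certbot stores under `[renewalparams]` in `/etc/letsencrypt/renewal/<name>.conf` and reports any lineage that uses the manual plugin without a hook. The sample config it audits is constructed to match what `certonly --manual --preferred-challenges=dns` leaves behind; the account id in it is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): audit certbot renewal configs for the
# condition behind "An authentication script must be provided with
# --manual-auth-hook". The demo directory and sample config are constructed.

# Print a verdict for one renewal config. Returns 0 when 'certbot renew' can
# run unattended and 1 when it cannot. The keys read here (authenticator,
# manual_auth_hook) are the ones certbot writes under [renewalparams].
renewal_is_unattended() {
  conf="$1"
  auth=$(sed -n 's/^authenticator[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
  hook=$(sed -n 's/^manual_auth_hook[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
  case "$auth" in
    "")
      echo "$conf: no authenticator recorded"
      return 1 ;;
    manual)
      if [ -z "$hook" ]; then
        echo "$conf: authenticator=manual with no manual_auth_hook; renew will fail"
        return 1
      fi
      if [ ! -x "$hook" ]; then
        echo "$conf: manual_auth_hook '$hook' is missing or not executable"
        return 1
      fi
      echo "$conf: manual plugin with hook $hook"
      return 0 ;;
    *)
      echo "$conf: authenticator=$auth renews unattended"
      return 0 ;;
  esac
}

# Walk every *.conf in a renewal directory (default: certbot's own);
# exit status is 1 if any lineage would fail to renew.
audit_renewal_dir() {
  dir="${1:-/etc/letsencrypt/renewal}"
  rc=0
  for f in "$dir"/*.conf; do
    [ -e "$f" ] || continue
    renewal_is_unattended "$f" || rc=1
  done
  return "$rc"
}

# Constructed sample: what the manual dns-01 issuance for *.flowwup.com
# leaves behind. The account id is a placeholder, not a real value.
demo_dir=$(mktemp -d)
cat > "$demo_dir/flowwup.com.conf" <<'EOF'
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/flowwup.com
cert = /etc/letsencrypt/live/flowwup.com/cert.pem
privkey = /etc/letsencrypt/live/flowwup.com/privkey.pem
[renewalparams]
account = PLACEHOLDER_ACCOUNT_ID
authenticator = manual
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
installer = apache
EOF

audit_renewal_dir "$demo_dir" || echo "fix the config above before relying on 'certbot renew'"
```

Run it against the real directory with `audit_renewal_dir /etc/letsencrypt/renewal` (as root, since the configs are not world-readable); a non-zero exit means `certbot renew --dry-run` will fail for at least one certificate in the same way the dry run later in this thread does.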

Thank you Osiris, I've got https now working with the wildcard subdomains using the command you provided :grinning:

I've tested the install by running: sudo certbot renew --dry-run
And got the following response:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/flowwup.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (flowwup.com) from /etc/letsencrypt/renewal/flowwup.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/flowwup.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/flowwup.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

I'm guessing this would have something to do with what you mentioned about the --manual plugin.

What would be the best way to resolve this?

Firstly, you'd need a way to update your DNS zone through some kind of API, so certbot can add and remove the required TXT records automatically.

I see you're using DigitalOcean. So instead of using the manual plugin, you could also try using the certbot-dns-digitalocean plugin. You can read more about DNS plugins at the certbot manual here:

https://certbot.eff.org/docs/using.html#dns-plugins

And the certbot-dns-digitalocean plugin manual can be found here:

https://certbot-dns-digitalocean.readthedocs.io/en/stable/
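
As an added example of the plugin route Osiris suggests (this is not code from the thread or from the certbot project), the script below creates the credentials file the certbot-dns-digitalocean plugin reads, refuses to continue unless that file is mode 0600, and then re-issues the wildcard with the plugin handling the TXT record. The file path `/root/.secrets/certbot/digitalocean.ini` is a common convention, not a requirement, and the token value is a placeholder to be replaced with a real DigitalOcean API token. The flags `--dns-digitalocean`, `--dns-digitalocean-credentials` and `--dns-digitalocean-propagation-seconds` and the `dns_digitalocean_token` key are the plugin's own.

```shell
#!/bin/sh
# Added example (not from the thread): move the *.flowwup.com lineage from the
# manual plugin to certbot-dns-digitalocean so 'certbot renew' works unattended.
# Path is a convention and the token is a placeholder.

# Write the INI file the plugin reads. The token can edit the whole DNS zone,
# so the file is created under umask 077 (born 0600) rather than created
# world-readable and tightened afterwards.
write_do_credentials() {
  path="$1"
  token="$2"
  mkdir -p "$(dirname "$path")"
  chmod 700 "$(dirname "$path")"
  ( umask 077; printf 'dns_digitalocean_token = %s\n' "$token" > "$path" )
  chmod 600 "$path"
}

# True only when the credentials file is readable by its owner alone.
# certbot warns about loose permissions; checking first keeps us from
# running at all with a token that other local users could read.
credentials_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ]
}

# Re-issue into the existing lineage (--cert-name keeps the same
# /etc/letsencrypt/live/flowwup.com/ paths, so the Apache config written by
# 'certbot install -i apache' keeps working), then prove renewal works.
# A wildcard does not match the apex name; add "-d flowwup.com" here if this
# server should also serve flowwup.com itself.
issue_wildcard() {
  creds="$1"
  credentials_mode_ok "$creds" || { echo "refusing: $creds must be mode 600" >&2; return 1; }
  certbot certonly \
    --cert-name flowwup.com \
    --dns-digitalocean \
    --dns-digitalocean-credentials "$creds" \
    --dns-digitalocean-propagation-seconds 60 \
    -d '*.flowwup.com' \
  && certbot renew --dry-run
}

# Usage; only runs when RUN_ISSUE=1 so the functions can be sourced safely.
if [ "${RUN_ISSUE:-0}" = 1 ]; then
  write_do_credentials /root/.secrets/certbot/digitalocean.ini 'REPLACE_WITH_DO_API_TOKEN'
  issue_wildcard /root/.secrets/certbot/digitalocean.ini
fi
```

After a successful run the renewal config records `authenticator = dns-digitalocean` instead of `manual`, and the dry run that failed earlier in this thread should report 0 renew failures.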

Thank you for the link, I'll work through this tomorrow and see if I am able to get it working so that it will renew automatically.

