Wildcard subdomain cert on different server

Help
1

Dear Support

I have 2 servers set up.

Server 1, hosts flowwup.com, which has a certificate and the HTTPS works perfectly fine

Server 2, hosts the wildcard subdomain flowwup.com (e.g. admin.flowwup.com or anything.flowwup.com) but I can't get https working on it.

My domain is: flowwup.com

I ran this command on my subdomain server (server 2): sudo certbot
With the aim of activating HTTPS for the wildcard subdomain

It produced this output:
sudo certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?

1: flowwup.com

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for flowwup.com
Waiting for verification...
Challenge failed for domain flowwup.com
http-01 challenge for flowwup.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

If I run certbot certificates, I get the following:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: flowwup.com
Domains: *.flowwup.com
Expiry Date: 2021-11-05 10:14:47+00:00 (VALID: 74 days)
Certificate Path: /etc/letsencrypt/live/flowwup.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/flowwup.com/privkey.pem

As far as I can tell, the certificates looks like they've been installed correctly but I'm struggling to get https working on the subdomain server.

Thanks

2

The above command with the selected plugins could never result in the wildcard certificate shown at the bottom of your post, as wildcard certificates require the dns-01 challenge, which is not provided by the "apache" authenticator.

How did you manage to get the wildcard certificate, if not with the certbot commands above?

1 Like
3

Originally, I ran the following command on server 2 (wildcard domain server):

certbot certonly --manual --preferred-challenges=dns --email --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.flowwup.com

After running it, I followed the instructions to pass the domain challenge (adding the TXT DNS record).

4

You used certonly, so certbot didn't install the issued certificate into the webserver.

You might try installing the wildcard certificate using a command such as:

certbot install -i apache

Note that the --manual plugin cannot be used to renew automatically without using --manual-auth-hook, so you'd need to renew the certificate manually every 60-90 days.

1 Like
5

Thank you Osiris, I've got https now working with the wildcard subdomains using the command you provided :grinning:

I've tested the install by running: sudo certbot renew --dry-run
And got the following response:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/flowwup.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (flowwup.com) from /etc/letsencrypt/renewal/flowwup.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/flowwup.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/flowwup.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

I'm guessing this would have something to do with what you mentioned about the --manual plugin.

What would be the best way to resolve this?

6

Firstly, you'd need a way to update your DNS zone through some kind of API, so certbot can add and remove the required TXT records automatically.

I see you're using DigitalOcean. So instead of using the manual plugin, you could also try using the certbot-dns-digitalocean plugin. You can read more about DNS plugins at the certbot manual here:

https://certbot.eff.org/docs/using.html#dns-plugins

And the certbot-dns-digitalocean plugin manual can be found here:

https://certbot-dns-digitalocean.readthedocs.io/en/stable/

7

Thank you for the link, I'll work through this tomorrow and see if I am able to get it working so that it will renew automatically.

1 Like
8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.