Wildcard subdomains not working

Hi, folks. I tried to install and enable wildcard subdomains via Certbot. It was successful. I also created a TXT-type record in DNS zone (in this case, GoDaddy), but when I try to access anything like https://*.zuump.net, I simply can't and the page that shows is:

It's like the subdomains do not exist. I also created that TXT-type record about one hour ago or so. Does this have something to do with the notice "Service status: Service Disruption: acme-staging-v02.api.letsencrypt.org (Staging)" I see today on the top? If not, what's wrong? My Nginx config is OK too, and it is running perfectly.

Also, I tried to follow all the steps from this link:
Let’s Encrypt generating Wildcard SSL certificate using Certbot | by Marcin Cuber | Medium

Is there something missing?

Thanks


My domain is: zuump.net

I ran this command:

sudo certbot certonly --manual   --preferred-challenges=dns   --email fernandomassolini@gmail.com   --server https://acme-v02.api.letsencrypt.org/directory   --agree-tos   --manual-public-ip-logging-ok   -d "*.zuump.net"

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for zuump.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.zuump.net with the following value:

IBRI5KCQoY31SbF3ngdtSdr_CBtMjIbnwNW9MM3x4Ts

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04 LTS

My hosting provider, if applicable, is: Oracle Cloud Infrastructure

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

1 Like

Yes. I'm afraid you're lacking some basic IT knowledge. Having a wildcard certificate is only useful to secure a hostname with a random leftmost label (i.e.: a wildcard hostname). It does not actually make a wildcard hostname: that part is fixed in the DNS. And of course another part would be the webserver, but you claim that's configured properly.

TL;DR: you shouldn't forget DNS.

3 Likes

Here is a list of issued certificates crt.sh | zuump.net, the latest being 2022-11-16.
However the latest *.zuump.net was 2022-06-07.

Using https://unboundtest.com/ does show the _acme-challenge DNS entry, which looks correct for a DNS-01 challenge.
https://unboundtest.com/m/TXT/_acme-challenge.zuump.net/GNV47RTO
;; ANSWER SECTION:
_acme-challenge.zuump.net. 0 IN TXT "IBRI5KCQoY31SbF3ngdtSdr_CBtMjIbnwNW9MM3x4Ts"

However, using https://letsdebug.net/ with DNS-01 chosen, the Let's Debug results show WARNINGs.

Using SSL Server Test (Powered by Qualys SSL Labs)
SSL Server Test: zuump.net (Powered by Qualys SSL Labs)
I see this certificate being served, not a wildcard certificate.

Correct, it is like you did not create the subdomains.
However creating a Certificate does not create subdomains.

1 Like

The issue is not the cert here: a wildcard cert has indeed been issued. But that's just a tiny part of the entire thing, as I've stated above. Nginx is even correctly configured: it serves the wildcard cert if you add -servername blaat.zuump.net to the options when connecting using openssl s_client. It's just that DNS is not properly configured.

4 Likes

Yes; that is absolutely very true.

1 Like

It makes sense. Look, that's my DNS zone. But I couldn't find any error there:

I can't see any error in the DNS settings there. Moreover, there are other subdomains set there such as "lacoprofissional.zuump.net", "paradura.zuump.net", etc. All of them are type A records.

And this is my Nginx configuration settings for the wildcard subdomain thing:

server {
    # Listen on ipv4
    listen 80;
    listen [::]:80;

    server_name *.zuump.net;

    # Redirect all insecure http:// requests to https://
    return 301 https://$host$request_uri;
}

server {
    #listen 80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name *.zuump.net;

    root /var/www/html/zuump/public;
    index index.php index.html;

    ##add_header Content-Security-Policy "connect-src 'self' wss: data: gap: https://*.googleapis.com/ https://*.fontawesome.com/ https://*.gstatic.com/ https://*.google-analytics.com/ https://*.youtube.com/ https://*.facebook.net/ https://*.boletobancario.com/ https://*.nr-data.net/ https://yt2html5.com/ 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/ https://*.fontawesome.com/ https://npmcdn.com/ https://*.jsdelivr.net/; media-src *; img-src 'self' data: content: https://*.youtube.com/ https://*.google-analytics.com/ https://*.google.com/ https://*.google.com.br/ https://*.doubleclick.net/ https://*.facebook.com/ https://*.privacysandbox.googleadservices.com/ https://*.googletagmanager.com/ https://*.tcdn.com.br/ https://gestaoclick.com.br/ https://*.bcb.gov.br/ https://*.ytimg.com/; script-src 'unsafe-inline' https: 'nonce-dJ50t6IDR8' 'strict-dynamic'; object-src 'none'; base-uri 'self'";

    ##include /etc/nginx/iprestriction;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
    include /etc/nginx/templates/zuump.tmpl;
    include /etc/nginx/templates/php-catchall.tmpl;

    ssl_certificate /etc/letsencrypt/live/zuump.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/zuump.net/privkey.pem;
}

The configuration for the other subdomains also follows that standard.

Just using lacoprofissional.zuump.net as the example,
your Authoritative DNS Name Server cannot offer an answer.

Let's Encrypt Challenges use the domain name's Authoritative DNS Name Server.

$ nslookup
> lacoprofissional.zuump.net
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   lacoprofissional.zuump.net
Address: 152.67.32.77
> set q=ns
> lacoprofissional.zuump.net
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
*** Can't find lacoprofissional.zuump.net: No answer

Authoritative answers can be found from:
zuump.net
        origin = ns07.domaincontrol.com
        mail addr = dns.jomax.net
        serial = 2022111609
        refresh = 28800
        retry = 7200
        expire = 604800
        minimum = 600
> server ns07.domaincontrol.com
Default server: ns07.domaincontrol.com
Address: 97.74.103.4#53
Default server: ns07.domaincontrol.com
Address: 2603:5:2170::4#53
> lacoprofissional.zuump.net
Server:         ns07.domaincontrol.com
Address:        97.74.103.4#53

*** Can't find lacoprofissional.zuump.net: No answer
>
1 Like

Your screenshot shows you have DNS records for 5 subdomains and they all appear to be working. If you want ALL POSSIBLE subdomains to resolve, you need to create a DNS entry for *.

4 Likes
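The thread's two separate checks, a DNS answer for the name and a certificate that covers it, as an added example that is not part of the thread (names and the zone contents are constructed from the hostnames and address quoted above; `live_san_names` is a hypothetical helper that mirrors the `openssl s_client -servername` test and is not needed for the offline checks):

```python
"""Added example (not from the thread): the two separate checks a wildcard
hostname has to pass.  Offline; the zone and SAN data below are constructed."""
import socket
import ssl

def cert_covers(host, san_names):
    """RFC 6125 as Let's Encrypt issues it: '*' is exactly one leftmost label, so
    *.zuump.net covers blaat.zuump.net but neither zuump.net nor a.b.zuump.net."""
    host = host.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in san_names):
        if name == host:
            return True
        label, _, rest = host.partition(".")
        if name.startswith("*.") and label and rest == name[2:]:
            return True
    return False

def dns_answer(host, zone):
    """RFC 4592: an exact record wins, else the '*' under the closest existing ancestor."""
    host = host.lower().rstrip(".")
    if host in zone:
        return zone[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if encloser in zone or any(n.endswith("." + encloser) for n in zone):
            return zone.get("*." + encloser)
    return None

def diagnose(host, zone, san_names):
    """Order matters: the browser never reaches TLS if DNS gives no answer."""
    if dns_answer(host, zone) is None:
        return "no DNS answer: neither an exact A record nor a '*' record"
    if not cert_covers(host, san_names):
        return "DNS ok, but the certificate does not cover this name"
    return "ok"

def live_san_names(host, port=443):
    """Network helper (unused offline): the SANs a server presents for this SNI
    name, the same thing 'openssl s_client -servername' shows."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return [v for k, v in tls.getpeercert()["subjectAltName"] if k == "DNS"]

# Constructed zone modelled on the thread: named A records only, no '*' record.
ZONE_BEFORE = {"zuump.net": "152.67.32.77", "lacoprofissional.zuump.net": "152.67.32.77"}
ZONE_AFTER = {**ZONE_BEFORE, "*.zuump.net": "152.67.32.77"}  # the missing record
SANS = ["*.zuump.net"]  # what the issued wildcard certificate carries
```

`diagnose("blaat.zuump.net", ZONE_BEFORE, SANS)` reports the missing DNS answer seen in the thread, while with `ZONE_AFTER` it returns "ok"; `a.b.zuump.net` shows the remaining caveat that a DNS wildcard matches several labels but the certificate wildcard matches only one.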

I don't see a wildcard entry.

And those seem to be working.

What exactly are you trying to achieve here?

3 Likes

Lol, my bad, guys! Osiris is right. I forgot to add the record for the wildcard thing. Thank you, guys!

1 Like

:wink:


3 Likes