Wildcard subdomains not working

roguitar88 · November 16, 2022, 6:49pm

Hi, folks. I tried to install and enable wildcard subdomains via Certbot. It was successful. I also created a TXT-type record in DNS zone (in this case, GoDaddy), but when I try to access anything like https://*.zuump.net, I simply can't and the page that shows is:

It's like the subdomains do not exist. I also created that TXT-type about one hour ago or so. Does this have something to do with the notice "
Service status: Service Disruption: acme-staging-v02.api.letsencrypt.org (Staging)
" I see today on the top? If not, what's wrong? My Nginx config is ok, too and it is running perfectly.

Also, I tried to follow all the steps from this link:
Let’s Encrypt generating Wildcard SSL certificate using Certbot | by Marcin Cuber | Medium

Is there something missing?

Thanks

My domain is: zuump.net

I ran this command:

sudo certbot certonly --manual   --preferred-challenges=dns   --email fernandomassolini@gmail.com   --server https://acme-v02.api.letsencrypt.org/directory   --agree-tos   --manual-public-ip-logging-ok   -d "*.zuump.net"

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for zuump.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.zuump.net with the following value:

IBRI5KCQoY31SbF3ngdtSdr_CBtMjIbnwNW9MM3x4Ts

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04 LTS

My hosting provider, if applicable, is: Oracle Cloud Infrastructure

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

Osiris · November 16, 2022, 6:56pm

Yes. I'm afraid you're lacking some basic IT knowledge. Having a wildcard certificate is only useful to secure a hostname with a random most-left label (i.e.: a wildcard hostname). It does not actually make a wildcard hostname: that part is fixed in the DNS. And of course another part would be the webserver, but you claim that's configured properly.

TL;DR: you shouldn't forget DNS.

Bruce5051 · November 16, 2022, 7:06pm

Here is a list of issued certificates crt.sh | zuump.net, the latest being 2022-11-16.
However the latest *.zuump.net was 2022-06-07.

Using https://unboundtest.com/ does show the _acme-challenge.
DNS entry that looks correct for a DNS-01 Challenge.
https://unboundtest.com/m/TXT/_acme-challenge.zuump.net/GNV47RTO
;; ANSWER SECTION:
_acme-challenge.zuump.net. 0 IN TXT "IBRI5KCQoY31SbF3ngdtSdr_CBtMjIbnwNW9MM3x4Ts"

However using https://letsdebug.net/ with DNS-01 chosen in Let's Debug results there are WARNINGs

Using SSL Server Test (Powered by Qualys SSL Labs)
SSL Server Test: zuump.net (Powered by Qualys SSL Labs)
see this certificate being severed, not a Wildcard certificate.

Correct, it is like you did not create the subdomains.
However creating a Certificate does not create subdomains.

Osiris · November 16, 2022, 7:15pm

The issue is not the cert here: a wildcard cert has indeed been issued. But that's just a tiny part of the entire thing, as I've stated above. Nginx is even correctly configured: it serves the wildcard cert if you add -servername blaat.zuump.net to the options when connecting using openssl s_client. It's just DNS is not properly configured.

Bruce5051 · November 16, 2022, 7:16pm

Yes; that is absolutely very true.

roguitar88 · November 16, 2022, 9:37pm

It makes sense. Look, that's my DNS zone. But I couldn't find any error there:

I can't see any error in the DNS settings there. Moreover, there's other subdomains set there such as "lacoprofissional.zuump.net", "paradura.zuump.net", etc. All of them are type A records.

And this is my Nginx configuration settings for the wildcard subdomain thing:

server {
    # Listen on ipv4
    listen 80;
    listen [::]:80;

    server_name *.zuump.net;

    # Redirect all insecure http:// requests to https://
    return 301 https://$host$request_uri;
}

server {
    #listen 80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name *.zuump.net;

    root /var/www/html/zuump/public;
    index index.php index.html;

    ##add_header Content-Security-Policy "connect-src 'self' wss: data: gap: https://*.googleapis.com/ https://*.fontawesome.com/ https://*.gstatic.com/ https://*.google-analytics.com/ https://*.youtube.com/ https://*.facebook.net/ https://*.boletobancario.com/ https://*.nr-data.net/ https://yt2html5.com/ 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/ https://*.fontawesome.com/ https://npmcdn.com/ https://*.jsdelivr.net/; media-src *; img-src 'self' data: content: https://*.youtube.com/ https://*.google-analytics.com/ https://*.google.com/ https://*.google.com.br/ https://*.doubleclick.net/ https://*.facebook.com/ https://*.privacysandbox.googleadservices.com/ https://*.googletagmanager.com/ https://*.tcdn.com.br/ https://gestaoclick.com.br/ https://*.bcb.gov.br/ https://*.ytimg.com/; script-src 'unsafe-inline' https: 'nonce-dJ50t6IDR8' 'strict-dynamic'; object-src 'none'; base-uri 'self'";

    ##include /etc/nginx/iprestriction;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
    include /etc/nginx/templates/zuump.tmpl;
    include /etc/nginx/templates/php-catchall.tmpl;

    ssl_certificate /etc/letsencrypt/live/zuump.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/zuump.net/privkey.pem;
}

The configuration for the other subdomains also follow that standard.

Bruce5051 · November 16, 2022, 9:45pm

Just using lacoprofissional.zuump.net as the example,
your Authoritative DNS Name Server cannot offer an answer.

Let's Encrypt Challenges use the domain name's Authoritative DNS Name Server

$ nslookup
> lacoprofissional.zuump.net
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   lacoprofissional.zuump.net
Address: 152.67.32.77
> set q=ns
> lacoprofissional.zuump.net
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
*** Can't find lacoprofissional.zuump.net: No answer

Authoritative answers can be found from:
zuump.net
        origin = ns07.domaincontrol.com
        mail addr = dns.jomax.net
        serial = 2022111609
        refresh = 28800
        retry = 7200
        expire = 604800
        minimum = 600
> server ns07.domaincontrol.com
Default server: ns07.domaincontrol.com
Address: 97.74.103.4#53
Default server: ns07.domaincontrol.com
Address: 2603:5:2170::4#53
> lacoprofissional.zuump.net
Server:         ns07.domaincontrol.com
Address:        97.74.103.4#53

*** Can't find lacoprofissional.zuump.net: No answer
>

catharsis · November 16, 2022, 9:46pm

Your screenshot shows you have DNS records for 5 subdomains and they all appear to be working. If you want ALL POSSIBLE subdomains to resolve, you need to create a DNS entry for *

Osiris · November 16, 2022, 9:59pm

I don't see a wildcard entry.

And those seem to be working.

What exactly are you trying to achieve here?

roguitar88 · November 16, 2022, 10:08pm

Lol, my bad, guys! Osiris is right. I forgot to add the record for the wildcard thing. Thank you, guys!

Osiris · November 16, 2022, 10:28pm

system · December 16, 2022, 10:29pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.