Wildcard with certbot on AWS


#1

Hello,
I’m trying to create an HTTPS Wildcard certificate for all my subdomains * .booda.me

My server is hosted on Amazon web services on an “Amazon Linux AMI”.

When I run certbot with this command:
letsencrypt certonly --manual --preferred-challenges dns --register -d booda.me -d * .booda.me

I’m asked to create a acme-challenge “TXT” DNS that contains a string.
The certificates are validated with the confirmation message for “booda.me” and “* .booda.me”.

I also find my certificates by making “certbot certificates”:
Capture

When I validate the first DNS “TXT” I wait a few minutes for the propagation. Then I update the 2nd DNS “TXT” for the wildcard by modifying the first DNS, because AWS does not allow me to add a second “_acme-challenge.booda.me”.
But I do not think that could be a problem …

By cons when I go https://booda.me it works but none of my subdomains detect the certificate Let’s encrypt.

I do not understand where it can come from. I made several attempts by choosing “(E) xpand” to update the certificates but it does not work.

Where can it come from, I’m starting to despair …


#2

I have this error when I try to access a subdomain: https://formation.booda.me/logon.php

my httpd-le-sll.conf configuration file looks like this:

<VirtualHost *: 443>
DocumentRoot “/ var / www / html”
ServerName “booda.me
ServerAlias ​​"www.booda.me"
SSLCertificateFile /etc/letsencrypt/live/booda.me-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/booda.me-0001/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</ VirtualHost>


#3

that looks like self-signedish (but it actually isn’t) cert of ip-172-31-36-254.eu-west-3.compute.internal
it looks like what AWS use for internal things
that’s wrong cert
it looks like installation problem for me. what kind of webserver are you using? install correct cert with path in your screenshot and reload the webserver


#4

Hi @hugo121

really? Checking your domain you have now one certificate with two domain names ( https://check-your-website.server-daten.de/?q=booda.me ):

CN=booda.me
	18.02.2019
	19.05.2019
expires in 90 days	*.booda.me, booda.me - 2 entries

And you have two different TXT entries:

TXT - Entries

Domainname TXT Entry Status ∑ Queries ∑ Timeout
booda.me ok 1 0
www.booda.me ok 1 0
_acme-challenge.booda.me 2pgxU00jEXoirpPVQFh4mZhhJMbKs728UJH_HvyWjlQ looks good 1 0
_acme-challenge.booda.me tHvuWtNS655hk3qeWyrF-KNgwVEq8hbAN7GhNZ25I8g looks good 1 0

So it looks that you have solved that problem. These are correct entries.

non-www and www are working.

formation.booda.me isn’t visible. But you need a DNS entry and an explicit vHost or a vHost with a wildcard, that uses the same certificate.


#5

Thank you for your answer, because I saw that I could put two DNS TXT lines on a single _acme-challenge in AWS. So I now have only 1 certificate for booda.me and the wildcard.

DNS side I already said this:

Do you think it’s ok?

I do not see what to add or modify to make my vhost valid, currently I have this:
Do I have to create a second one especially for the wildcard but in what form?

I have this now:
<VirtualHost *: 443>
DocumentRoot “/ var / www / html”
ServerName “booda.me
ServerAlias ​​"www.booda.me"
SSLCertificateFile /etc/letsencrypt/live/booda.me/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/booda.me/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</ VirtualHost>


#7

Thanks a lot you two !!!
It finally worked by modifying the VHOST quite simply by adding a “* .booda.me” in ServerAlias!

I am happy end! Thank you for your help :slight_smile:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot "/var/www/html"
    ServerName "booda.me"
    ServerAlias "*.booda.me"
	SSLCertificateFile /etc/letsencrypt/live/booda.me/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/booda.me/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

#8

Your certificate is already ok, two domain names. So your DNS TXT entries are ok too :wink:

And yes, that’s a wildcard DNS entry.

If it is possible that all subdomains use the same vHost - yes.

Rechecked your subdomain via https://check-your-website.server-daten.de/?q=formation.booda.me

You can ignore the www - error. But you should add a redirect

port 80 / http -> https

in your port-80 - vHost, so the login is secure.

So all users use https, not http.


#9

EDIT –
I put this:
> RewriteEngine on

RewriteCond% {HTTP_HOST} ^ (. +) \. booda \ .me $
RewriteRule ^ (. *) $ Https: //%1.booda.me$1 [R = 302, L]

It seems to work for the moment!


Actually that’s what I was seeing …
I guess the safest way is to configure automatic http> h redirection in httpd.conf files (not a .htaccess).
I am trying to document myself I do not know the exact command to do it properly.


#10

Also, consider using the Route53 plugin for Certbot. It will automate the creation and removal of the DNS records for your zone in Route53 provided you have the correct IAM policies setup.

https://certbot-dns-route53.readthedocs.io/en/stable/


#11

I’m not certain you have a (perfectly) correct config…
Please show the latest output of:
certbot certificates


closed #12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.