Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
The domain name is split across two servers. The 37.187.112.11 address is to be a multi-host instance for WordPress. This instance is one where we are the admins (so, unlike the other option, which a friend used, we are in charge of security, updates, plugins, etc.), so others can use existing domain names and the server will accept them.
Can you let me know how to issue certs for both mail.phillw.org and the WP server so we can move them to https? I know you guys frown upon having sudo access to sites, but as both are test areas I am willing to have a chat via IRC on irc.freenode.net in #phillw-social, as it does make things a lot faster for support.
I ran this command: nothing run as yet
It produced this output: nothing run as yet
My web server is (include version): WordPress server: nginx/1.10.3 (Ubuntu)
Mail server: Apache/2.4.6 (CentOS)
Server built: Jun 27 2018 13:48:59
The operating system my web server runs on is (include version):
WordPress server: Linux wordpress 4.4.0-130-generic #156-Ubuntu SMP Thu Jun 14 08:53:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Mail server: CentOS Linux 7 (Core)
Linux phillw.org 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 20 20:32:50 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
My hosting provider, if applicable, is: OVH
I can login to a root shell on my machine (yes or no, or I don’t know):yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no, pure ssh
What domain name or names will point at the WordPress server? What software is running on the mail.phillw.org site, and are you also the administrator of that site?
I did state which OS and Web system is running on both machines, as well as that I am the guy who is sysadmin for both.
To remind: ssh mail.phillw.org
Last login: Thu Jul 5 19:37:38 2018 from host-92-0-120-65.as43234.net
CentOS Linux 7 (Core)
Linux phillw.org 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 20 20:32:50 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Sorry, I’m also wondering about the server applications, as in… are you planning to use the mail.phillw.org for just HTTPS or do you also have SMTP and IMAP servers there that will need to use the certificate? Or just SMTP and IMAP servers and no HTTPS at all?
For the WordPress machine, it’s just the phillw.org domain name itself and no other domain names, like names used by other users for hosted sites there?
The idea is for SMTP, IMAP, POP etc. on the mail server. For the WP instance, we (I) have chosen the multi-site option where we are in charge of any security updates. This has always been my preferred method, and I've seen what happened to a good friend when his instance that was "user upgrade security" failed and caused issues (i.e. the IPv4 address being blacklisted).
Hi, I’m involved in helping phillw set up certs for the webserver. I would like to know if the cert needs to be re-created for each new subdomain, such as example.phillw.org, or if there is a shortcut to add extra subdomains as needed?
If you know all of the subdomains in advance and they all exist in DNS, you can create the certificate with all of the subdomains by specifying them all with -d options.
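As an added illustration (not code from this thread, from certbot or from Let's Encrypt), here is a small Python check of which hostnames a certificate requested with a given list of -d names would actually cover. It goes slightly beyond the answer above by also applying the standard wildcard matching rule (RFC 6125 / CA-Browser Forum: a wildcard is the whole leftmost label and matches exactly one label), since that is the natural next question when subdomains are added over time. The sample names are the thread's own except `newteam.phillw.org`, which is an assumed future hosted site; `certbot_args` only builds the option list and does not run certbot.

```python
"""Which hostnames does a certificate issued for a given list of -d names cover?

Added illustration for this thread, not code from certbot or Let's Encrypt.
Matching rules are the standard ones (RFC 6125 / CA-Browser Forum):
  * a plain dNSName matches exactly (case-insensitive, trailing dot ignored)
  * a wildcard must be the whole leftmost label ("*.phillw.org") and matches
    exactly one label: it covers blog.phillw.org but not phillw.org itself
    and not a.blog.phillw.org
Let's Encrypt issues wildcard names only via the dns-01 challenge.
"""
from __future__ import annotations

import re

# One DNS label: letters, digits, hyphens, 1-63 chars, no leading/trailing hyphen.
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def name_matches(san: str, host: str) -> bool:
    """True if the certificate name `san` covers `host`."""
    san, host = _norm(san), _norm(host)
    if "*" not in san:
        return san == host
    if not san.startswith("*.") or "*" in san[2:]:
        return False  # "w*.phillw.org" or "*.*.phillw.org": not a valid wildcard name
    base = san[2:]
    head, _, rest = host.partition(".")
    return LABEL.fullmatch(head) is not None and rest == base


def covered(requested: list[str], hosts: list[str]) -> dict[str, str | None]:
    """Map each host to the first requested name that covers it, or None if none does."""
    return {h: next((s for s in requested if name_matches(s, h)), None) for h in hosts}


def challenge_types(requested: list[str]) -> set[str]:
    """Challenge types that can satisfy every name in the request."""
    if any(_norm(s).startswith("*.") for s in requested):
        return {"dns-01"}
    return {"http-01", "dns-01"}


def certbot_args(requested: list[str]) -> list[str]:
    """The -d options that put every name into one certificate."""
    args: list[str] = []
    for name in requested:
        args += ["-d", name]
    return args


if __name__ == "__main__":
    requested = ["phillw.org", "example.phillw.org"]
    # newteam.phillw.org is an assumed future hosted site, not a name from the thread.
    wanted = ["phillw.org", "example.phillw.org", "newteam.phillw.org", "mail.phillw.org"]
    print("certbot ...", " ".join(certbot_args(requested)))
    for host, by in covered(requested, wanted).items():
        print(f"{host:22} {'covered by ' + by if by else 'NOT covered: reissue with -d ' + host}")
    # A wildcard avoids reissuing per subdomain, but the apex must still be listed:
    print(covered(["phillw.org", "*.phillw.org"], wanted))
    print("challenge types for a wildcard:", challenge_types(["*.phillw.org"]))
```

Running it shows that a certificate for `phillw.org` and `example.phillw.org` does nothing for `newteam.phillw.org`: a new subdomain means re-running certbot with the full -d list (certbot's `--expand` keeps the existing lineage), or switching to `*.phillw.org` plus the apex name, which in turn forces the dns-01 challenge.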
The mail server will be mail.phillw.org and, as it runs CentOS 7, will need you to intervene again.
For the teams that will come over to the WordPress account, I cannot say. As I did mention, the instance of WP we are running means that we are in charge of all updates, security, etc. In this case, what is the best option for adding new domains to SSL as they are added to the server area?
If the mail server doesn’t have anything using port 80 at all, you could use certbot --standalone to get a certificate for it and there won’t be any subsequent web server configuration, only mail daemons configuration.
Is there a way to assign a wildcard to account for future subdomains not yet established? Or is it smarter to re-run the certbot program to recreate the certificate each time that new subdomains are decided upon?
You can get a wildcard if you can perform DNS challenges (creating DNS TXT records as requested by the CA). Generally you should do this by having a DNS provider API so that the Let's Encrypt client can request the DNS provider to make the requested changes. You can use a CNAME record with the _acme-challenge entry so that you can delegate the ability to satisfy the challenges to another domain which can be hosted on a completely separate DNS provider, in case your regular DNS provider doesn't offer an API (or in case you don't want to have the credentials to make DNS zone changes for your regular DNS zone stored on the machine).
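To make the DNS-challenge and CNAME-delegation advice above concrete, here is an added Python illustration (not code from this thread, from certbot or from Let's Encrypt) of what a dns-01 challenge actually requires in DNS and where the record has to live once `_acme-challenge` is delegated. It follows RFC 7638 for the account-key thumbprint and RFC 8555 section 8.4 for the TXT value. The account key, the tokens and the delegated zone `acme.example.net` are all constructed stand-ins, not real values.

```python
"""What a dns-01 challenge puts in DNS, and where, once _acme-challenge is
delegated with a CNAME.

Added illustration for this thread, not code from certbot or Let's Encrypt.
Computation follows RFC 7638 (JWK thumbprint) and RFC 8555 section 8.4
(dns-01); the key, tokens and DNS names below are constructed.
"""
from __future__ import annotations

import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required JWK members only, keys sorted, no whitespace.

    Extra members such as "kid" are ignored, so one account key always gives
    the same thumbprint regardless of how the JWK was serialised.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT data = base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(identifier: str) -> str:
    """The CA queries _acme-challenge.<identifier>; a wildcard's "*." is dropped.

    So "*.phillw.org" and "phillw.org" are both validated at
    _acme-challenge.phillw.org, and a certificate covering both needs two TXT
    records published at that name at the same time.
    """
    return "_acme-challenge." + identifier.lower().rstrip(".").removeprefix("*.")


def txt_record_owner(identifier: str, cnames: dict[str, str]) -> str:
    """Follow CNAMEs as the CA's resolver will, to find the name at which the
    TXT record must really be published (the delegated zone, if there is one)."""
    name = challenge_name(identifier)
    seen: set[str] = set()
    while name in cnames:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = cnames[name].lower().rstrip(".")
    return name


# Constructed sample: the main phillw.org zone delegates only the challenge name
# to a zone "acme.example.net" (hypothetical) at a provider with an API, so the
# API credentials never touch the main zone.  mail.phillw.org has no CNAME, so
# its TXT record has to go into the main zone.
SAMPLE_CNAMES = {"_acme-challenge.phillw.org": "phillw.org.acme.example.net"}
# Constructed account key: "n" is a short placeholder string, not a real modulus.
SAMPLE_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "c29tZS1jb25zdHJ1Y3RlZC1tb2R1bHVz", "kid": "acct-1"}


def records_to_publish(identifiers: list[str], token_by_identifier: dict[str, str]) -> list[tuple[str, str]]:
    """(owner name, TXT value) pairs that must exist before asking the CA to validate."""
    thumb = jwk_thumbprint(SAMPLE_ACCOUNT_JWK)
    return [(txt_record_owner(i, SAMPLE_CNAMES), dns01_txt_value(token_by_identifier[i], thumb))
            for i in identifiers]


if __name__ == "__main__":
    tokens = {"phillw.org": "tokenA", "*.phillw.org": "tokenB", "mail.phillw.org": "tokenC"}  # constructed
    for owner, value in records_to_publish(list(tokens), tokens):
        print(f'{owner}. IN TXT "{value}"')
```

The output makes two points that bite in practice: the apex and the wildcard land on the same owner name, so a DNS API integration must add a second TXT record rather than overwrite the first, and a name without a CNAME still needs write access to the main zone, so delegation has to be set up for every name you intend to validate this way.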