My domain is: calculator.360-biz.com
My web server is (include version): Apache HTTPD 2.4.66-8
The operating system my web server runs on is (include version): RHEL 7.6
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I ran this command: sudo certbot certonly --manual --preferred-challenges dns-01 -d calculator.360-biz.com
and successfully obtained a cert, but once set up in my Apache server, Chrome reports an incorrect subjectAlternativeName, which is true. The certificate was issued for the root domain (360-biz.com), and not the subdomain.
I’m managing the DNS with GoDaddy and I suppose the error might be here. In order for the challenge to work, I had to shorten the TXT values to “_acme-challenge.calculator” and <certbot_value> instead of the full domain, otherwise it was failing.
This wouldn’t be painful except that the http-01 challenge is also not working. Any ideas?
I manually created the entry in /etc/httpd/conf/httpd-le-ssl.conf as follows:
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName calculator.360-biz.com
        DocumentRoot /var/www/html/calculator
        DirectoryIndex index.php
        CustomLog logs/calc-access_log common
        ErrorLog logs/calc-error_log
        <Directory "/var/www/html/calculator">
            AllowOverride All
            Require all granted
            Options -Indexes
        </Directory>
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/calculator.360-biz.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/calculator.360-biz.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/calculator.360-biz.com/chain.pem
    </VirtualHost>
</IfModule>
So it would appear that I am indeed using the correct certificate. Is there something that could be caching this bad cert? I restarted httpd just in case.
Ah. I spotted my error. Certbot always generates the virtual host as
<VirtualHost 172.24.16.158:443>
whereas I was using the wildcard *. Is this always the case?
My site is fine now from Chrome. Hopefully I’ll be able to renew with the tls-sni-01 challenge later, otherwise I’ll be stuck renewing manually. Can I test the renewal mechanism even when not near expiration?
Certbot doesn't always use one or the other - it uses whichever it thinks you're already using.
I remember there used to be a bug where it could guess wrong if you had a mix of *'s and IP addresses, and I don't know if that's been fixed yet. Do you have something like that in your Apache config?
You won't. The TLS-SNI-01 challenge is being removed soon (it's been deprecated for some time because of a security issue).
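The mismatch between the `*:443` vhost and certbot's `172.24.16.158:443` vhost discussed above comes from how httpd selects a <VirtualHost>: it first narrows to the vhosts whose address is the most specific match for the connection's IP and port (a literal IP beats `*`), and only then compares the SNI/Host name against ServerName, falling back to the first vhost in that set. The following model of that selection is an added illustration, not code from the thread or from Apache; the vhost list and certificate SANs are constructed to mirror the thread, and ServerAlias and wildcard names are deliberately left out.

```python
from dataclasses import dataclass


@dataclass
class VHost:
    address: str         # "*" or a literal IP, as written in <VirtualHost addr:port>
    port: int
    server_name: str     # ServerName directive (ServerAlias not modelled)
    cert_sans: list      # subjectAltName entries of the cert this vhost serves


def select_vhost(vhosts, conn_ip, conn_port, sni_name):
    """Pick the vhost httpd would use for a connection to conn_ip:conn_port
    whose TLS ClientHello carries sni_name (simplified model of httpd's rules)."""
    candidates = [v for v in vhosts if v.port == conn_port]
    # A vhost bound to the connection's literal IP is the most specific match;
    # when one exists, wildcard (*) vhosts on that port are never considered.
    exact = [v for v in candidates if v.address == conn_ip]
    candidates = exact if exact else [v for v in candidates if v.address == "*"]
    if not candidates:
        return None
    # Name-based matching happens only inside the chosen address set;
    # with no ServerName match, the first vhost in the set is the default.
    for v in candidates:
        if v.server_name.lower() == sni_name.lower():
            return v
    return candidates[0]


def served_cert_matches(vhost, hostname):
    """True if the cert the selected vhost serves lists hostname in its SANs."""
    return hostname.lower() in (s.lower() for s in vhost.cert_sans)


def diagnose(vhosts, conn_ip, hostname):
    """Return (ServerName of the vhost actually served, whether its SAN covers hostname)."""
    v = select_vhost(vhosts, conn_ip, 443, hostname)
    return v.server_name, served_cert_matches(v, hostname)


# Constructed config mirroring the thread: certbot's IP-bound vhost for the apex
# next to the hand-written wildcard vhost for the subdomain.
BROKEN = [
    VHost("172.24.16.158", 443, "360-biz.com", ["360-biz.com"]),
    VHost("*", 443, "calculator.360-biz.com", ["calculator.360-biz.com"]),
]
# Same thing after the subdomain vhost is bound to the literal IP as well.
FIXED = [
    BROKEN[0],
    VHost("172.24.16.158", 443, "calculator.360-biz.com", ["calculator.360-biz.com"]),
]
```

With BROKEN, a request for calculator.360-biz.com lands on the apex vhost and Chrome sees the apex cert; with FIXED, name-based matching reaches the subdomain vhost.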