wmnnd / nginx-certbot

Boilerplate configuration for nginx and certbot with docker-compose

Problems creating certificates with subdomains

hfuentes87 opened this issue · comments

Hello, I am trying to generate a certificate for an instant messaging system in Ubuntu Server 20.04, so I need the certificate to contain subdomains.

I added the subdomains in the init-letsencrypt.sh file:

domains=(simidea.com.ar chat.simidea.com.ar irc.simidea.com.ar mail.simidea.com.ar munim.simidea.com.ar proxy.simidea.com.ar transport.simidea.com.ar upload.simidea.com.ar webchat.simidea.com.ar webmail.simidea.com.ar www.simidea.com.ar)

And in the app.conf file, in the lines:

server {
    listen 80;
    server_name simidea.com.ar, chat.simidea.com.ar, irc.simidea.com.ar, mail.simidea.com.ar, munim.simidea.com.ar, proxy.simidea.com.ar, transport.simidea.com.ar, upload.simidea.com.ar, webchat.simidea.com.ar, webmail.simidea.com.ar, www.simidea.com.ar;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    server_name simidea.com.ar, chat.simidea.com.ar, irc.simidea.com.ar, mail.simidea.com.ar, munim.simidea.com.ar, proxy.simidea.com.ar, transport.simidea.com.ar, upload.simidea.com.ar, webchat.simidea.com.ar, webmail.simidea.com.ar, www.simidea.com.ar;
    server_tokens off;
    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    location / {
        proxy_pass  http://simidea.com.ar,http://chat.simidea.com.ar, http://irc.simidea.com.ar, http://mail.simidea.com.ar, http://munim.simidea.com.ar, http://proxy.simidea.com.ar, http://transport.simidea.com.ar, http://upload.simidea.com.ar, http://webchat.simidea.com.ar, http://webmail.simidea.com.ar, http://www.simidea.com.ar;
        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    }
}

When I run the init-letsencrypt.sh script I get the following error on each of the subdomains:

### Requesting Let's Encrypt certificate for simidea.com.ar ...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for simidea.com.ar and 10 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: chat.simidea.com.ar
  Type:   connection
  Detail: Fetching http://chat.simidea.com.ar/.well-known/acme-challenge/okLh0IXNPKKyRBxN2ALGkU9htihXkUCDs_qYVrIDiVI: Timeout during connect (likely firewall problem)

If I remove the subdomains the certificate is generated but only for the main domain. Any idea what is causing the problem? Thank you
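A preflight script in the spirit of this report, added here as an example and not part of wmnnd/nginx-certbot: before init-letsencrypt.sh asks the CA for a certificate, it checks that each name resolves to this host's public address and that the ACME webroot answers on plain HTTP for that name, which is what a "Timeout during connect" on a subdomain while the apex validates normally points to. Assumptions: dig and curl are installed, api.ipify.org is used to learn the public IP, and ./data/certbot/www is the host directory the compose file mounts at /var/www/certbot.

```shell
#!/bin/sh
# Preflight for init-letsencrypt.sh: check that every name in the domains list
# resolves to this host and serves the ACME webroot on port 80 *before* certbot
# is asked for the certificate. Names failing here are the ones the CA reports
# as "Timeout during connect (likely firewall problem)".
set -u
domains="simidea.com.ar chat.simidea.com.ar www.simidea.com.ar"  # mirror the domains=( ... ) array
webroot=${WEBROOT:-./data/certbot/www}  # assumed host dir mounted at /var/www/certbot

public_ip() { curl -4 -fsS --max-time 5 https://api.ipify.org; }   # this host as the CA sees it (assumed service)
resolve_a() { dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'; }   # A records, one per line
# dns_ok NAME IP: 0 if NAME resolves to IP, 1 if it resolves elsewhere, 2 if it has no A record.
dns_ok() {
  recs=$(resolve_a "$1") || true
  [ -n "$recs" ] || return 2
  printf '%s\n' "$recs" | grep -qxF "$2"
}
# challenge_ok NAME: drop a probe token into the webroot and fetch it over plain HTTP
# exactly as the CA does for HTTP-01; 0 only if the same token comes back.
challenge_ok() {
  token="preflight-$(date +%s)-$$"
  mkdir -p "$webroot/.well-known/acme-challenge"
  printf '%s' "$token" > "$webroot/.well-known/acme-challenge/$token"
  body=$(curl -fsS --max-time 10 "http://$1/.well-known/acme-challenge/$token") || body=
  rm -f "$webroot/.well-known/acme-challenge/$token"
  [ "$body" = "$token" ]
}
# classify_detail "Detail: ..." -> which layer to fix, from the wording certbot prints.
classify_detail() {
  case $1 in
    *"Timeout during connect"*)            echo dns-or-firewall ;;        # nothing answered on :80
    *"No valid IP addresses"*|*NXDOMAIN*)  echo no-dns-record ;;
    *"Invalid response"*)                  echo webroot-or-server_name ;; # nginx answered, wrong content
    *)                                     echo unknown ;;
  esac
}
preflight() {
  ip=$(public_ip) || { echo "cannot determine public IP"; return 1; }
  fail=0
  for d in $domains; do
    rc=0; dns_ok "$d" "$ip" || rc=$?
    case $rc in
      0) challenge_ok "$d" && echo "ok   $d" || { echo "FAIL $d: port 80 not reachable on this name"; fail=1; } ;;
      2) echo "FAIL $d: no A record, add it before running certbot"; fail=1 ;;
      *) echo "FAIL $d: A record does not point at $ip"; fail=1 ;;
    esac
  done
  return $fail
}
[ "${1:-}" = run ] && preflight   # usage: sh preflight.sh run
```

Run it from the repository root (where data/certbot/www lives) on the host that will receive the challenge; every name must print ok before init-letsencrypt.sh is worth running.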

I think I am also facing the same issue; with main domains it's working fine, but for the subdomains it isn't working.

commented

Hi, I have the same problem. Have you found any solution?

commented

Same issue

chown -R www-data:www-data "$data_path/conf/live" and rerun init-letsencrypt.sh

commented

@pikhovkin What is this comment talking about? There is no directory like that here.

@kevin192291 My comment suggests that this non-obvious issue might be related to permissions. Just try to set permissions on your configs.

Did you find any solution? thanks.

I'm facing this issue too. It seems to be a potential change in perhaps how nginx does stuff? I'm not sure. I'll update here in a bit. For now though, in theory, reverting the change 94c73db should (I think?) fix the issue. This will however create multiple certificates instead of one.

Edit: Turns out it works normally, but you can't set the environment list env variable using

set -o allexport
source .env
set +o allexport

Second Edit: @hfuentes87, I noticed you still have example.org in your app.conf file under the second server block. It should be the first domain's name.