I have been trying to achieve wildcard SSL for my app where I need HTTPS for all the dynamic subdomain and I have been trying almost all the tuts found on the internet and almost all way is either giving redirect loop or not working. I am trying this for almost 2 days now and have totally no idea how to go forward. I tried it using certbot doing acme-challenge, DNS Cloudflare plugins but nothing worked for me. Please guide me.
Let's Encrypt supports wildcard SSL certificate only via DNS-01 challenge.
Yes. Wildcard issuance must be done via ACMEv2 using the DNS-01 challenge. See this post for more technical information.
If you use dehydrated, I can recommend cfhookbash, which is a hook for dehydrated.
./dehydrated -c -d *.example.com -t dns-01 -k '${PATH_WHERE_YOU_CLONED_CFHOOKBASH}/cfhookbash/hook.sh'
Related
Im using hostgator as my host.They do not provide free ssl certificate.So im using cloudflare free ssl certificate for my site.SSL certificate working everywhere except Cpanel.
I tried manually adding ssl through cpanel option.But not really working!Is there any way i can add it there?
Or it will be really good if my cpnael url cpanel.site.com won't just show up to that address.
If you want to use the CloudFlare SSL certificate then there is no need to add that SSL certificate to yoru cpanel nor to your site. Read the cloudflare documentation in order to see how to create and use Page Rules and their SSL certificate. cPanel has nothing to do with it. CF works just fine with cPanel/WHM and pretty much with any other related hosting panel. Your site can be http only in cPnel and then you do the HTTPS redirection from Clouflare using their Flexible SSL and page rules
cpanel.yourdomain.com ssl is related to server side. If your host allow autossl with Let's Encrypt (for example) then it will install ssl for all your necessary subdomains like webmail, cpanel, mail, www etc. If you are installing ssl manually, then you cannot install it for cpanel subdomain. However if you want to use cpanel securely and have enabled ssl with yourdomain.com the you can use it:
https://yourdomain.com:2083
I have an attractive message indicating me that it is unfortunately not possible to generate a certificate for multiple subdomains:
Wildcard domains are not supported: *.mynewsiteweb.com
On the other hand it would be possible to generate it one by one for each subdomain.
Is there a better solution? Thank you :)
Edit
Now Certbot supports the Wildcard since 0.22.0 version (2018-03-07)
Links
Automatic script: https://certbot.eff.org
Documentation: https://certbot.eff.org/docs
Thanks
Certbot ❤
Jahid
Ozzy Tashtepe
trojan
Jay Riley
Prior to support for wildcards I found it necessary to explicitly list each domain on a certificate in the form
… -d example.com -d www.example.com -d blog.example.com -d www.blog.example.com …
(which due to complexities in the odd mix of redirected domains I'm using worked best with the --webroot authentication).
Thanks to Trojan's explanation and documentation here:
https://certbot.eff.org/docs/install.html?highlight=wildcard
I was able to generate wildcard certs that are live now. Unfortunately there is not a plugin for EasyDNS.com yet, so I had to perform manual validation (Where Trojans example saved the day). With this approach I was able to generate a certificate in the form
… -d *.example.com -d example.com -d *.blog.example.com …
Since (for example's sake) blog.example.com was already covered by the *.example.com wildcard, I only had to add the wildcard for *.blog.example.com. In fact certbot would not allow redundancy (complained if I tried to include both *.example.com and www.example.com).
Currently available plug-ins are listed here:
https://certbot.eff.org/docs/using.html#dns-plugins
As of this writing they include these DNS providers:
certbot-dns-cloudflare
certbot-dns-cloudxns
certbot-dns-digitalocean
certbot-dns-dnsimple
certbot-dns-dnsmadeeasy
certbot-dns-google
certbot-dns-luadns
certbot-dns-nsone
certbot-dns-rfc2136
certbot-dns-route53
Perhaps I'll take a peek over the weekend and see how hard it is to write a plug-in for my own DNS provider.
it is unfortunately not possible to generate a certificate for multiple subdomains
Not true. It is possible to generate a cert for multiple sub-domains. Just include those subdomains in the configuration file by their names:
domains = example.org, www.example.org, sub.example.org, www.sub.example.org
Then run certbot with the configuration file:
certbot-auto -c config.ini
You will have to verify ownership for each domain.
See more about configuration file.
I just went through the process of generating a single Let's Encrypt certificate for multiple subdomains. There were some minor challenges that I encountered and resolved. I posted a short article in the link below explaining the leasons learned I gained when installing Let's Encrypt digital certificates on my Apache web server which provides HTTP and HTTPS access to multiple subdomains.
My most important "lesson learned" is that you need to create a VirtualHost for the HTTP access AND a VirtualHost for each subdomain accessible via HTTPS. IMPORTANT: Each VirtualHost definition must be specified in a single configuration file. The Let's Encrypt certbot will not operate correctly if multiple VirtualHosts are defined within a single configuration file. I defined three (3) VirtualHosts in three (3) different configuration files below. The dummy.conf file serves no functional purpose within Apache (i.e., it will not cause an unnecessary 999 listening port), but it is absolutely necessary for digital certificates to be successfully generated by the Let's Encrypt certbot.
Then you can run the following command to generate the certificate:
certbot certonly -d example.com -d www.example.com
https://www.hueyise.com/index.php/letsencrypt
Wildcard domains are now supported by certbot (from ver. 0.22)
Domain will have to be validated via DNS (you will have to add _acme-challenge.yourdomain.tld TXT record to your DNS entry with random generated value)
Example:
certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d *.example.pl --manual --preferred-challenges dns-01 certonly
Lets Encrypt SSL Wildcard/multiple subdomain support will be available starting from February 27, 2018 officially.
We introduced a public test API endpoint for the ACME v2 protocol and
wildcard support on January 4, 2018. ACME v2 and wildcard support will
be fully available on February 27, 2018
Source: https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html
I recently successfully installed Letsencrypt, and my site seems to work well with https. When i visit it e.g https://example.com, no errors/warnings appear. However when i visit it with https://www.example.com, (including www) in all browser I get some sort of warning, for example, in chrome:
Your connection is not private
Attackers might be trying to steal your information from
www.example.com (for example, passwords, messages, or credit cards).
NET::ERR_CERT_COMMON_NAME_INVALID
And in opera:
Opera cannot verify the identity of the server "www.example.com", due to a certificate problem. The server could be trying to trick you.
My server runs apache and https works wonderfully when not www. In /etc/letsencrypt/live/www.example.com/ I have:
cert.pem chain.pem fullchain.pem privkey.pem
Would appreciate any help and do ask if you require further detail. Hope this helps others too.
This is saying the cert is not valid for www.example.com.
Could be several reasons for this including:
You didn't specify this when creating the cert and only asked for example.com. Though weird that LetsEncrypt has put it in the www.example.com directory, suggesting you did do this right.
You made a typo in the domain name.
You included the protocol (http/https) in the domain name and/or the port (443). These should not be in the cert request and just the domain name.
You have a separate cert for example.com and www.example.com and have only one configured in Apache. Most sites use the same cert for both and have both versions valid for the domain.
Probably best to view the cert to rule out some of these. This can either be done in the browser by clicking on the green padlock when viewing https://example.com and/or running this command:
openssl x509 -in /etc/letsencrypt/live/www.example.com/cert.pem -text
You can also use the https://www.ssllabs.com/ssltest/ online tool to view your SSL setup (in fact I'd recommend to do this anyway!).
It might be late but the problem is there because you didn't mentioned www.exemple.com in the certbot setup.
to add the domain to your certificate just run this command
sudo certbot --expand -d www.camelges.com
then restart your apache server
if you are on ubuntu service apache2 restart
Reference: https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates
From their post here:
Can I get a certificate for multiple domain names (SAN certificates)?
Yes, the same certificate can apply to several different names using
the Subject Alternative Name (SAN) mechanism. The Let's Encrypt client
automatically requests certificates for multiple names when requested
to do so. The resulting certificates will be accepted by browsers for
any of the domain names listed in them.
If your common name is example.com you will need to set a SAN as www.example.com when generating the certificate request.
Adding to the points from BazzaDP, (From my own experience).
5) if you have virtual configuration files where ServerName is same but ServerAlias is different then you will be getting same err, hence you should change ServerName.
You need to generate certificate for both URL's, by example:
sudo certbot --apache -d mydomain.com,www.mydomain.com
Recently I discover letsencrypt which is awesome project, and it basically allows you to get ssl certificate for free.
I manage to setup my server and domain with their certificate, everything work great and my site showed the https in green which was great.
Then I connected this domain to cloudflare, which is another great solution, for many web problems.
Once my name servers were changed to cloudflare name servers the https stopped working.
:(
I am not really sure what is the root of that issue, but I manage to fixed it with a little bit of luck, so decided to write here the problem and the solution who worked for me in case other will encounter this issue in the future.
On cloudflare
https://www.cloudflare.com/a/crypto/yourdomain
default settings for ssl is full, once I changed it to
strict https start working again like charm.
2 days after I had the same issue, I changed it back to full from strict and then it worked again so I am confused and not sure if my answer here is good.
you need to use certbot when you're already using cloudflare.
check this link
So before you run the certbot command try this first export LC_ALL="C"
Then if you're on apache change the command to this
./certbot-auto certonly --webroot --webroot-path /var/www/html/ --renew-by-default --email email#host.tld --text --agree-tos -d example.tld -d www.example.tld
/var/www/html/ = where your webroot path for the domain is located.
I hope this helps..
I've faced the same issue that CloudFlare said there is a 526 error.
I could solve it by adding
SSLCertificateChainFile "/etc/letsencrypt/live/DOMAIN/chain.pem"
to the apache hosts config, since Apache < 2.4.8 needs the chain (see http://letsencrypt.readthedocs.org/en/latest/using.html)
I am currently running nginx and have an ssl certification that is only on my domain and no sub domains. I do however have some sub-domains I like to use on the non-ssl so I want to keep my wildcard subdomains.
I was wondering if there was a way to make all ssl subdomains die and not resolve to anything. I would make them redirect but because of my ssl certification, the scary error message pops up before the server redirect them. I would rather have the page come up as nothing.
THanks
Because of how SSL works, you will always have a "scary error message" if someone comes to https://sub.domain.com/ and your SSL certificate doesn't list sub.domain.com as one of its canonical names.
The only ways around this are:
old good "Dedicated IP+Dedicated certificate" for every subdomain you host in SSL
Wildcard certificate
Web server with SNI support in SSL and per subdomain certificates
A certificate with SAN propogated with all your subdomains
Which one to choose depends on your budget and how many browser/OS combinations you have to support.
I hope it answers your question, feel free to clarify it if not.