This question already has an answer here:
wildcard certificate does not work for sub-domain
(1 answer)
Closed 3 years ago.
I've set up a development server where I need to test a large number of LAMP sites. Their domain names are in a format such as:
https://webapp1.test.example.com
https://anotherwebapp.test.example.com
https://anotherclientssite.test.example.com
I want to get SSL certificates for them. Since getting a certificate for each of them is a hassle, I decided to use Let's Encrypt and certbot to get a wildcard SSL certificate for *.example.com...
...but now, after installing the certificates, I still can't get the browsers to trust them; they still display a warning about how the certificate can't be trusted. In Firefox's case, the error is "SSL_ERROR_BAD_CERT_DOMAIN", and it says that "This certificate is not valid for webapp1.test.example.com. The certificate is valid only for the following domains: *.example.com, example.com".
The command I used to generate the certificate was:
certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok -d '*.example.com' -d example.com
How can I generate a wildcard certificate that is trusted by default by all browsers?
Yes, but wildcards don't quite work like that. *.example.com will match foo.example.com and bar.example.com but not foo.bar.example.com.
Because multiple wildcards aren't allowed, you can't work around this by using *.*.example.com. You can, however, add *.test.example.com, along with any other subdomains you're testing, i.e.:
certbot certonly ... -d '*.test.example.com' -d '*.example.com' -d example.com
Related
I have already successfully installed certbot and have a working digital certificate. I was wondering how do I go about adding domain names to the certificate or do I need to recreate the certificate again?
I don't want to mess up the existing certificate. I haven't tried running this code yet I want to verify the process before I continue. I tried searching this and Google and my results were kind of confusing.
sudo certbot –apache -d mydomain.xyz -d mydomain2.xyz -d www.mydomain.xyz
SSL certificates cannot be modified once issued. They can be replaced with new certificates.
If you run the identical or modified certbot command, your existing certificate will not be modified or deleted. The certbot command will create a new certificate and store the certificate under a different name. Certbot stores certificates and additional files under the directory tree /etc/letsencrypt. You can archive/backup those files. Look at the archive and live folders.
Typically, your webserver will use symbolic links to point to the Let's Encrypt folder instead of copying the certificate to an Apache/Nginx folder.
My website keeps getting "NET::ERR_CERT_DATE_INVALID" error.
I have renewed the certificate using:
sudo certbot certonly --webroot -w /var/www/html -d startuplab.io
and have restarted nginx.
It used to work fine before, my other websites work fine as well.
How do I figure out what went wrong?
Edit:
This tool shows me that certificate expired 21 days ago.
Letsencrypt tells me:
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/startuplab.io-0001/fullchain.pem. Your cert
will expire on 2019-05-22. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew all of your certificates, run "certbot
renew"
Edit 2:
Aha! My ssl-startuplab.io.conf snippet points to
ssl_certificate /etc/letsencrypt/live/startuplab.io/fullchain.pem;
but certbot has put it into
ssl_certificate /etc/letsencrypt/live/startuplab.io-0001/fullchain.pem;
Does anybody know why this happens? What should I do to fix this and avoid it in the future?
Edit 3:
Just renaming the startuplab.io-0001 folder into startuplab.io fixed the issue. But why did this happen to begin with? How do I make sure it never happens again? I'd appreciate any advice!
For your edit 3, from https://certbot.eff.org/docs/using.html#renewing-certificates emphasis added:
An alternative form that provides for more fine-grained control over the renewal process (while renewing specified certificates one at a time), is certbot certonly with the complete set of subject domains of a specific certificate specified via -d flags. ...
All of the domains covered by the certificate must be specified in this case in order to renew and replace the old certificate rather than obtaining a new one; don’t forget any www. domains! Specifying a subset of the domains creates a new, separate certificate containing only those domains, rather than replacing the original certificate. When run with a set of domains corresponding to an existing certificate, the certonly command attempts to renew that specific certificate.
Your old cert was for startuplab.io AND webacademy.io -- not only the former.
I followed the excellent write up how-do-you-sign-certificate-signing-request-with-your-certification-authority to create my own self-signed cert. I set the SAN for *.pro and *.pro.example.com
If I hit the web02.pro.example.com all works fine.
When I hit web02.pro it doesn't work:
curl --cacert cacert.pem https://web02.pro/version.html
curl: (51) SSL: no alternative certificate subject name matches target host name 'web02.pro'
web02.pro and web02.pro.example.com both resolve to the same machine, and that machine is set up to answer to both names.
The cert I generated shows:
X509v3 Subject Alternative Name:
DNS:*.pro, DNS:*.pro.example.com
Is there anything limit to using a not read TLD for a self-signed cert?
Many clients not only check that the hostname against all names in the certificate, but also only allow wildcards which are not too permissive. This means that wildcards like *.pro.example.com or *.example.com are considered valid while wildcards which only specify the top-level domain like *.pro are considered invalid and will not be included in the validation process.
This reason for this is that below a top-level domain you will usually find lots of domains with different owners. A wildcard certificate for *.pro would thus include domains from different owners which should better not be possible.
I've got approximately 9 web servers running Ubuntu 12.04 with openssl.
all have the same primary domain of whatever.com , Although some are sub.whatever.com and others are sub.sub.whatever.com
Is there a type of SSL Certificate which can be used on all domains / sub domains ?
So I could install it on sub.sub.sub.sub.whatever.com if I wanted to?
Wildcard SSL only works on subdomain.domain.com and you can just add sub.sub.sub.domain.com as SANs to this certificate. Right now I'm using https://www.globalsign.com/ssl/multi-domain-ssl/ its quite expensive but its worth it.
I followed the instructions to the letter here -- https://devcenter.heroku.com/articles/ssl-certificate --, and they were helpful, especially since DNSimple is my registrar of choice. I got everything up and running as far as I know, purchased the certs (via DNSimple and RapidSSL), combined the crt and the CA bundle, and sent them up via the heroku client:
$ heroku ssl
www.website.com has a SSL certificate registered to /serialNumber=…
website.com has a SSL certificate registered to /serialNumber=…
But when I go to my apps (I even restarted them) they are still using the certs for *.herokuapp.com. Is there anything I've missed? Why would things be coming up as *.herokuapp.com?
From the top, here are the pieces provided to me from the related parties.
From DNSimple (on the cert details page) : Private Key
From DNSimple (on the cert details page) : Certificate
From RapidSSL's CA Download page (linked from DNSimple) : CA bundle "pem"
From email sent by RapidSSL / Geotrust : Web Server CERTIFICATE
From email sent by RapidSSL / Geotrust : INTERMEDIATE CA
I imagine that the "private key" is what I need in the second part of the heroku ssl:add dance: heroku ssl:add site.pem private.key
But it seems that I'm doing something wrong when I'm putting together the "pem" file for the first file I'm sending with heroku ssl:add. Of the pieces above - what needs to be combined in order for this to work?
I know this question is old, but I just hit the same problem and found the answer, at least in my case.
I had my DNS pointing to my-app.herokapp.com but the SSL endpoint is different. You can find the SSL endpoint like this:
$ heroku certs
Endpoint Common Name(s) Expires Trusted
------------------------ ---------------------------- -------------------- -------
osaka-5565.herokussl.com www.example.com, example.com 2014-05-18 09:32 UTC True
Your endpoint will be different from that. Once you change your CNAME and/or ALIAS records to point to the SSL endpoint, you'll get your own certificate instead of the herokuapp wildcard.
Make sure you're not viewing the naked domain name, https://yourwebsite.com is not supported with SSL on Heroku, whereas https://www.yourwebsite.com is.
If this ends up being the issue you'll have to make sure the naked domain name redirects to a subdomain like www.