Multiple subdomains with lets encrypt - ssl-certificate

I have an attractive message indicating me that it is unfortunately not possible to generate a certificate for multiple subdomains:
Wildcard domains are not supported: *.mynewsiteweb.com
On the other hand it would be possible to generate it one by one for each subdomain.
Is there a better solution? Thank you :)
Edit
Now Certbot supports the Wildcard since 0.22.0 version (2018-03-07)
Links
Automatic script: https://certbot.eff.org
Documentation: https://certbot.eff.org/docs
Thanks
Certbot ❤
Jahid
Ozzy Tashtepe
trojan
Jay Riley

Prior to support for wildcards I found it necessary to explicitly list each domain on a certificate in the form
… -d example.com -d www.example.com -d blog.example.com -d www.blog.example.com …
(which due to complexities in the odd mix of redirected domains I'm using worked best with the --webroot authentication).
Thanks to Trojan's explanation and documentation here:
https://certbot.eff.org/docs/install.html?highlight=wildcard
I was able to generate wildcard certs that are live now. Unfortunately there is not a plugin for EasyDNS.com yet, so I had to perform manual validation (Where Trojans example saved the day). With this approach I was able to generate a certificate in the form
… -d *.example.com -d example.com -d *.blog.example.com …
Since (for example's sake) blog.example.com was already covered by the *.example.com wildcard, I only had to add the wildcard for *.blog.example.com. In fact certbot would not allow redundancy (complained if I tried to include both *.example.com and www.example.com).
Currently available plug-ins are listed here:
https://certbot.eff.org/docs/using.html#dns-plugins
As of this writing they include these DNS providers:
certbot-dns-cloudflare
certbot-dns-cloudxns
certbot-dns-digitalocean
certbot-dns-dnsimple
certbot-dns-dnsmadeeasy
certbot-dns-google
certbot-dns-luadns
certbot-dns-nsone
certbot-dns-rfc2136
certbot-dns-route53
Perhaps I'll take a peek over the weekend and see how hard it is to write a plug-in for my own DNS provider.

it is unfortunately not possible to generate a certificate for multiple subdomains
Not true. It is possible to generate a cert for multiple sub-domains. Just include those subdomains in the configuration file by their names:
domains = example.org, www.example.org, sub.example.org, www.sub.example.org
Then run certbot with the configuration file:
certbot-auto -c config.ini
You will have to verify ownership for each domain.
See more about configuration file.

I just went through the process of generating a single Let's Encrypt certificate for multiple subdomains. There were some minor challenges that I encountered and resolved. I posted a short article in the link below explaining the leasons learned I gained when installing Let's Encrypt digital certificates on my Apache web server which provides HTTP and HTTPS access to multiple subdomains.
My most important "lesson learned" is that you need to create a VirtualHost for the HTTP access AND a VirtualHost for each subdomain accessible via HTTPS. IMPORTANT: Each VirtualHost definition must be specified in a single configuration file. The Let's Encrypt certbot will not operate correctly if multiple VirtualHosts are defined within a single configuration file. I defined three (3) VirtualHosts in three (3) different configuration files below. The dummy.conf file serves no functional purpose within Apache (i.e., it will not cause an unnecessary 999 listening port), but it is absolutely necessary for digital certificates to be successfully generated by the Let's Encrypt certbot.
Then you can run the following command to generate the certificate:
certbot certonly -d example.com -d www.example.com
https://www.hueyise.com/index.php/letsencrypt

Wildcard domains are now supported by certbot (from ver. 0.22)
Domain will have to be validated via DNS (you will have to add _acme-challenge.yourdomain.tld TXT record to your DNS entry with random generated value)
Example:
certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d *.example.pl --manual --preferred-challenges dns-01 certonly

Lets Encrypt SSL Wildcard/multiple subdomain support will be available starting from February 27, 2018 officially.
We introduced a public test API endpoint for the ACME v2 protocol and
wildcard support on January 4, 2018. ACME v2 and wildcard support will
be fully available on February 27, 2018
Source: https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html

Related

Wildcard SSL certificates for multiple subdomain

I have a system with multiple clients. Each client has their own subdomain.
client1.example.com
client2.example.com
...
At the server side, all requests are redirected to *.example.com. Then my business logic reads the subdomain (like client1) and gives response to the client accordingly.
So basically, I do not configure each subdomain on the server. I just add it to my database and my code handles it properly.
I am trying to apply wildcard SSL certificates to all these subdomains. Also, I want all future clients to automatically get https.
But I don't know how to configure this. I have tried using Let's Encrypt, but no luck. The actual domain example.com gets https but not the client domains.
Any help with configuration would be really helpful.
Or, may be, this setup is just not possible. I don't know.
Please help.
P.S. example.com is just a dummy domain I am referring to.
P.P.S. I use apache2 web server on Ubuntu 16.04 x64
Well, it is possible. I now have a certificate in place for *.example.com and it works on all my arbitrary subdomains, viz.,
client1.example.com
client2.example.com
...
I followed these steps:
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x ./certbot-auto
$ sudo ./certbot-auto certonly \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual --preferred-challenges dns \
-d *.example.com
Then using the files created at /etc/letsencrypt/live/example.com/, I updated the values from my control panel (I use Vestacp)
cat /etc/letsencrypt/live/example.com/cert.pem
^ Copy contents into “SSL Certificate” field.
cat /etc/letsencrypt/live/example.com/privkey.pem
^ Copy contents into “SSL Key” field.
cat /etc/letsencrypt/live/example.com/chain.pem
^ Copy contents into “SSL CA / Intermediate” field.
Make changes according to your control panel.
Follow this article for detailed steps and explanation.

Appending extra sub-domain to currently existing Let's Encrypt SSL certificate created by Certbot

I have a domain xyz.com and I have created a Let's Encrypt SSL certificates using Cetbot for xyz.com and www.xyz.com with the following command
sudo certbot --nginx -d xyz.com -d www.xyz.com
Now if I want to add blog.xyz.com, How could I append and not to write all the sub-domains again since say if I have 100 sub-domains it would be right to list all the 100 sub-domains to add a single extra sub-domain.
So the question is:
How could I append to the currently created certificate and not to list all existing sub-domains?
I am using Nginx, Certbot and all hosted on a DigitalOcean droplet.
You can expand an existing Certbot certificate by using the --expand option.
Have a look at the documentation: https://certbot.eff.org/docs/using.html?highlight=expand
Best regards.

Update Let's Encrypt Configuration on Apache

Hi i set up Let's Encrypt within Debian.
Now it works fine when i put https://example.com but it does not work fine
when i put https://www.example.com
i used the following command ./letsencrypt-auto --apache -d example.com
instead of ./letsencrypt-auto --apache -d example.com -d www.example.com
I performed the last command but the it still not working thus what can i do to
have https://www.example.com working ?
Thanks
You have th execute the following command :
./letsencrypt-auto --apache -d example.com -d www.example.com
I just went through the process of generating a single Let's Encrypt certificate for multiple subdomains. There were some minor challenges that I encountered and resolved. I posted a short article in the link below explaining the leasons learned I gained when installing Let's Encrypt digital certificates on my Apache web server which provides HTTP and HTTPS access to multiple subdomains.
My most important "lesson learned" is that you need to create a VirtualHost for the HTTP access AND a VirtualHost for each subdomain accessible via HTTPS. IMPORTANT: Each VirtualHost definition must be specified in a single configuration file. The Let's Encrypt certbot will not operate correctly if multiple VirtualHosts are defined within a single configuration file. I defined three (3) VirtualHosts in three (3) different configuration files below. The dummy.conf file serves no functional purpose within Apache (i.e., it will not cause an unnecessary 999 listening port), but it is absolutely necessary for digital certificates to be successfully generated by the Let's Encrypt certbot.
Then you can run the following command to generate the certificate:
certbot --apache -d example.com -d www.example.com
https://www.hueyise.com/index.php/letsencrypt

Why do I get browser warnings on my new lets encrypt ssl setup?

I recently successfully installed Letsencrypt, and my site seems to work well with https. When i visit it e.g https://example.com, no errors/warnings appear. However when i visit it with https://www.example.com, (including www) in all browser I get some sort of warning, for example, in chrome:
Your connection is not private
Attackers might be trying to steal your information from
www.example.com (for example, passwords, messages, or credit cards).
NET::ERR_CERT_COMMON_NAME_INVALID
And in opera:
Opera cannot verify the identity of the server "www.example.com", due to a certificate problem. The server could be trying to trick you.
My server runs apache and https works wonderfully when not www. In /etc/letsencrypt/live/www.example.com/ I have:
cert.pem chain.pem fullchain.pem privkey.pem
Would appreciate any help and do ask if you require further detail. Hope this helps others too.
This is saying the cert is not valid for www.example.com.
Could be several reasons for this including:
You didn't specify this when creating the cert and only asked for example.com. Though weird that LetsEncrypt has put it in the www.example.com directory, suggesting you did do this right.
You made a typo in the domain name.
You included the protocol (http/https) in the domain name and/or the port (443). These should not be in the cert request and just the domain name.
You have a separate cert for example.com and www.example.com and have only one configured in Apache. Most sites use the same cert for both and have both versions valid for the domain.
Probably best to view the cert to rule out some of these. This can either be done in the browser by clicking on the green padlock when viewing https://example.com and/or running this command:
openssl x509 -in /etc/letsencrypt/live/www.example.com/cert.pem -text
You can also use the https://www.ssllabs.com/ssltest/ online tool to view your SSL setup (in fact I'd recommend to do this anyway!).
It might be late but the problem is there because you didn't mentioned www.exemple.com in the certbot setup.
to add the domain to your certificate just run this command
sudo certbot --expand -d www.camelges.com
then restart your apache server
if you are on ubuntu service apache2 restart
Reference: https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates
From their post here:
Can I get a certificate for multiple domain names (SAN certificates)?
Yes, the same certificate can apply to several different names using
the Subject Alternative Name (SAN) mechanism. The Let's Encrypt client
automatically requests certificates for multiple names when requested
to do so. The resulting certificates will be accepted by browsers for
any of the domain names listed in them.
If your common name is example.com you will need to set a SAN as www.example.com when generating the certificate request.
Adding to the points from BazzaDP, (From my own experience).
5) if you have virtual configuration files where ServerName is same but ServerAlias is different then you will be getting same err, hence you should change ServerName.
You need to generate certificate for both URL's, by example:
sudo certbot --apache -d mydomain.com,www.mydomain.com

Apache: Conditional SSLCertificateFile depending on domain?

I am running a multi-language web store accessible from differents domains, that lead to different languages.
The apache configuration is quite complex and I would like to have one single file shared with all the stores. I had this in place until I had to introduce SSL.
When it comes to apache and SSL certificates I would need to do something like:
SetEnv is_es 0<br>
SetEnvIfNoCase Host .*es is_es 1<br>
SSLCertificateFile /etc/ssl/certs/spanish.server.crt env=is_es<br>
This is aparently not possible, apache tells me:
<i>SSLCertificateFile takes one argument, SSL Server Certificate file (`/path/to/file' - PEM or DER encoded)</i>
I was wondering if there is any workaround. My goal is to avoid having different copies of the same configuration and having to propagate manually any changes I want to make.
It is hosted on a dedicated server, so I am free to do any changes to the setup.
When you are on a https connection, the Host header is inside the SSL encapsulation, so you need the full SSL handshake before you check for an hostname for your virtualhost.
You should go for SSL certificates with SAN (Subject Alternative Names), this will allow that a single certificate for multiple hostnames. (or a wildcard cert)
All the main browsers supports it already:
http://www.digicert.com/subject-alternative-name-compatibility.htm
And you can get one of this certs from the majors CAs:
http://www.digicert.com/subject-alternative-name.htm
http://www.verisign.com/ssl/buy-ssl-certificates/subject-alternative-name-certificates/index.html
http://www.thawte.com/ssl/san-uc-ssl-certificates/index.html