
Problems creating certificates with subdomains #118

Open
hfuentes87 opened this issue Sep 27, 2021 · 8 comments

Comments

hfuentes87 commented Sep 27, 2021

Hello, I am trying to generate a certificate for an instant messaging system in Ubuntu Server 20.04, so I need the certificate to contain subdomains.

I added the subdomains in the init-letsencrypt.sh file:

domains=(simidea.com.ar chat.simidea.com.ar irc.simidea.com.ar mail.simidea.com.ar munim.simidea.com.ar proxy.simidea.com.ar transport.simidea.com.ar upload.simidea.com.ar webchat.simidea.com.ar webmail.simidea.com.ar www.simidea.com.ar)

And in the app.conf file, in the lines:

server {
    listen 80;
    server_name simidea.com.ar, chat.simidea.com.ar, irc.simidea.com.ar, mail.simidea.com.ar, munim.simidea.com.ar, proxy.simidea.com.ar, transport.simidea.com.ar, upload.simidea.com.ar, webchat.simidea.com.ar, webmail.simidea.com.ar, www.simidea.com.ar;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    server_name simidea.com.ar, chat.simidea.com.ar, irc.simidea.com.ar, mail.simidea.com.ar, munim.simidea.com.ar, proxy.simidea.com.ar, transport.simidea.com.ar, upload.simidea.com.ar, webchat.simidea.com.ar, webmail.simidea.com.ar, www.simidea.com.ar;
    server_tokens off;
    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    location / {
        proxy_pass  http://simidea.com.ar,http://chat.simidea.com.ar, http://irc.simidea.com.ar, http://mail.simidea.com.ar, http://munim.simidea.com.ar, http://proxy.simidea.com.ar, http://transport.simidea.com.ar, http://upload.simidea.com.ar, http://webchat.simidea.com.ar, http://webmail.simidea.com.ar, http://www.simidea.com.ar;
        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    }
}

When I run the init-letsencrypt.sh script I get the following error on each of the subdomains:

### Requesting Let's Encrypt certificate for simidea.com.ar ...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for simidea.com.ar and 10 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: chat.simidea.com.ar
  Type:   connection
  Detail: Fetching http://chat.simidea.com.ar/.well-known/acme-challenge/okLh0IXNPKKyRBxN2ALGkU9htihXkUCDs_qYVrIDiVI:     Timeout during connect (likely firewall problem)

If I remove the subdomains the certificate is generated but only for the main domain. Any idea what is causing the problem? Thank you

@bashiru98

I think I am also facing the same issue. With main domains it's working fine, but for the subdomains it isn't working.

JR1b commented Oct 29, 2021

Hi, I have the same problem. Have you found any solution?

@DmitryKvant

Same issue

pikhovkin commented Nov 29, 2021

chown -R www-data:www-data "$data_path/conf/live" and rerun init-letsencrypt.sh

@kevin192291

@pikhovkin What is this comment talking about? There is no directory like that here.

@pikhovkin

@kevin192291 My comment suggests that this non-obvious issue might be related to permissions. Just try setting permissions on your configs.

@fabiobeoni

> Hello, I am trying to generate a certificate for an instant messaging system in Ubuntu Server 20.04, so I need the certificate to contain subdomains.
> […]
> If I remove the subdomains the certificate is generated but only for the main domain. Any idea what is causing the problem? Thank you

Did you find any solution? thanks.

hackrmomo commented Sep 11, 2022

I'm facing this issue too. It seems to be a potential change in perhaps how nginx does stuff? I'm not sure. I'll update here in a bit. For now though, in theory, reverting the change 94c73db should (I think?) fix the issue. This will however create multiple certificates instead of one.

Edit: Turns out it works normally, but you can't set the env-list environment variables using

set -o allexport
source .env
set +o allexport

Second Edit: @hfuentes87, I noticed you still have example.org in your app.conf file under the second server block. It should be the first domain's name.
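The opening report describes the webroot flow (names listed in `domains=(...)`, one nginx server block on port 80 serving `/var/www/certbot` under `/.well-known/acme-challenge/`) and gets `Timeout during connect` for every name but the first; hackrmomo's last comment adds that the `ssl_certificate` path has to use the first domain's lineage. The pre-flight script below is an added example written for this thread; it is not the project's `init-letsencrypt.sh`, not nginx, and not code from any participant. It does two things before certbot is ever run: it lints a server config for the mistakes that break multi-name HTTP-01 validation (nginx's `server_name` is space-separated, so a comma becomes part of the name; `proxy_pass` takes exactly one URL; certbot names the lineage after the first `-d` domain, so a leftover `/live/example.org/` path is wrong), and it reproduces the CA's fetch of `http://<name>/.well-known/acme-challenge/<token>` for every name so that a timeout is visible locally. The paths `/var/www/certbot` and `/etc/letsencrypt/live` are assumptions taken from the posted config; `FETCH` is a hook of this example so the HTTP step can be stubbed out in tests.

```shell
#!/usr/bin/env bash
# acme_preflight.sh: pre-flight checks to run before init-letsencrypt.sh when a
# certificate should cover several names. Added example; not part of the script
# or of nginx. Paths (/var/www/certbot, /etc/letsencrypt/live) are assumptions
# taken from the config posted in the thread.
set -eu

# 1. Lint an nginx server config for three things that break the HTTP-01
#    webroot flow for the extra names:
#    - server_name is space-separated; with commas nginx stores the literal
#      name "chat.simidea.com.ar," which never equals the Host header the CA sends
#    - proxy_pass accepts exactly one upstream URL
#    - the ssl_certificate/ssl_certificate_key lineage is named after the FIRST
#      entry of the domains list, so a leftover /live/example.org/ path is wrong
# Prints one finding per line and returns 1 if there was any.
lint_nginx_conf() {
    local conf="$1" first_domain="$2" rc=0 line
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *server_name*,*)
                echo "server_name: separate names with spaces, not commas: $line"; rc=1 ;;
            *proxy_pass*,*)
                echo "proxy_pass: takes exactly one upstream URL: $line"; rc=1 ;;
            *ssl_certificate*/live/*)
                case "$line" in
                    */live/"$first_domain"/*) ;;
                    *) echo "ssl_certificate: expected /live/$first_domain/ for this domains list: $line"; rc=1 ;;
                esac ;;
        esac
    done < "$conf"
    return "$rc"
}

# 2. Reproduce the CA's validation request: write a token under the webroot,
#    then fetch it over plain HTTP by each name, the same URL shape Let's
#    Encrypt prints on failure. A name that fails here fails at the CA too:
#    its DNS points elsewhere, port 80 is filtered, or the name does not reach
#    the server block that serves the webroot.
# FETCH names the command that performs the request (overridable for tests).
FETCH=${FETCH:-fetch_http}
fetch_http() {
    # $1 = URL; prints the body, fails on timeout or non-2xx like the CA would.
    curl -fsS --max-time 10 "$1"
}

check_challenge_path() {
    local webroot="$1"; shift
    local token="preflight-$(date +%s)-$$" failed=0 d body
    mkdir -p "$webroot/.well-known/acme-challenge"
    printf '%s' "$token" > "$webroot/.well-known/acme-challenge/$token"
    for d in "$@"; do
        body=$("$FETCH" "http://$d/.well-known/acme-challenge/$token" 2>/dev/null || true)
        if [ "$body" = "$token" ]; then
            echo "ok    $d"
        else
            echo "FAIL  $d  (the CA's fetch of this URL would fail the same way)"
            failed=$((failed + 1))
        fi
    done
    rm -f "$webroot/.well-known/acme-challenge/$token"
    [ "$failed" -eq 0 ]
}

# Usage: acme_preflight.sh app.conf simidea.com.ar chat.simidea.com.ar ...
# (the first domain is the one certbot will use as the lineage name)
if [ "$#" -ge 2 ]; then
    conf="$1"; shift
    lint_nginx_conf "$conf" "$1" || echo "fix the findings above before requesting certificates"
    check_challenge_path "${WEBROOT:-/var/www/certbot}" "$@"
fi
```

Run it as the user that owns the webroot, on a machine that can reach the server's public IP: a host behind NAT without hairpinning will show FAIL for every name even when the CA would succeed, so in that case run it from outside or point `FETCH` at a wrapper that uses `curl --resolve`. Nothing here changes what certbot does; it only moves the CA's fetch in front of the request, so the `Timeout during connect` line can be pinned to DNS, firewall or nginx routing before failed validations count against Let's Encrypt's rate limits.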


8 participants