Question

LetsEncrypt share certificate with subdomain?

Hello, I have an issue with sharing a certificate with subdomains.

Using Debian 9, Nginx. Installed successfully on my www.domain.com and domain.com.

But when I try to share this certificate with a subdomain like subdomain.domain.com, it shows an ERROR:

username@Debian:/etc/nginx/sites-available$ sudo certbot certonly -a webroot --webroot-path=/var/www/domain-d subdomain.domain.com --expand
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for subdomain.domain.com
Using the webroot path /var/www/domain/phppgadmin for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. subdomain.domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://subdomain.domain.com/.well-known/acme-challenge/f3HvI4S970igQArAPRJvXlWyvpE_xTkSK9tU3BcG1rA: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: subdomain.domain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://subdomain.domain.com/.well-known/acme-challenge/f3HvI4S970igQArAPRJvXlWyvpE_xTkSK9tU3BcG1rA:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I have a certificate for www.domain.com + domain.com. But I need to use a subdomain for phpPgAdmin. I have also configured subdomain.domain.com in my 1&1.com account. It shows that I own that subdomain. The certificate renew command for domain.com works fine; when I try to add -d domain.com it shows a message asking whether to reissue the cert Y/N. But when it comes to the subdomain, I get an ERROR. My DNS settings for the subdomain are the same as for domain.com. Also, I configured the DigitalOcean domain records like this:

Type   Hostname                  Value                                       TTL (seconds)
CNAME  www.domain.com            is an alias of  domain.com.                 43200
AAAA   subdomain.domain.com      directs to      2a03:b0c0:2:d0::349e:1001   3600
CNAME  *.subdomain.domain.com    is an alias of  subdomain.domain.com.       43200
A      subdomain.domain.com      directs to      178.62.***.**               3600
A      domain.com                directs to      178.62.***.**               3600
AAAA   domain.com                directs to      2a03:b0c0:2:d0::349e:1001   3600
NS     domain.com                directs to      ns3.digitalocean.com.       1800
NS     domain.com                directs to      ns1.digitalocean.com.       1800
NS     domain.com                directs to      ns2.digitalocean.com.       1800

In addition, I want to mention that I was able to visit my subdomain.domain.com for a while and use phpPgAdmin. But after indexing I got this ERROR:

Your connection is not private

Attackers might be trying to steal your information from subdomain.domain.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID
 
Automatically send some system information and page content to Google to help detect dangerous apps and sites. Privacy policy

ReloadHIDE ADVANCED
sybdomain.domain.com normally uses encryption to protect your information. When Google Chrome tried to connect to subdomain.domain.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be subdomain.domain.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit subdomain.domain.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

All firewalls are disabled; that did not help. If I ping my subdomain.domain.com, the packets come back fine.

Nginx.conf

server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;

        root /var/www/domain/public;

        index index.php index.html index.htm index.nginx-debian.html;

        server_name domain.com;

        include snippets/ssl-domain.com.conf;
        include snippets/ssl-params.conf;
        location ~ /.well-known {
                allow all;
        }
        if ($scheme != "https") {
                return 301 https://$host$request_uri;
        }

        location / {
                try_files $uri $uri/ /index.php?$query_string;
        }

        location ~ [^/]\.php(/|$) {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
                include fastcgi_params;
        }

        location ~ /\.ht {
                deny all;
        }
}

# PhpPgAdmin, redirect to phppgadmin for managing DB
server {
        server_name     subdomain.domain.com;
        root            /var/www/domain/phppgadmin;
        index           index.php index.html;   # terminating ';' was missing

        access_log      /var/log/phppgadmin/access.log;
        error_log       /var/log/phppgadmin/error.log;

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
                include fastcgi_params;
        }

        location / {
                allow   18*****;   # IP masked in the question; terminating ';' was missing
                deny    all;
        }
}

That is why I need to share my certificate or issue a new one for subdomain.domain.com.

Any ideas how to fix it?
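The pair of server blocks below is an added example for the subdomain, not the asker's config and not phpPgAdmin's own. It addresses what the posted config and log show: the http-01 challenge is fetched over plain HTTP, so subdomain.domain.com needs a port-80 listener (the second server block has no listen directive at all) whose /.well-known/acme-challenge/ location is reachable by anyone and is matched before the IP-restricted location /. It also moves allow/deny to server level, because in the posted config a request for index.php is routed to the regex location ~ \.php$, which does not inherit the restriction placed inside location /. Paths, snippet names and the PHP-FPM socket are taken from the question; the admin IP is a placeholder, since the page masks it.

```nginx
# Added example, not the asker's config. Plain-HTTP listener for the
# subdomain: answers ACME http-01 challenges for everyone, sends all other
# requests to HTTPS. The [::]:80 listener matters because the zone has an
# AAAA record and the validator may connect over IPv6.
server {
    listen 80;
    listen [::]:80;
    server_name subdomain.domain.com;

    # certbot --webroot writes tokens to <webroot>/.well-known/acme-challenge/.
    # "^~" is a prefix match that wins over any regex location, so nothing
    # else in this block can intercept the token request. The root here must
    # be exactly the -w/--webroot-path value given to certbot for this name.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/domain/phppgadmin;
        default_type "text/plain";
        allow all;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS listener for phpPgAdmin. allow/deny at server level apply to every
# location in the block, including the PHP handler.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name subdomain.domain.com;

    root  /var/www/domain/phppgadmin;
    index index.php index.html;

    # Same snippets the question's first server block includes; the
    # certificate snippet is assumed to point at the certificate once it has
    # been expanded to cover subdomain.domain.com.
    include snippets/ssl-domain.com.conf;
    include snippets/ssl-params.conf;

    access_log /var/log/phppgadmin/access.log;
    error_log  /var/log/phppgadmin/error.log;

    allow 203.0.113.10;   # placeholder for the admin IP the question masks as 18*****
    deny  all;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        include fastcgi_params;
    }
}
```

Before asking for the certificate, run `nginx -t` and reload, then confirm the challenge directory is actually served: create a throwaway file under /var/www/domain/phppgadmin/.well-known/acme-challenge/ and fetch it with curl over plain http from a host other than the server itself (a 404, as in the log above, means the webroot or the location does not match; a 403 means the ACL is still in front of it). The certonly command in the question also has no space between the webroot path and -d, and --expand only works when every name the certificate should cover is listed, each after the webroot it is served from: `certbot certonly --webroot -w /var/www/domain/public -d domain.com -d www.domain.com -w /var/www/domain/phppgadmin -d subdomain.domain.com --expand`. The Chrome page quoted above says the site uses HSTS, so the browser will not offer a bypass; the NET::ERR_CERT_COMMON_NAME_INVALID error goes away only once the served certificate lists subdomain.domain.com.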



I guess you could try experimenting with self-signing your own ssh certificates, and see what happens. That might lead you to what’s causing the problem.

Wayne Sallee Wayne@WayneSallee.com

Still no luck, googling things like “lets encrypt nginx subdomain” or “digital ocean letsencrypt subdomain”, “digital ocean add subdomain” etc. I think I have added it successfully, but somehow not the way Let's Encrypt needs. Because I was able to navigate to my phppgadmin subdomain for a while, before it started redirecting to https://. Still cannot encrypt the subdomain…
