New cert on CNAME, Let's Encrypt - nginx - Debian 9

April 1, 2018 186 views
Let's Encrypt Debian

Hi!

I'm new to SSL and trying to configure Let's Encrypt on a Debian 9 droplet with nginx.
I managed to install let's encrypt on my own domain (mydomain.com) but forgot to add www.mydomain.com which is registered on namesilo as a CNAME.

I tried the following command:

certbot --nginx -d www.mydomain.com

This gave me the following output:

Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.mydomain.com
Waiting for verification...
Cleaning up challenges
Deployed Certificate to VirtualHost /etc/nginx/sites-enabled/default for www.mydomain.com
nginx: [emerg] duplicate listen options for [::]:443 in /etc/nginx/sites-enabled/default:216
Rolling back to previous server configuration...
nginx restart failed:
b''
b''

IMPORTANT NOTES:
 **- We were unable to install your certificate, however, we
   successfully restored your server to its prior configuration.**
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.mydomain.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.mydomain.com-0001/privkey.pem
   Your cert will expire on 2018-06-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"

I also tried:

certbot certonly -a webroot --webroot-path=/var/www/html -d www.mydomain.com

And this time it gave me:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/www.mydomain.com-0001.conf)

What would you like to do?
-------------------------------------------------------------------------------
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.mydomain.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.mydomain.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.mydomain.com-0001/privkey.pem
   Your cert will expire on 2018-06-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

But when accessing www.mydomain.com it does not provide SSL.

Is there an easy way to clean up my mess? And also, what's the correct way of deploying SSL when creating new CNAMEs like www.mydomain.com, test.mydomain.com etc.?

This whole thing is a bit confusing. And since Let's Encrypt now offers wildcards, shouldn't this be an easy thing to do?
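The `nginx: [emerg] duplicate listen options for [::]:443` failure can be reproduced without touching the server. The following check is an added example, not code from the post or from certbot: it scans the text of one nginx config file for the two listen conditions nginx refuses at startup (socket-level options such as `ipv6only=on` repeated for the same address:port, and more than one `default_server`), run over a constructed excerpt that mirrors the `sites-enabled/default` certbot's nginx installer produced in the question.

```python
import re

# Parameters nginx applies to the listening socket itself: each may appear in
# only one listen directive per address:port, else nginx refuses to start with
# "duplicate listen options". "ssl" is not socket-level and may be repeated.
SOCKET_LEVEL = {"bind", "backlog", "rcvbuf", "sndbuf", "accept_filter",
                "deferred", "ipv6only", "reuseport", "so_keepalive",
                "fastopen", "setfib"}
LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);", re.MULTILINE)

def lint_listen_directives(config_text):
    """Return nginx-style findings for one config file's text; [] means OK."""
    socket_opts = {}    # address:port -> socket-level params per directive
    default_count = {}  # address:port -> directives carrying default_server
    for match in LISTEN_RE.finditer(config_text):
        params = match.group(1).split()
        # A bare port means every IPv4 address, which nginx reports as *:port
        # (simplified: nginx also folds 0.0.0.0:port into that same socket).
        addr = "*:" + params[0] if params[0].isdigit() else params[0]
        names = {p.split("=", 1)[0] for p in params[1:]}
        if names & SOCKET_LEVEL:
            socket_opts.setdefault(addr, []).append(names & SOCKET_LEVEL)
        if "default_server" in names:
            default_count[addr] = default_count.get(addr, 0) + 1
    findings = []
    for addr, sets in sorted(socket_opts.items()):
        if len(sets) > 1:
            findings.append("duplicate listen options for %s (%s)"
                            % (addr, ", ".join(sorted(set.union(*sets)))))
    for addr, count in sorted(default_count.items()):
        if count > 1:
            findings.append("a duplicate default server for %s" % addr)
    return findings

# Constructed excerpt of sites-enabled/default as left by certbot in the
# question: the new www block repeats ipv6only=on for [::]:443 (the [emerg]).
BROKEN = """
server {
    server_name mydomain.com;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
}
server {
    server_name www.mydomain.com;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
}
"""
# Minimal fix: keep ipv6only=on on only one of the [::]:443 directives.
FIXED = BROKEN.replace(" ipv6only=on", "", 1)
```

`lint_listen_directives(BROKEN)` reports the same condition nginx printed for line 216 of the question's file, and the same text with `ipv6only=on` on a single `[::]:443` directive passes; `nginx -t` remains the authoritative check after any edit.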

1 Answer

As per google, www should be an A record. Not CNAME. I have updated this on namesilo.
