Multiple subdomains with -d simply doesn't work (in my case (certonly webroot)) #1946

hedefalk opened this Issue Dec 18, 2015 · 14 comments


@hedefalk

Doing something like:

./letsencrypt-auto certonly --text --webroot --webroot-path /var/lib/haproxy --renew-by-default --agree-tos --email hedefalk@gmail.com -d jenkins.woodenstake.se -d repo.woodenstake.se

does not work. I only get certs for the first domain. Running them individually works fine.

@bmw
Contributor
bmw commented Dec 18, 2015

When you include multiple domain names on the command line, Let's Encrypt gives you a single SANs certificate containing all the domain names you requested. Have you checked the SANs extension of the certs?

@bmw bmw added the more-info label Dec 18, 2015
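The check bmw asks for above (and the later suggestion to look through the folders under /etc/letsencrypt/live for the certificate that carries all requested SANs) can be scripted with nothing but the Python standard library. This is an added example, not code from the letsencrypt client; it uses a minimal DER walker that knows just enough of the X.509 layout to reach the Subject Alternative Name extension, and the sample certificate it builds is constructed here (structurally valid but unsigned and untrusted) purely so the parser can be exercised offline. The live directory layout (one folder per lineage, leaf certificate first in fullchain.pem) matches what the thread shows.

```python
"""List the dNSName entries of a certificate's SAN extension and compare them
with the names passed via -d. Standard library only; minimal DER walker."""
import base64
import re
from pathlib import Path

SAN_OID = bytes.fromhex("551d11")  # id-ce-subjectAltName, 2.5.29.17


def _tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _children(value: bytes):
    """Iterate over the TLVs inside a constructed value (SEQUENCE, [n], ...)."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner


def pem_to_der(pem: str) -> bytes:
    """Return the first CERTIFICATE block of a PEM file (the leaf in fullchain.pem)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der: bytes) -> str:
    """Inverse of pem_to_der, used here only to round-trip constructed samples."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def san_dns_names(der: bytes) -> list:
    """Walk Certificate -> tbsCertificate -> [3] extensions -> SAN and return dNSNames."""
    _, cert, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                # tbsCertificate SEQUENCE
    for tag, wrapper in _children(tbs):
        if tag != 0xA3:                      # [3] EXPLICIT Extensions
            continue
        _, extensions, _ = _tlv(wrapper, 0)
        for _, ext in _children(extensions):
            fields = list(_children(ext))    # extnID, [critical], extnValue
            if fields[0][1] != SAN_OID:
                continue
            _, general_names, _ = _tlv(fields[-1][1], 0)   # OCTET STRING holds a SEQUENCE
            return [v.decode("ascii") for t, v in _children(general_names) if t == 0x82]
    return []


def missing_names(der: bytes, requested) -> list:
    """Names given with -d that the certificate does not cover."""
    present = set(san_dns_names(der))
    return [n for n in requested if n not in present]


def lineages_covering(live_dir, requested) -> list:
    """Folders under live_dir whose leaf certificate covers every requested name."""
    hits = []
    for chain in sorted(Path(live_dir).glob("*/fullchain.pem")):
        if not missing_names(pem_to_der(chain.read_text()), requested):
            hits.append(chain.parent.name)
    return hits


def _der(tag: int, content: bytes) -> bytes:
    """Encode a DER TLV with short or long length form (for the constructed sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_cert(names) -> bytes:
    """CONSTRUCTED sample: an unsigned, untrusted certificate skeleton whose only
    extension is a SAN with the given names. Enough for the parser, useless for TLS."""
    general_names = b"".join(_der(0x82, n.encode("ascii")) for n in names)
    san_ext = _der(0x30, _der(0x06, SAN_OID) + _der(0x04, _der(0x30, general_names)))
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                         # version v3
               + _der(0x02, b"\x01")                                   # serial number
               + sig_alg
               + _der(0x30, b"")                                       # issuer (empty placeholder)
               + _der(0x30, _der(0x17, b"151218000000Z") + _der(0x17, b"160317000000Z"))
               + _der(0x30, b"")                                       # subject (empty placeholder)
               + _der(0x30, b"")                                       # SPKI placeholder
               + _der(0xA3, _der(0x30, san_ext)))                      # [3] extensions
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00"))             # empty signature BIT STRING


if __name__ == "__main__":
    import sys
    print(lineages_covering("/etc/letsencrypt/live", sys.argv[1:]))
```

Run it as `python3 sancheck.py jenkins.woodenstake.se repo.woodenstake.se` on the machine that ran the client: an empty list means no lineage under /etc/letsencrypt/live covers every name, which is the symptom the opening post describes; a non-empty list names the folder to point HAProxy at.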
@KeiroD
KeiroD commented Dec 18, 2015

I can confirm that this also happens on a box that has LE installed.

I don't unfortunately recall the errors that I had when attempting to use the -d domaina.com -d domainb.com but it results in an error saying... actually, I remember now.

It was saying something similar to client not authorized. I'd have to rerun the commands to get the exact errors when I tried to do that with both standalone and certonly mode.

@KeiroD
KeiroD commented Dec 18, 2015

OK, here's what I got for mine:

Failed authorization procedure. www.heimkoma.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found incapsula.com, *.app.nestlebaby.ru, *.armatuequipo.mx, *.asknlearn.com, *.auth0.com, *.bankruptcy-america.com, *.banpais.hn, *.bizbazz.co.il, *.btlnestlecwa.com, *.cdiscount.cm, *.collectorsystems.com, *.consensuscorpdev.com, *.contoursbaby.com, *.de.chef-professional.com, *.de.emea.boservices.dolce-gusto.com, *.dev.medibank.com.au, *.directorsdesk.com, *.dome9.com, *.edmundoptics.com, *.fabguys.com, *.farmbuildings.com, *.finconsum.es, *.fwi.co.uk, *.fxoptimax.com, *.help724.com, *.hrcont.com, *.immigration-quebec.gouv.qc.ca, *.imperva.de, *.implementsdirect.com.au, *.infrastructureontario.ca, *.leclubnestleantillesguyane.fr, *.lmgfiles.com, *.logitechgpromo.com, *.lowndescounty.com, *.menulog.com, *.mey-edlich.de, *.minnbankersinsurance.com, *.mirantis.ru, *.nescafe-barista.ch, *.nescafe-milano.co.za, *.nestle-estrellitas.com, *.nestle-goodfoodgoodlife.ca, *.nestlecontact.com, *.progaming-sys.com, *.purina.dk, *.qa-shopathome.com, *.rateabowl.com, *.ribbit.me, *.ribbitrewards.me, *.roguecanada.ca, *.smartservice.qld.gov.au, *.sportsingapore.gov.sg, *.spotoption.com, *.stage.nest.lu, *.sumasa.net, *.support.nestlebaby.com, *.todosparauno.net, *.tritondigitalcms.com, *.uniport.net, *.universalmusicmagazine.com, *.votensw.info, *.winiary.pl, *.www.special-t.com, armatuequipo.mx, bankruptcy-america.com, bizbazz.co.il, btlnestlecwa.com, cdiscount.cm, collectorsystems.com, contoursbaby.com, fabguys.com, farmbuildings.com, finconsum.es, fwi.co.uk, help724.com, immigration-quebec.gouv.qc.ca, implementsdirect.com.au, leclubnestleantillesguyane.fr, lmgfiles.com, logitechgpromo.com, mey-edlich.de, minnbankersinsurance.com, mirantis.ru, nescafe-barista.ch, nescafe-milano.co.za, nestle-estrellitas.com, nestle-goodfoodgoodlife.ca, nestlecontact.com, purina.dk, rateabowl.com, ribbit.me, 
ribbitrewards.me, roguecanada.ca, smartservice.qld.gov.au, sportsingapore.gov.sg, stage.nest.lu, sumasa.net, todosparauno.net, uniport.net, universalmusicmagazine.com, votensw.info, heimkoma.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found incapsula.com, *.app.nestlebaby.ru, *.armatuequipo.mx, *.asknlearn.com, *.auth0.com, *.bankruptcy-america.com, *.banpais.hn, *.bizbazz.co.il, *.btlnestlecwa.com, *.cdiscount.cm, *.collectorsystems.com, *.consensuscorpdev.com, *.contoursbaby.com, *.de.chef-professional.com, *.de.emea.boservices.dolce-gusto.com, *.dev.medibank.com.au, *.directorsdesk.com, *.dome9.com, *.edmundoptics.com, *.fabguys.com, *.farmbuildings.com, *.finconsum.es, *.fwi.co.uk, *.fxoptimax.com, *.help724.com, *.hrcont.com, *.immigration-quebec.gouv.qc.ca, *.imperva.de, *.implementsdirect.com.au, *.infrastructureontario.ca, *.leclubnestleantillesguyane.fr, *.lmgfiles.com, *.logitechgpromo.com, *.lowndescounty.com, *.menulog.com, *.mey-edlich.de, *.minnbankersinsurance.com, *.mirantis.ru, *.nescafe-barista.ch, *.nescafe-milano.co.za, *.nestle-estrellitas.com, *.nestle-goodfoodgoodlife.ca, *.nestlecontact.com, *.progaming-sys.com, *.purina.dk, *.qa-shopathome.com, *.rateabowl.com, *.ribbit.me, *.ribbitrewards.me, *.roguecanada.ca, *.smartservice.qld.gov.au, *.sportsingapore.gov.sg, *.spotoption.com, *.stage.nest.lu, *.sumasa.net, *.support.nestlebaby.com, *.todosparauno.net, *.tritondigitalcms.com, *.uniport.net, *.universalmusicmagazine.com, *.votensw.info, *.winiary.pl, *.www.special-t.com, armatuequipo.mx, bankruptcy-america.com, bizbazz.co.il, btlnestlecwa.com, cdiscount.cm, collectorsystems.com, contoursbaby.com, fabguys.com, farmbuildings.com, finconsum.es, fwi.co.uk, help724.com, immigration-quebec.gouv.qc.ca, implementsdirect.com.au, leclubnestleantillesguyane.fr, lmgfiles.com, logitechgpromo.com, mey-edlich.de, minnbankersinsurance.com, mirantis.ru, 
nescafe-barista.ch, nescafe-milano.co.za, nestle-estrellitas.com, nestle-goodfoodgoodlife.ca, nestlecontact.com, purina.dk, rateabowl.com, ribbit.me, ribbitrewards.me, roguecanada.ca, smartservice.qld.gov.au, sportsingapore.gov.sg, stage.nest.lu, sumasa.net, todosparauno.net, uniport.net, universalmusicmagazine.com, votensw.info

Hmm. Interesting, looks like this happens because I included heimkoma.com and www.heimkoma.com

Rerunning without -d heimkoma.com -d www.heimkoma.com produces a different error now.

VirtualHost not able to be selected.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/poir.heimkoma.com/fullchain.pem. Your cert
   will expire on 2016-03-17. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.

This happened because apparently moriya.heimkoma.com was not detected by letsencrypt-auto... probably because VestaCP likes to shove nginx and apache2 configs into home user directories inside /home/$USER/conf/web.

I think this is because I individually ran the certs and got them installed when I ran into the error mentioned by @hedefalk.

@bmw
Contributor
bmw commented Dec 18, 2015

@KeiroD, it appears you have a few misunderstandings about how the client works and I'd recommend that you take a look at our docs.

Based on what you've said, however, it appears that the problems you are having are unrelated to the one described in the original post. To try the method described there, check out the webroot plugin in the documentation I linked above.

@KeiroD
KeiroD commented Dec 18, 2015

@bmw Possibly. I've read the docs... but that doesn't invalidate the fact that when I ran the tool I was not able to generate a SAN certificate, in much the same way he did.

What I should've done was to copy the errors that I encountered when attempting to use letsencrypt-auto that demonstrate the issue rather nicely. Unfortunately, I didn't think to, and so I tried to reproduce it in the comment before yours just now... with obviously different results.

Basically, what I'm just saying is that it's not just @hedefalk that experienced the issue. I have no issues in running letsencrypt-auto for individual subdomains. Just when I try to run letsencrypt-auto for multiple domains with the -d domaina.com and -d domainb.com as per the docs when using standalone.

Obviously he's using webroot but it seems to be happening across both webroot and standalone.

@hedefalk

@bmw Oh, didn't know about SAN certificates. I can't do anything now though since I seem to have struck some quota:

"There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: woodenstake.se"

Don't know if this is per day quota or hour or too many certs for this domain.

@KeiroD
KeiroD commented Dec 18, 2015

@hedefalk Yup, 5 certs per week or so, something similar. There's a rate-limit in place but I don't know when that'll be raised.

@hedefalk hedefalk referenced this issue in janeczku/haproxy-acme-validation-plugin Dec 18, 2015
Closed

Problems getting up and running… #1

@bmw
Contributor
bmw commented Dec 18, 2015

@hedefalk, one workaround for that is to include --test-cert on the command line. The certificate you get from running the client that way won't be trusted in browsers, but it allows you to test the client without worrying about rate limits.

@cvette
cvette commented Dec 22, 2015

I can confirm this problem using the standalone installer. Subject Alternative Name shows the main domain, even if I add more subdomains.

 X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage: 
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 Subject Key Identifier: 
            xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        X509v3 Authority Key Identifier: 
            keyid:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

        Authority Information Access: 
            OCSP - URI:http://ocsp.int-x1.letsencrypt.org/
            CA Issuers - URI:http://cert.int-x1.letsencrypt.org/

        X509v3 Subject Alternative Name: 
            DNS:mydomain.de
        X509v3 Certificate Policies: 
            Policy: 2.23.140.1.2.1
            Policy: 1.3.6.1.4.1.44947.1.1.1
              CPS: http://cps.letsencrypt.org
              User Notice: ...
@bmw
Contributor
bmw commented Dec 23, 2015

@cvette, to clarify, you're saying you ran the client asking for multiple domains (either specified on the command line or typed in at the prompt asking for domains) and the certificate you received only has a single name in it?

It's possible the certificate could be saved somewhere other than where you expected. Assuming you haven't changed it, letsencrypt saves certificates under /etc/letsencrypt/live. There may be multiple folders in here. If the client ran successfully (didn't exit with an error message) and you haven't run the client since, one of the folders here should have a certificate for all of the SANs you requested.

@cvette
cvette commented Dec 23, 2015

That's correct. However, I'm unable to reproduce it.

@hedefalk

Ok, the SAN extension seems to be working fine for me. Alright if I close, or is anyone still having issues?

I'm having another question though: I can't seem to understand what logic determines WHERE the SAN cert gets put. It's not the first domain (woodenstake.se in my example):

viktor@i7:~/letsencrypt$ sudo ./letsencrypt-auto certonly --text --webroot --webroot-path /var/lib/haproxy --renew-by-default --agree-tos --email hedefalk@gmail.com -d woodenstake.se -d jenkins.woodenstake.se -d jenkins-nas.woodenstake.se -d repo.woodenstake.se -d blog.woodenstake.se -d transmission.woodenstake.se -d uniplybeta.woodenstake.se -d crm.woodenstake.se --break-my-certs
- Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/**repo.woodenstake.se**/fullchain.pem. Your cert
   will expire on 2016-03-28. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
@bmw
Contributor
bmw commented Jan 5, 2016

I'm closing this issue. If the issue remains for anyone, comment and I'll reopen.

@hedefalk, with --renew-by-default on the command line, if the names you are requesting are equal to or a superset of the names in a currently existing certificate, the existing certificate should be renewed. Otherwise, the new certificate would be stored in /etc/letsencrypt/live/<domain> where <domain> is the first specified domain. Is it possible you had a preexisting certificate?
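The rule bmw states above decides which folder under /etc/letsencrypt/live a run ends up in, which is exactly what someone scripting the whole thing needs to predict. The function below is an added model of that rule, not the client's own code: `existing` maps each lineage folder to the SAN names in its current certificate (as the SAN check earlier in the thread would report them), and the sample data mirrors hedefalk's situation, where a lineage named after repo.woodenstake.se already held a subset of the eight names. The assumption that the first matching lineage wins when several would qualify is mine, not something the thread states.

```python
"""Predict the /etc/letsencrypt/live/<folder> a request will land in, following
the rule from the thread: with --renew-by-default, an existing certificate whose
names are equal to or a subset of the requested names is renewed in place;
otherwise a new lineage is created and named after the first -d domain."""


def lineage_for_request(existing: dict, requested: list, renew_by_default: bool) -> str:
    """existing: {folder_name: set_of_san_names}; requested: the -d names in order."""
    if not requested:
        raise ValueError("at least one -d domain is required")
    wanted = set(requested)
    if renew_by_default:
        # ASSUMPTION: if more than one lineage qualifies, the first in dict order is renewed.
        for folder, names in existing.items():
            if names <= wanted:              # request equals or is a superset of the old cert
                return folder
    return requested[0]                      # fresh lineage named after the first domain


# CONSTRUCTED sample modelled on the thread: two earlier single-purpose runs already
# produced a lineage under repo.woodenstake.se covering two of the names.
EXISTING = {
    "repo.woodenstake.se": {"repo.woodenstake.se", "jenkins.woodenstake.se"},
}
REQUESTED = [
    "woodenstake.se", "jenkins.woodenstake.se", "jenkins-nas.woodenstake.se",
    "repo.woodenstake.se", "blog.woodenstake.se", "transmission.woodenstake.se",
    "uniplybeta.woodenstake.se", "crm.woodenstake.se",
]


def demo() -> dict:
    """Show the three cases from the thread side by side."""
    return {
        "renew_by_default_with_old_cert": lineage_for_request(EXISTING, REQUESTED, True),
        "without_renew_by_default": lineage_for_request(EXISTING, REQUESTED, False),
        "no_previous_certs": lineage_for_request({}, REQUESTED, True),
    }


if __name__ == "__main__":
    for case, folder in demo().items():
        print(f"{case}: /etc/letsencrypt/live/{folder}/")
```

A lineage whose certificate contains a name that is not in the new request (say an old cert for heimkoma.com and www.heimkoma.com when only www.heimkoma.com is requested) is never a subset of the request, so it is left alone and a new folder is created; that is the case to watch for when an old single-name certificate lingers from earlier experiments.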

@bmw bmw closed this Jan 5, 2016
@hedefalk
hedefalk commented Jan 7, 2016

@bmw Ah, yes, I almost certainly had existing certs :)

I'll try it out without --renew-by-default and put the top domain first so that it'll be easier to script the whole thing…
