LetsEncrypt Issue with subdomains

I had a few issues with invalid subdomain certificates using the Let's Encrypt (LE) feature on Virtualmin.
So here is my situation. I have a VM on OVH with a single failover IP. I have Virtualmin installed on the VM and I have about a dozen domains that share the same IP. I use Let's Encrypt to create my SSL certificates and all is good… except when I use LE for subdomains. When I create my subdomains (client1.domain.com, client2.domain.com, etc.), they all use the parent common name, rendering them INVALID. So client1.domain.com uses the cert that validates to the main parent domain.com, which is not good. Now when I remove SSL from the parent “domain.com” and request new certs for all of my subdomains, it works and each subdomain certificate is valid: the common names are correct, client1.domain.com validates to client1.domain.com instead of “domain.com”. So the question is: is this a bug, am I doing it wrong, is there another way for me to do this?
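What the poster is seeing is a name mismatch: a certificate issued for domain.com (CN and SANs) is served on client1.domain.com, and browsers compare the requested host against the certificate's SAN list, not against whichever site Virtualmin happened to serve it from. The snippet below is an added example written for this thread, not Virtualmin or Let's Encrypt code. It implements the hostname match clients perform, can fetch the certificate a live server presents (with SNI), and runs the check against two constructed certificate dicts in the shape Python's `ssl.getpeercert()` returns; the hostnames are the post's own placeholders.

```python
"""Check which names a served certificate actually covers.

Added example, not Virtualmin or Let's Encrypt code. It reproduces the
situation in the post above: the certificate issued for the parent
domain.com is served for client1.domain.com, so browsers reject it. The
certificate dicts below are constructed in the shape ssl.getpeercert()
returns; the hostnames are the post's placeholders.
"""
import socket
import ssl


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match of one certificate DNS name against a host.

    A wildcard is honoured only as the entire left-most label, so
    '*.domain.com' covers 'client1.domain.com' but neither 'domain.com'
    itself nor 'a.client1.domain.com'.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict):
    """Return (san_dns_names, common_name) from a getpeercert()-style dict."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return sans, cn


def cert_covers_host(cert: dict, host: str) -> bool:
    """True if the certificate is valid for `host`.

    When a SAN extension is present only the SANs count; the CN is ignored,
    as browsers and Python's own hostname check do. A CN-only certificate
    (no SAN extension at all) is matched on its CN.
    """
    sans, cn = cert_names(cert)
    if sans:
        return any(name_matches(n, host) for n in sans)
    return cn is not None and name_matches(cn, host)


def fetch_served_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the certificate a live server presents for `host` (SNI is sent).

    Chain validation stays on so getpeercert() returns the parsed dict;
    hostname checking is turned off so a mismatch is reported by
    cert_covers_host() instead of raising. Network call, not run offline.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed: the parent's certificate, as served on client1.domain.com.
PARENT_CERT = {
    "subject": ((("commonName", "domain.com"),),),
    "subjectAltName": (("DNS", "domain.com"), ("DNS", "www.domain.com")),
}

# Constructed: what a correctly issued per-sub-domain certificate looks like.
CLIENT1_CERT = {
    "subject": ((("commonName", "client1.domain.com"),),),
    "subjectAltName": (("DNS", "client1.domain.com"),
                       ("DNS", "www.client1.domain.com")),
}

if __name__ == "__main__":
    for label, cert in (("parent cert", PARENT_CERT), ("client1 cert", CLIENT1_CERT)):
        for host in ("domain.com", "client1.domain.com", "client2.domain.com"):
            verdict = "valid" if cert_covers_host(cert, host) else "INVALID"
            print(f"{label} served on {host}: {verdict}")
```

Running `fetch_served_cert("client1.domain.com")` and passing the result to `cert_covers_host` tells you in one step whether Virtualmin handed the sub-domain its own certificate or the parent's; `cert_names` shows exactly which names the served certificate carries.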

Hi,

Don’t create them as sub-domains. If a client is a different person, it’s always better to create a new virtual server instead of a sub-domain, to keep everything separate. You could use Server Configuration / Move Virtual Server and convert it to a parent.

So the question is: is this a bug, am I doing it wrong, is there another way for me to do this?

No, I don’t think it’s a bug.

Yes, I tried that as well: create a virtual server and use client1.domain.com as a top-level domain. Same problem. When I create the initial server, the parent domain.com, is there a way to do it so that it doesn’t share the common name with subsequent domains, whether it’s a sub-domain or a top-level domain?

The only way I was able to fix this was to remove the parent domain’s SSL in Edit Virtual Server. This is not a good solution if I want to have a parent domain with SSL, as each client gets their own domain.

Remember to add the sub-domain DNS entry at the nameserver you are hosted on. Otherwise the SSL certificate will not generate.

client1.domain.com A record “IP Address of Server” 7201
*.client1.domain.com A record “IP Address of Server” 7201

It was actually working before with a CNAME too, but since the last two updates it won’t work anymore. We have sub-domain CNAMEs for which a valid Let’s Encrypt SSL certificate was still generated, but since the last two updates that no longer seems to work.

ValueError: Wrote file to /home/group-name/domains/sub.domain.tld/public_html/.well-known/acme-challenge/S4WQKt43bh-QoYhUhl_5K5edh34wZGZzGeSUN8LG5Jw, but couldn’t download http://sub.domain.tld/.well-known/acme-challenge/S4WQKt43bh-QoYhUhl_5K5edh34wZGZzGeSUN8LG5Jw: Error:
Url: http://sub.domain.tld/.well-known/acme-challenge/S4WQKt43bh-QoYhUhl_5K5edh34wZGZzGeSUN8LG5Jw

It says the file got written, which is actually NOT the case at all!
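The failure in the post above, the ACME client claiming the challenge file was written while the CA cannot fetch it over HTTP, is cheap to reproduce locally before requesting a certificate. The following is an added example written for this thread, not Virtualmin's or any ACME client's code. It writes a token under the webroot, re-reads it from disk instead of trusting the write, then fetches it over plain HTTP the way the CA would; the webroot path, base URL and token format are assumptions, and the `demo()` helper serves a temporary directory on 127.0.0.1 to stand in for the real web server.

```python
"""Pre-flight the HTTP-01 challenge path before asking Let's Encrypt.

Added example, not Virtualmin or ACME-client code. It does what the failing
step in the post does, but verifies each part: write a token under
<webroot>/.well-known/acme-challenge/, re-read it to confirm it is really
on disk, then fetch it over plain HTTP the way the CA would and compare the
body. Webroot, base URL and token format are assumptions; demo() serves a
temporary directory on 127.0.0.1 in place of the real web server.
"""
import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_PATH = ".well-known/acme-challenge"


def http01_selfcheck(webroot: str, base_url: str, timeout: float = 10.0) -> dict:
    """Write a throwaway token into webroot and fetch it back via base_url."""
    token = secrets.token_urlsafe(32)
    body = f"{token}.selfcheck"
    result = {"token": token, "written": False, "on_disk": False,
              "http_status": None, "body_matches": False, "error": None}
    path = os.path.join(webroot, CHALLENGE_PATH, token)
    # Ignore proxy environment variables: the CA talks to the host directly.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        result["written"] = True
        # The post's error claimed the file was written when it was not:
        # re-read it rather than trusting the write call.
        with open(path) as fh:
            result["on_disk"] = fh.read() == body
        url = f"{base_url.rstrip('/')}/{CHALLENGE_PATH}/{token}"
        try:
            with opener.open(url, timeout=timeout) as resp:
                result["http_status"] = resp.status
                result["body_matches"] = resp.read().decode() == body
        except urllib.error.HTTPError as exc:            # 404, 403, ...
            result["http_status"] = exc.code
            result["error"] = str(exc)
        except (urllib.error.URLError, OSError) as exc:  # DNS, refused, timeout
            result["error"] = str(exc)
    finally:
        try:
            os.remove(path)
        except FileNotFoundError:
            pass
    result["ok"] = result["on_disk"] and result["body_matches"]
    return result


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo's output clean
        pass


def serve_dir_locally(directory: str):
    """Serve `directory` on 127.0.0.1 at a free port; returns (server, base_url)."""
    handler = functools.partial(_QuietHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address[:2]
    return server, f"http://{host}:{port}"


def demo(misconfigured: bool = False) -> dict:
    """Run the self-check against a local stand-in for the site's web server.

    misconfigured=True serves a different directory from the one the token
    was written to, which is what a wrong document root looks like from the
    CA's side: the file is on disk, but the fetch returns 404.
    """
    with tempfile.TemporaryDirectory() as webroot, \
            tempfile.TemporaryDirectory() as other_root:
        server, base_url = serve_dir_locally(other_root if misconfigured else webroot)
        try:
            return http01_selfcheck(webroot, base_url)
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    print("correct webroot:", demo())
    print("wrong webroot:  ", demo(misconfigured=True))
```

Against a real site you would call `http01_selfcheck("/home/group-name/domains/sub.domain.tld/public_html", "http://sub.domain.tld")` (paths from the post, used as an illustration) and look at which field is False: `on_disk` False means the write itself failed, `http_status` 404 means the web server is serving a different document root or the DNS record points elsewhere, and an `error` with no status means the name does not resolve or the port is closed.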

Try setting these two to use default. That did the trick for me.

Thanks, that did the trick for me too. But it also seems to be a BUG, as that should NOT happen at all, and it worked now even though the record is a CNAME record and NOT, as mentioned before in other proposed solutions (which did not work at all), an A record. I hope they will fix that soon, as this issue is blocking the automatic creation of SSL certificates. Also, we realized that now a mail.domain.tld always gets created even when no mail is needed on the specific account. This was NOT the case before and now happens with all newly created ones; all our domains run via Google mail and don’t need that mail domain at all.
There seems to be no way to make a setting so that both happen: the SSL settings you mentioned, and no more mail.name.tld being created.

Thanks a lot for your help!
