interbrite / letsencrypt-vesta

Automate Let's Encrypt Certificate Installation for VestaCP

www alias and mail subdomain problem #20

Closed twilson90 closed 8 years ago

twilson90 commented 8 years ago

I'm trying:

letsencrypt-vesta SITE_NAME SITE_NAME.com www.SITE_NAME.com mail.SITE_NAME.com

But because they're not listed as domains in my account, I get 2 warnings saying ' does not exist in the account', even though they are working URLs.

I've checked the certificate to see if despite the warning the domains are added but they aren't.

Please help!

jpitoniak commented 8 years ago

As it stands right now, only the main domain name for a site (the one you enter in the "domain" field when adding the site) and any listed aliases (of which www.domain.com should normally be added automatically) are added to the certificate. The other A records that Vesta adds to a domain automatically (such as mail.domain.com and pop.domain.com) do not. I'll have to think about the best way to handle these in a future release.

Note that you can add mail.domain.com as an alias if you want it to be added to the certificate. Vesta won't complain if you do this, but doing so will also add it to the webserver configuration for the site (making mail.domain.com also resolve to the website). If it isn't listed as an alias and you try to go to mail.domain.com, usually the site of the main domain on the server (which, in my case, is a default Vesta index.html page) will resolve instead.

Thanks for the suggestion.

jpitoniak commented 8 years ago

I've thought about this a little more and realized that any subdomain names that you want to add to the certificate would have to be web accessible for the validation to go through (since letsencrypt-vesta uses webroot validation). So if you want those non-web subdomains added to your certificate, the easiest way to make it work is to just add them to the list of aliases, as I previously suggested. If you don't want them to be web accessible (other than to Let's Encrypt), you could edit your web server config appropriately. For example, the following would work in an .htaccess file, forcing a 403 (forbidden) error when either host was requested. The .htaccess would be processed after the Let's Encrypt aliasing happens, so Let's Encrypt would have no problem seeing the validation files.

# Refuse every request whose Host header is one of the non-web names.
# Patterns are anchored and dot-escaped so only the exact hostnames match;
# [NC] makes the comparison case-insensitive.
RewriteEngine on
RewriteCond %{HTTP_HOST} ^mail\.domain\.com$ [NC,OR]
RewriteCond %{HTTP_HOST} ^pop\.domain\.com$ [NC]
RewriteRule ^.*$ - [F,L]
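The rule above relies on letsencrypt-vesta aliasing the challenge directory before the .htaccess is consulted. If the challenge files are ever served straight from the document root instead (a different ACME client, or a webroot path pointing at the site itself), a blanket 403 for these hostnames would also block validation and break renewal. The following is an added example, not code from the thread or from the letsencrypt-vesta project; it assumes Apache 2.4 with mod_rewrite enabled and AllowOverride permitting FileInfo directives, and uses the same placeholder names mail.domain.com and pop.domain.com. It exempts the HTTP-01 challenge path explicitly and tolerates a port suffix in the Host header, so the block stays safe regardless of how the challenge is served:

```apache
# Added example (not from the original thread or letsencrypt-vesta).
# Assumes Apache 2.4, mod_rewrite, AllowOverride FileInfo (or All).
RewriteEngine on

# Always let ACME HTTP-01 validation through, whatever the Host header,
# so the deny rule below can never interfere with issuance or renewal.
RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/ [NC]
RewriteRule ^ - [L]

# Refuse everything else for hostnames that exist only to be on the
# certificate. Anchored, dot-escaped, case-insensitive; the optional
# (:port) group covers a Host header that carries an explicit port.
RewriteCond %{HTTP_HOST} ^mail\.domain\.com(:[0-9]+)?$ [NC,OR]
RewriteCond %{HTTP_HOST} ^pop\.domain\.com(:[0-9]+)?$ [NC]
RewriteRule ^ - [F,L]
```

To check the behaviour from the server itself, request the site root with a spoofed Host header (curl -H 'Host: mail.domain.com' http://127.0.0.1/) and expect 403, then request /.well-known/acme-challenge/test with the same header and expect the challenge directory to answer (200 if a test file exists there, 404 otherwise) rather than 403.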