littlebizzy / slickstack

Lightning-fast WordPress on Nginx
https://slickstack.io
GNU General Public License v3.0

Non-www version of SITE_DOMAIN fails to generate Let's Encrypt #34

Closed Bronislawsky closed 2 years ago

Bronislawsky commented 4 years ago

Here are my settings:

SSL_TYPE="certbot"
SSL_EMAIL="user@domain.net"
SSL_EMAIL_ALERTS="false"
WP_MULTISITE="false"
SITE_TLD="domain.net"
SITE_DOMAIN="www.domain.net"

In ss-encrypt this if block gets called:

## subdomain (www is irrelevant) + no email alerts (or missing)
## the pattern below is *.*.* (it was rendered as "..*" in the original post, where markdown ate the asterisks)
elif [[ "$SSL_EMAIL_ALERTS" != "true" ]] && [[ $SITE_DOMAIN == *.*.* ]]; then
    certbot delete --cert-name ${SITE_TLD}
    certbot delete --cert-name ${SITE_DOMAIN}
    certbot certonly --noninteractive --agree-tos --cert-name ${SITE_DOMAIN} -d ${SITE_DOMAIN} --register-unsafely-without-email --webroot -w /var/www/html/

I don't know if it's the default behavior, but domain.net doesn't end up with a valid SSL: the SITE_TLD ends up with no cert.

When calling www.domain.net it works, but domain.net has the cert for www.domain.net, which fires a security warning.

Bronislawsky commented 4 years ago

After reading the script carefully, I believe that to have domain.net and www.domain.net, SITE_DOMAIN must be "domain.net" instead of www.domain.net. I will update my ss-config to SITE_TLD="domain.net" and SITE_DOMAIN="domain.net".

jessuppi commented 2 years ago

@Bronislawsky Thanks again for some of your early participation and bug reports, and sorry for my late replies.

I'm not sure I understand exactly what caused your TLD to have no Let's Encrypt SSL here; however, over the past year or so the ss-encrypt-certbot script (and others) have been improved, and now they use:

So now the logic is much better, because the cert generation (and installation) doesn't assume anything, and every single server is treated the same in that both www and non-www versions of the certs are generated no matter what (unless the SITE_DOMAIN value in ss-config is determined to be a subdomain, in which case the www version will be ignored).

Many other bugs and poor logic have also been fixed.

Ref: https://github.com/littlebizzy/slickstack/blob/master/bash/ss-encrypt-certbot.txt

Also we deprecated SSL_EMAIL and SSL_EMAIL_ALERTS to keep Certbot management simpler. Going forward, SlickStack will not support including an email address in the cert generation. Thanks!
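The www/non-www rule the maintainer describes above, written out as an added example that is not SlickStack's own code: one helper derives the list of names a single certificate should cover from SITE_TLD and SITE_DOMAIN (a leading "www." is ignored, and a remaining name with three or more labels is treated as a subdomain that gets no www variant), one turns that list into certbot `-d` arguments, and one checks whether a PEM certificate actually lists a given name in its subjectAltName extension, which is the check that would have flagged the original report (domain.net served with the www.domain.net cert). The function names and the three-label subdomain test are assumptions, not SlickStack's.

```shell
#!/bin/sh
# Added example, not SlickStack's own code. Helper names are assumptions.

# Print the space-separated list of names one Let's Encrypt cert should cover,
# given SITE_TLD ($1) and SITE_DOMAIN ($2).
ss_cert_names() {
    tld="$1"
    domain="$2"
    # A leading "www." is irrelevant, as the thread says: strip it first.
    bare="${domain#www.}"
    case "$bare" in
        *.*.*)
            # Three or more labels after stripping www (e.g. blog.domain.net):
            # treated as a subdomain, so only that name is requested.
            echo "$bare"
            ;;
        *)
            # Apex domain: request both names on one cert so that
            # https://domain.net and https://www.domain.net both validate.
            echo "$bare www.$bare"
            ;;
    esac
}

# Build the "-d name -d name" argument string for certbot certonly.
ss_certbot_domain_args() {
    args=""
    for name in $(ss_cert_names "$1" "$2"); do
        args="$args -d $name"
    done
    echo "${args# }"
}

# Return 0 if the PEM certificate in $1 lists $2 as a DNS subjectAltName.
# Requires OpenSSL 1.1.1 or newer for the -ext option. Use it after issuance
# to confirm the apex name is really on the cert that nginx serves.
cert_covers_name() {
    pem="$1"
    name="$2"
    openssl x509 -in "$pem" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' \
        | grep -qxF -- "$name"
}

# Usage with the settings from the original report (constructed input):
ss_certbot_domain_args "domain.net" "www.domain.net"
# -> -d domain.net -d www.domain.net
```

The three-label test mirrors the `*.*.*` pattern from the ss-encrypt snippet quoted earlier in the thread, so it misclassifies apex domains under two-level public suffixes such as example.co.uk as subdomains; a deployment on such a suffix would need a public-suffix-aware check instead. After certbot runs, `cert_covers_name /etc/letsencrypt/live/domain.net/fullchain.pem domain.net` (path shown as an illustration) is the quick way to confirm the bare domain will not trigger the browser warning reported above.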