outroll / vesta

VESTA Control Panel
http://vestacp.com
GNU General Public License v3.0

LE SSL Certificate Guidance #1941

Open sebasira opened 4 years ago

sebasira commented 4 years ago

Operating System (OS/VERSION):

Ubuntu 18.04 Ubuntu 14.04

VestaCP Version:

0.9.8-24 (latest as of today)

Other Notes:

I have set up my first SSL certificate for my site (let's name it mysite.com) using these lines:

v-add-letsencrypt-domain 'admin' mysite.com '' 'yes'
v-update-host-certificate admin mysite.com
echo "UPDATE_HOSTNAME_SSL='yes'" >> /usr/local/vesta/conf/vesta.conf

And I can confirm that accessing https://mysite.com is secure (it has the lock icon and I can see the valid certificate).

But there are some things I don't know how to do:

1- If in the browser I type mysite.com it enters via HTTP... but if I type www.mysite.com it does it via HTTPS. How can I force it to always be HTTPS for this single site (not all the domains in Vesta)? I've seen several posts about configuring nginx or apache, even .htaccess, but I don't know how to do that.

2- Vesta is hosted on a DigitalOcean droplet, where I have configured a CNAME record named ftp to be an alias of mysite.com, but when I log in to the FTP with FileZilla I get that the hostname does not match (this is because the certificate is for mysite.com and not for ftp.mysite.com, if I'm correct). I was told that what I need is a wildcard certificate. Is that correct? Can anyone tell me how to configure it?

Thank you very much!

(please bear with me as I'm not used to managing SSL certificates, nginx or apache)

tlcd96 commented 4 years ago

v-add-letsencrypt-domain user domain.tld *.domain.tld

tlcd96 commented 4 years ago

then, you can add it to the host cert and the ftp.domain.tld should work after you have the new cert (if it is associated with the domain.tld)

sebasira commented 4 years ago

@skullwritter thanks for your reply, I've been able to test it today...

This is what I issued:

v-add-letsencrypt-domain 'my-user' domain.com.ar *.domain.com.ar '' 'yes'

And I get:

Error: Let's Encrypt validation status 400

Then I try with:

v-add-letsencrypt-domain 'my-user' *.domain.com.ar '' 'yes'

which gave me:

Error: invalid domain format :: *.domain.com.ar

The only thing that worked out was:

v-add-letsencrypt-domain 'my-user' domain.com.ar '' 'yes'

which is the same as in my original post, so ftp.domain.com.ar is still showing the wrong cert error.

Any ideas? Am I missing something?

sebasira commented 4 years ago

I've been reading this other issue: https://github.com/serghey-rodin/vesta/issues/1886

It led me to verify the content of my v-add-letsencrypt-domain and v-add-letsencrypt-user scripts, and they were updated. Anyway, just in case, I've performed the steps described by @ScIT-Raphael here: https://github.com/serghey-rodin/vesta/issues/1886#issuecomment-535360892

I was still getting the 400 status error. And reading even more, I realized (correct me if I'm wrong) that I was issuing the command badly. So I tried with

v-add-letsencrypt-domain my-user domain.com.ar *.domain.com.ar

But the error refuses to go. What can I do?

sebasira commented 4 years ago

Just for the record, I'm using Ubuntu 14.04. I know it's old, but it's a production server and I'm scared to upgrade it and vanish every site

sebasira commented 4 years ago

Updates on this!

After a lot of trial and error, I executed this other command and it worked:

v-add-letsencrypt-domain my-user domain.com.ar ftp.domain.com.ar

I needed to manually define each alias, not use a wildcard. I even tested it with more aliases:

v-add-letsencrypt-domain my-user domain.com.ar ftp.domain.com.ar www.domain.com.ar

And all those work, and I can confirm that the message "hostname does not match" is not thrown when, for example, I visit https://www.domain.com.ar. Before doing this the browser threw me a warning about "hostname does not match".

I would like to make the wildcard work. I'm guessing that the problem could be related to DNS records configuration. I have manually created the CNAME records for ftp and www both pointing to domain.com.ar., in my DigitalOcean Networking panel. Maybe I'm missing something there.

Thanks in advance!

EDIT

About DNS records, what confuses me is that in the DigitalOcean Networking panel I have:

CNAME ftp.domain.com.ar is an alias of domain.com.ar.
CNAME www.domain.com.ar is an alias of domain.com.ar.

But I've just entered the DNS configuration on Vesta Panel and I have this:

A ftp pointing to IP
A www pointing to IP

I know almost nothing about DNS records and I don't know if this is correct or if it could be the source of the problem.

ScIT-Raphael commented 4 years ago

@sebasira LE wildcard certificates always need validation over DNS. The current implementation of vesta/let's encrypt will create the required DNS record - the problem is, if you use external DNS servers and not the integrated vesta one (even a master cluster setup will be synced every 5 minutes anyway), the record is not visible to the let's encrypt validation servers. That's the reason it will always throw a 400 validation error.
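Added example (shell; not VestaCP's own code) tying together the two outcomes reported in this thread: the explicit-alias request (domain plus ftp and www) succeeds because each name is validated over HTTP and resolves to the server, while the wildcard request fails with status 400 when the _acme-challenge TXT record that Vesta writes into its local zone is not visible on the external DNS that Let's Encrypt queries. The script is a pre-flight check you can run before issuing v-add-letsencrypt-domain. It assumes dig is installed, that Vesta's DNS answers on 127.0.0.1, and uses 1.1.1.1 as a stand-in for "what Let's Encrypt sees"; the IP addresses and the dns_query/le_preflight names are assumptions, not part of Vesta.

```shell
#!/bin/sh
# Added example, not VestaCP code. Pre-flight for the two validation paths
# discussed in the thread, for a zone hosted on external DNS:
#   * explicit aliases (HTTP-01): each name must resolve to this server's IP;
#   * wildcard (DNS-01): the _acme-challenge TXT that Vesta writes into its
#     local zone must be visible, with the same value, on a public resolver.
# Assumptions: `dig` is installed; Vesta's DNS listens on 127.0.0.1;
# 1.1.1.1 stands in for the resolvers Let's Encrypt uses.

# Lookup helper: $1 = resolver, $2 = record type, $3 = name.
# Output is `dig +short` style: one value per line, TXT strings quoted.
dns_query() { dig +short "$2" "$3" "@$1"; }

# True when the dig-style answer ($2) contains the exact IP ($1) on a line of
# its own. A CNAME chain prints the target first and the address last, so we
# match whole lines rather than substrings.
resolves_to() { printf '%s\n' "$2" | grep -qxF "$1"; }

# True when both TXT answers ($1 local Vesta DNS, $2 public) are non-empty and
# identical, i.e. the current challenge token reached the servers LE will ask.
# The token changes on every order, so a stale public copy is not enough.
txt_in_sync() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# $1 = lookup function name (dns_query, or a fake for testing)
# $2 = this server's IP; remaining args = every name the certificate should
# cover, including a wildcard such as '*.domain.com.ar' (quote it in the shell).
# Prints one verdict per name; returns 1 if any check failed.
le_preflight() {
    lookup=$1; ip=$2; shift 2; rc=0
    for name in "$@"; do
        case $name in
        \*.*)
            zone=${name#\*.}
            local_txt=$("$lookup" 127.0.0.1 TXT "_acme-challenge.$zone")
            public_txt=$("$lookup" 1.1.1.1 TXT "_acme-challenge.$zone")
            if txt_in_sync "$local_txt" "$public_txt"; then
                echo "$name: ok (DNS-01 token visible on public DNS)"
            else
                echo "$name: FAIL (_acme-challenge.$zone TXT not visible on public DNS; expect LE validation status 400)"
                rc=1
            fi ;;
        *)
            if resolves_to "$ip" "$("$lookup" 1.1.1.1 A "$name")"; then
                echo "$name: ok (HTTP-01 validation can reach this server)"
            else
                echo "$name: FAIL (does not resolve to $ip on public DNS)"
                rc=1
            fi ;;
        esac
    done
    return $rc
}

# Live usage on a real server (IP and names are placeholders):
#   le_preflight dns_query 203.0.113.10 domain.com.ar ftp.domain.com.ar www.domain.com.ar '*.domain.com.ar'
```

If a plain name fails, fix the A/CNAME record at the provider that actually serves the zone (in the thread, DigitalOcean, not the records shown inside Vesta) and wait for the TTL to expire; if the wildcard line fails, the zone's authoritative servers are not the ones Vesta updates, which is exactly the situation that produces the 400 error.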

sebasira commented 4 years ago

@ScIT-Raphael, thank you for your reply!

I was using the external DNS server because I did not know that vesta would configure them for me. So, how should I set up the DNS, or what should I do in order to validate a wildcard certificate?

What I don't get is why it works using

v-add-letsencrypt-domain my-user domain.com.ar ftp.domain.com.ar www.domain.com.ar

And I can confirm you that in the vesta panel a record named _acme_challenge is created

throny commented 4 years ago

@ScIT-Raphael Wow, thank you! I was so confused by that. I had an external DNS and just got 400 all the time. It would be great to mention that WC SSL doesn't work with ext. DNS providers.

However, I tried just creating a TXT record with the _acme-challenge value from local DNS to ext. DNS but that won't work as the acme-challenge keeps changing. Is there any way to get it working without using the local DNS?

ScIT-Raphael commented 4 years ago

@throny Currently, this is not possible. It is on the pending list from our fork hestia, but no release date yet: https://github.com/hestiacp/hestiacp