wmnnd / nginx-certbot

Boilerplate configuration for nginx and certbot with docker-compose
MIT License
3.14k stars 1.16k forks

Problems creating certificates with subdomains #118

Open hfuentes87 opened 2 years ago

hfuentes87 commented 2 years ago

Hello, I am trying to generate a certificate for an instant messaging system in Ubuntu Server 20.04, so I need the certificate to contain subdomains.

I added the subdomains in the init-letsencrypt.sh file:

domains=(simidea.com.ar chat.simidea.com.ar irc.simidea.com.ar mail.simidea.com.ar munim.simidea.com.ar proxy.simidea.com.ar transport.simidea.com.ar upload.simidea.com.ar webchat.simidea.com.ar webmail.simidea.com.ar www.simidea.com.ar)

And in the app.conf file, in the lines:

server {
    listen 80;
    # nginx separates server names with spaces, not commas; with commas each name
    # (e.g. "chat.simidea.com.ar,") never matches the Host header
    server_name simidea.com.ar chat.simidea.com.ar irc.simidea.com.ar mail.simidea.com.ar munim.simidea.com.ar proxy.simidea.com.ar transport.simidea.com.ar upload.simidea.com.ar webchat.simidea.com.ar webmail.simidea.com.ar www.simidea.com.ar;
    server_tokens off;

    # HTTP-01 challenge files written by certbot --webroot are served from here over plain HTTP
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    server_name simidea.com.ar chat.simidea.com.ar irc.simidea.com.ar mail.simidea.com.ar munim.simidea.com.ar proxy.simidea.com.ar transport.simidea.com.ar upload.simidea.com.ar webchat.simidea.com.ar webmail.simidea.com.ar www.simidea.com.ar;
    server_tokens off;
    # left as posted: a later reply in this thread points out that example.org here should be
    # the first name of the domains= array (simidea.com.ar), since certbot stores the
    # certificate under /etc/letsencrypt/live/<first domain>/
    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    location / {
        # proxy_pass takes exactly one upstream URL; the original listed every domain here,
        # which nginx rejects at startup. The backend address is not given in the thread,
        # so a PLACEHOLDER upstream name is used.
        proxy_pass  http://app-backend;
        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    }
}

When I run the init-letsencrypt.sh script I get the following error on each of the subdomains:

### Requesting Let's Encrypt certificate for simidea.com.ar ...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for simidea.com.ar and 10 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: chat.simidea.com.ar
  Type:   connection
  Detail: Fetching http://chat.simidea.com.ar/.well-known/acme-challenge/okLh0IXNPKKyRBxN2ALGkU9htihXkUCDs_qYVrIDiVI:     Timeout during connect (likely firewall problem)

If I remove the subdomains the certificate is generated but only for the main domain. Any idea what is causing the problem? Thank you
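Added here as an illustration, not code from the issue or from the nginx-certbot repository: a preflight that does what the CA does for each entry of the `domains` array, fetching a probe token over plain HTTP on port 80 and sorting failures into the buckets certbot prints (timeout, refused, DNS, HTTP status, wrong content). It assumes the webroot `/var/www/certbot` from the app.conf above; `fetch` is injectable so the classification can be checked without network access.

```python
import secrets
import socket
import sys
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"
WEBROOT = Path("/var/www/certbot")  # must match `root` in the acme-challenge location block

def challenge_url(domain: str, token: str) -> str:
    """Exact URL the CA requests for HTTP-01: always http:// on port 80, never https://."""
    return f"http://{domain}/{CHALLENGE_DIR}/{token}"

def http_fetch(url: str, timeout: float = 10.0) -> bytes:
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()

def check_domain(domain: str, token: str, expected: bytes, fetch=http_fetch) -> str:
    """Verdict for one name; `fetch` is injectable so the classification can be exercised offline."""
    try:
        body = fetch(challenge_url(domain, token))
    except urllib.error.HTTPError as exc:
        return f"http {exc.code}: wrong webroot or no acme-challenge location on :80"
    except OSError as exc:  # URLError (an OSError) wraps the socket error in .reason
        cause = getattr(exc, "reason", exc)
        if isinstance(cause, (socket.timeout, TimeoutError)):
            return "timeout: port 80 unreachable from outside (firewall, or the A record points elsewhere)"
        if isinstance(cause, ConnectionRefusedError):
            return "refused: nothing listening on :80 (nginx down, or its config was rejected)"
        if isinstance(cause, socket.gaierror):
            return "dns: name does not resolve"
        return f"error: {cause}"
    if body.strip() != expected:
        return "wrong content: a different vhost or service answered for this name"
    return "ok"

def preflight(domains, token: str, expected: bytes, fetch=http_fetch) -> dict:
    """Check every entry of the certbot `domains` array; returns {domain: verdict}."""
    return {d: check_domain(d, token, expected, fetch) for d in domains}

if __name__ == "__main__":
    # usage: python3 preflight.py simidea.com.ar chat.simidea.com.ar ...  (run on the nginx host)
    token = secrets.token_urlsafe(32)
    path = WEBROOT / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(token)  # the probe file, in the same place certbot --webroot writes its own
    for domain, verdict in preflight(sys.argv[1:], token, token.encode()).items():
        print(f"{domain}: {verdict}")
    path.unlink()  # remove the probe file afterwards
```

A connect timeout reported by the CA means port 80 is unreachable from the Internet, so run the probe from a host outside your network as well; a success from the server itself only proves nginx serves the path locally.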

bashiru98 commented 2 years ago

I think I am also facing the same issue; with main domains it's working fine, but for the subdomains it isn't working.

JR1b commented 2 years ago

Hi, I have the same problem, have you found any solution?

DmitryKvant commented 2 years ago

Same issue

pikhovkin commented 2 years ago

chown -R www-data:www-data "$data_path/conf/live" and rerun init-letsencrypt.sh

kevin192291 commented 2 years ago

@pikhovkin What is this comment talking about? There is no directory like that here.

pikhovkin commented 2 years ago

@kevin192291 My comment suggests that this non-obvious issue might be related to permissions. Just try to set permissions to your configs

fabiobeoni commented 2 years ago

Did you find any solution? thanks.

hackrmomo commented 1 year ago

I'm facing this issue too. It seems to be a potential change in perhaps how nginx does stuff? I'm not sure. I'll update here in a bit. For now though, in theory, reverting the change https://github.com/wmnnd/nginx-certbot/commit/94c73dbf3f1b819feff469595c05eb8d3d3a93d9 should (I think?) fix the issue. This will however create multiple certificates instead of one.

Edit: Turns out it works normally but you can't set environment list env variable using

set -o allexport
source .env
set +o allexport

Second Edit: @hfuentes87, I noticed you still have example.org in your app.conf file under the second server block. It should be the first domain's name.