2

I have recently set up a cloud via Nextcloud. I have successfully signed a certificate for my domain https://mydomain.home.com (of course my real domain is different). This all worked out just fine. But now I also wanted to have the certificate for "www.mydomain.home.com". But this doesn't work.

nc -z -v -w5 mydomain.home.com 80

Reports:

DNS fwd/rev mismatch: mydomain.home.com != host-blabla
mydomain.home.com [255.255.255.255] 80 (http) open

So port 80 for the validation should be fine. This is what my nginx config looks like (sites-available/default):

server {
    listen 80;
    server_name *.mydomain.home.com;
    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name *.mydomain.home.com;

    ssl_certificate /etc/letsencrypt/live/mydomain.home.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.home.com/privkey.pem;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    # includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /var/www/nextcloud/;

    # (rest of the server block not included in the post)
}

I used:

certbot certonly --webroot -w /var/www/mydomain.home.com -d mydomain.home.com -d www.mydomain.home.com

If I leave out the second domain with the www it works, but the command above gives me the error message:

Failed authorization procedure. www.mydomain.home.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for www.mydomain.home.com

Why is that?

Also, when I use

certbot renew --dry-run

I only get:

Attempting to renew cert from /etc/letsencrypt/renewal/mydomain.home.com.conf produced an unexpected error: Failed authorization procedure. mydomain.home.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://*.mydomain.home.com/.well-known/acme-challenge/GwAAZEokTN1ByCuJUGP4t61mCeuTxIDKypd4DzhcfEg: Error getting validation data. Skipping.
Felix
  • 145
  • 1
  • 9
  • My problem was solved by adding example.com AND www.example.com to server_name (nginx). – Nitin Apr 22 '19 at 08:20

1 Answer

0

I think that Let's Encrypt needs to access your server over http and not https. You need to make an exception for the .well-known directory in your http server block.

For example:

server {
    listen 80;
    server_name *.mydomain.home.com;

    location / {
        return 301 https://$server_name$request_uri;
    }
    location /.well-known/ {
        root /path/to/directory;
    }
}
server {
    listen 443 ssl;
    server_name *.mydomain.home.com;

    ssl_certificate ...;
    ssl_certificate_key ...;

    ...

    location /.well-known/ {
        root /path/to/directory;
    }
}
Richard Smith
  • 1,243
  • 1
  • 8
  • 13
  • Still doesn't work. I've added: `location '/.well-known/acme-challenge' { default_type "text/plain"; root /var/www/mydomain.home.com; }` – Felix Sep 06 '17 at 14:18
  • Yes. I think I have to read up more on what I am actually doing. Just copy-pasting answers from stackexchange won't help in the future :-) I am just too much of a n00b, but thx so far for all your help. If you have any suggestions I'd gladly hear 'em. – Felix Sep 06 '17 at 14:27
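The two errors in the question have two distinct causes, and both can be checked before running certbot. The NXDOMAIN error means the name www.mydomain.home.com has no A record at all, so no web server configuration can fix it. The renewal error shows the validator being redirected to the literal host `https://*.mydomain.home.com/...`, because `$server_name` in a wildcard server block expands to the wildcard itself rather than to the requested host; `$host` (or serving `/.well-known/acme-challenge/` directly, as the answer suggests) avoids that. The following pre-flight script is an added example written for this page, not code from the question, the answer or any tool; the hostnames are the question's placeholders, the resolver is injectable so it runs offline, and `nginx_redirect_target` is a deliberately small model of how nginx expands those three variables in a `return 301` directive.

```python
"""
Pre-flight checks for Let's Encrypt http-01 validation behind nginx.

Checks, per requested name:
  1. the name resolves (otherwise the CA reports NXDOMAIN);
  2. the redirect nginx would send for the challenge URL points at a
     fetchable host (a wildcard server_name expanded via $server_name
     is not one).
Hostnames are the placeholders from the question; the resolver is a
constructed, injectable fixture so the module runs without network.
"""
import re
import socket
from urllib.parse import urlsplit

ACME_PATH = "/.well-known/acme-challenge/"
# One DNS label: letters, digits, hyphen; no leading/trailing hyphen, no '*'.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(host: str) -> bool:
    """True if every label is a legal DNS label, so '*.example.com' is rejected."""
    labels = host.rstrip(".").split(".")
    return 0 < len(host) <= 253 and all(_LABEL.match(label) for label in labels)


def nginx_redirect_target(server_name: str, request_host: str,
                          request_uri: str, template: str) -> str:
    """Expand $server_name, $host and $request_uri as nginx does in 'return 301 <template>'.

    $server_name is the *configured* name (literally '*.mydomain.home.com'
    for a wildcard block); $host is the name the client actually asked for.
    """
    return (template.replace("$server_name", server_name)
                    .replace("$host", request_host)
                    .replace("$request_uri", request_uri))


def check_dns(domain: str, resolve=socket.gethostbyname) -> list:
    """Problem list for the DNS check (empty means the name resolves)."""
    try:
        resolve(domain)
    except OSError as exc:  # socket.gaierror is an OSError subclass
        return [f"{domain}: no A record ({exc}); the CA will report NXDOMAIN"]
    return []


def check_redirect(server_name: str, domain: str, template: str) -> list:
    """Problem list for the redirect the port-80 block would issue for the challenge."""
    target = nginx_redirect_target(server_name, domain, ACME_PATH + "TOKEN", template)
    host = urlsplit(target).hostname or ""
    if not is_valid_hostname(host):
        # Let's Encrypt follows redirects to a real host (http or https);
        # a literal wildcard host can never be fetched.
        return [f"{domain}: challenge redirected to unfetchable host '{host}' "
                f"(use $host instead of $server_name, or serve {ACME_PATH} directly)"]
    return []


def preflight(domains, server_name, template, resolve=socket.gethostbyname,
              serves_acme_directly=False) -> dict:
    """Run both checks for every domain; returns {domain: [problems]}.

    serves_acme_directly=True models the answer's 'location /.well-known/'
    exception, under which the challenge never hits the redirect.
    """
    report = {}
    for domain in domains:
        problems = check_dns(domain, resolve)
        if not serves_acme_directly:
            problems += check_redirect(server_name, domain, template)
        report[domain] = problems
    return report


def make_fake_resolver(known: dict):
    """Constructed offline stand-in for socket.gethostbyname."""
    def resolve(host):
        if host in known:
            return known[host]
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


if __name__ == "__main__":
    names = ["mydomain.home.com", "www.mydomain.home.com"]
    # Constructed DNS state matching the question: only the apex has a record.
    dns = make_fake_resolver({"mydomain.home.com": "192.0.2.10"})
    for name, problems in preflight(names, "*.mydomain.home.com",
                                    "https://$server_name$request_uri", dns).items():
        print(name, "->", problems or "OK")
```

Running the script as-is reproduces both errors from the thread; switching the template to `https://$host$request_uri` (or passing `serves_acme_directly=True`) clears the redirect problem, while the www problem only disappears once the resolver knows the www name, i.e. once the A record exists.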