Obtaining a Certificate from Let's Encrypt for multiple FQDN

Hi Guys,

I have come across a curious problem. I have built a new Debian 9 server and am currently in the process of migrating everyone over from an older Debian 8 server.

Now the issue I seem to be having is that if I create a new virtual host I get all the correct domains associated with the domain:

domain.com www.domain.com mail.domain.com autoconfig.domain.com autodiscover.domain.com

Which is great, because I end up with an SSL certificate that covers all the important names; Dovecot works well, as well as Usermin and Webmin.

What I have noticed however is that the virtual hosts I migrate over have some of their FQDN missing.

For example, I have one that just has

domain.com www.domain.com

and that's where it ends, and another that has

domain.com www.domain.com autoconfig.domain.com autodiscover.domain.com

As you can see it's missing mail.domain.com. I thought this wasn't a big deal; I'll just add it below in the box titled "Domain Names Listed here". So I did just that, but Let's Encrypt does not like that and I receive the following error:

Validating configuration for domain.com ..

.. no problems found

Requesting a certificate for domain.com, mail.domain.com, www.domain.com, autoconfig.domian.com, autodiscover.domain.com from Let's Encrypt .. .. request failed : Web-based validation failed : Failed to request certificate :

mail.domain.com challenge did not pass: Invalid response from http://mail.domain.com/.well-known/acme-challenge/nYNGihbLT0R1J4dQ8PuhvDZgyLrqT0u0FQI4PfdGuoM [xxx.xxx.xxx.xxx]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

DNS-based validation failed : Failed to request certificate :

Gave up waiting for validation

Though when I go and check the DNS records, mail.domain.com is there and I can connect to it on the server. Any idea on what is wrong and where I can fix it?

Is there a config file or a text file that the SSL module gets the FQDN from that it offers to Let's Encrypt?

Status: 
Closed (fixed)

Comments

Howdy -- thanks for contacting us!

Well, you've been using Virtualmin a long time there... long enough that your server likely pre-dates when we began adding some of those aliases to the Apache config.

Names like mail.domain.tld and autoconfig.domain.tld were added relatively recently (maybe 2-3 years ago?)... it probably coincided with the availability of the free Let's Encrypt SSL certificates.

The name mail.domain.tld did exist in DNS before then, but there wouldn't have been a need to add it to the Apache config, as most people weren't getting SSL certificates for that (which is the main reason it's added into Apache now).

As far as how to resolve that problem now --

The simplest way to handle that would probably be to manually tweak the Apache config for those domains in question.

That is, look in /etc/apache2/sites-enabled/domain.conf, and in there, look for the "ServerAlias" lines. You'll likely see two ServerAlias lines that look like "www.domain.tld".

What you'd need to do is add a second ServerAlias line under each of those reading:

ServerAlias mail.domain.tld

And then do the same for any other of the aliases which Virtualmin automatically adds now (such as autoconfig).

Once you do that, restart Apache, and then see if going to "mail.domain.tld" shows you the site you'd expect for that domain.

If that works, you should then be able to request an SSL certificate that includes the new alias you added.

Hi andreychek,

Thanks for that info; yes indeed, we have been using Virtualmin for a long time.

Currently on our 3rd migration, so we have quite a few old virtual hosts that we have been dragging from server to server.

The one thing that you didn't mention in your solution is that even after you update the

/etc/apache2/sites-enabled/domain.conf

file correctly, the domains won't show up in the Let's Encrypt tab until you also add them to the DNS zone for the domain and then restart the Bind service.
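The two steps in this thread (add the missing names as ServerAlias entries in the Apache vhost, and make sure they exist in DNS) can be checked before asking Let's Encrypt for a certificate. The script below is an added example, not part of the original thread or of Virtualmin; it assumes Debian-style vhost files under /etc/apache2/sites-enabled/, and the function names are made up for the example. It first reports names missing from the vhost file offline, then optionally drops a probe file into the document root and fetches it through each hostname, which fails in the same way the 404 in the thread does when a name lands on the wrong vhost.

```shell
#!/bin/bash
# Pre-flight check for a Let's Encrypt HTTP-01 request on a Virtualmin host.
# Every name on the certificate must (1) be a ServerName/ServerAlias of the
# vhost and (2) resolve in DNS; otherwise validation hits the wrong vhost
# (404, as in the thread) or never reaches the server at all.
# Function names and paths below are assumptions for this example.

# Names Virtualmin adds for a new virtual host (from the thread).
default_names() {
    local d="$1"
    echo "$d www.$d mail.$d autoconfig.$d autodiscover.$d"
}

# Names declared by ServerName/ServerAlias in a vhost file, one per line,
# lower-cased (Apache matches the Host header case-insensitively).
vhost_names() {
    awk 'tolower($1)=="servername" || tolower($1)=="serveralias" {
             for (i = 2; i <= NF; i++) print tolower($i) }' "$1" | sort -u
}

# Print the wanted names that the vhost file does not declare.
missing_from_vhost() {
    local conf="$1"; shift
    local have n
    have=$(vhost_names "$conf")
    for n in "$@"; do
        printf '%s\n' "$have" | grep -qx "$n" || echo "$n"
    done
}

# Live checks (need DNS and the running web server): report names that do
# not resolve, and names whose challenge path is not served from this
# vhost's document root.
live_check() {
    local docroot="$1"; shift
    local token="preflight-$$" n
    mkdir -p "$docroot/.well-known/acme-challenge"
    echo "$token" > "$docroot/.well-known/acme-challenge/$token"
    for n in "$@"; do
        getent hosts "$n" >/dev/null || { echo "NO-DNS $n"; continue; }
        [ "$(curl -s --max-time 10 "http://$n/.well-known/acme-challenge/$token")" = "$token" ] \
            || echo "NOT-FROM-VHOST $n"
    done
    rm -f "$docroot/.well-known/acme-challenge/$token"
}

# Typical use on the server (assumed paths):
#   missing_from_vhost /etc/apache2/sites-enabled/domain.com.conf $(default_names domain.com)
#   live_check /home/domain/public_html $(default_names domain.com)
```

Add the reported names as ServerAlias lines and DNS records, restart Apache and BIND, and rerun until both functions print nothing before requesting the certificate.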

My bad! I actually thought Virtualmin always was creating a mail.domain.tld DNS entry, but it sounds like that wasn't always the case.

I'm glad you figured that out though, thanks for letting us know!

Feel free to let us know if you have any additional questions.

No problem, happy to help.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.