SOLVED Alternative Name gone after renewing *.wildcard cert

Status
Not open for further replies.

FunkStar

Member
Jun 16, 2017
Hi

Since 2018 we've been manually renewing our wildcard cert for fusionpbx using Let's Encrypt. Following this guide: https://docs.fusionpbx.com/en/latest/getting_started/lets_encrypt.html?highlight=ssl#wildcard

Yesterday the cert expired and I renewed it but suddenly I only got 1 challenge instead of the usual two.
After closer inspection I've noticed that the alternative name was removed from the cert.

So

a.voip-fusion.com
b.voip-fusion.com
c.voip-fusion.com
(you get the point...)

still work.

But the main domain "voip-fusion.com" gives a cert expired error.

I've looked at the code and I have no idea why, it still seems fine:

Bash:
#request the certificates
if [ .$wildcard_domain = ."true" ]; then
    ./dehydrated --cron --domain *.$domain_name --preferred-chain "ISRG Root X1" --algo rsa --alias $domain_alias --config /etc/dehydrated/config --out /etc/dehydrated/certs --challenge dns-01 --hook /etc/dehydrated/hook.sh
fi

Maybe Let's Encrypt changed something? Maybe something that Dehydrated changed?
Is anyone able to help with how to get the Alternative Name back into the wildcard cert using the ./letsencrypt.sh script?
 
Forgive me, as I've never used that bundled script but are the domain names in the certificate or not?

openssl x509 -noout -text -in fullchain.pem | grep voip-fusion
 

The cert only contains *.voip-fusion.com where in the past it also contained voip-fusion.com
Subdomains are secure but the main domain isn't.

Code:
./dehydrated --cron --domain *.$domain_name --preferred-chain "ISRG Root X1" --algo rsa --alias $domain_alias

The dehydrated command does get a $domain_alias, so I have no idea why it isn't setting it.

You can check the script here: https://github.com/fusionpbx/fusionpbx-install.sh/blob/master/debian/resources/letsencrypt.sh
 
Is it because you have to use alternative names instead of an alias for it to work as per:


This line looks like it's incorrect:

Bash:
#create an alias when using wildcard dns
if [ .$wildcard_domain = ."true" ]; then
    echo "*.$domain_name > $domain_name" > /etc/dehydrated/domains.txt
fi

Which should be without the right chevron:

Bash:
#create an alias when using wildcard dns
if [ .$wildcard_domain = ."true" ]; then
    echo "*.$domain_name $domain_name" > /etc/dehydrated/domains.txt
fi

And the following:

Bash:
if [ .$wildcard_domain = ."true" ]; then
    ./dehydrated --cron --domain *.$domain_name --preferred-chain "ISRG Root X1" --algo rsa --alias $domain_alias --config /etc/dehydrated/config --out /etc/dehydrated/certs --challenge dns-01 --hook /etc/dehydrated/hook.sh
fi

Should be:

Bash:
if [ .$wildcard_domain = ."true" ]; then
    ./dehydrated --cron --domain *.$domain_name $domain_alias --preferred-chain "ISRG Root X1" --algo rsa --config /etc/dehydrated/config --out /etc/dehydrated/certs --challenge dns-01 --hook /etc/dehydrated/hook.sh
fi

Sorry, I can't test it; I haven't really got the domains to mess around with at the current moment in time.
 
Thanks @hfoster you pointed me in the right direction.

First, we still had some trouble with the hook script too. I noticed they changed the GitHub repo, because "https://github.com/owhen/dns-01-manual.git" didn't exist anymore; now it links to https://github.com/sebastiansterk/dns-01-manual, while the git update links to https://github.com/gheja/dns-01-manual.git.

Changing gheja to sebastiansterk fixed the hook part.

link to change: https://github.com/fusionpbx/fusionpbx-install.sh/pull/239 -> https://github.com/fusionpbx/fusionpbx-install.sh/commit/6f40d5f57a285f4e819878a9a2329527a9906c55


Then the script had some errors:

This should be without the chevron (like you said), but also with the non-wildcard domain first.

Bash:
#create an alias when using wildcard dns
if [ .$wildcard_domain = ."true" ]; then
    echo "$domain_name *.$domain_name" > /etc/dehydrated/domains.txt
fi

And this was completely wrong; it wasn't even using the domains.txt ...

It should be --domains-txt instead of --domain, and --alias can only be used with --domain and not --domains-txt, so it should also be removed.

Bash:
if [ .$wildcard_domain = ."true" ]; then
    ./dehydrated --cron --domains-txt /etc/dehydrated/domains.txt --preferred-chain "ISRG Root X1" --algo rsa --config /etc/dehydrated/config --out /etc/dehydrated/certs --challenge dns-01 --hook /etc/dehydrated/hook.sh
fi
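The domains.txt fix from the last post and the openssl check hfoster suggested, combined into an added example script (my own code, not part of the FusionPBX letsencrypt.sh script or this thread): it writes the apex-first domains.txt entry and, after a renewal, fails if the issued fullchain.pem does not carry both the apex and the wildcard as Subject Alternative Names, which is exactly the regression this thread hit. It assumes dehydrated's certs/<name>/fullchain.pem layout and an OpenSSL whose `-text` output lists SANs as `DNS:` entries; the function names are mine.

```bash
#!/usr/bin/env bash
# Added example: build the dehydrated domains.txt entry (apex first, then the
# wildcard, no chevron) and verify the renewed cert really lists both names.
set -euo pipefail

# Writes the one-line domains.txt entry for a wildcard cert. dehydrated uses
# the first name as the certificate name and every name on the line as a SAN,
# so "apex *.apex" covers the main domain and all subdomains in one cert.
write_domains_txt() {
    local domain_name="$1" out_file="$2"
    printf '%s *.%s\n' "$domain_name" "$domain_name" > "$out_file"
}

# Prints the DNS names found in the certificate's SAN extension, one per line.
cert_sans() {
    local cert="$1"
    openssl x509 -noout -text -in "$cert" \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Returns 0 only if every expected name is present as a SAN; otherwise reports
# what is missing on stderr and returns 1. Run this before reloading services
# so a cert that silently lost the apex name is never put into production.
check_cert_names() {
    local cert="$1"; shift
    local sans missing=0 name
    sans="$(cert_sans "$cert" || true)"
    for name; do
        if ! grep -qxF "$name" <<< "$sans"; then
            echo "missing SAN: $name" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Usage after a renewal (paths as in the thread's script, assumed layout):
#   write_domains_txt voip-fusion.com /etc/dehydrated/domains.txt
#   check_cert_names /etc/dehydrated/certs/voip-fusion.com/fullchain.pem \
#       voip-fusion.com '*.voip-fusion.com'
```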
 