SOLVED Alternative Name gone after renewing *.wildcard cert

Status
Not open for further replies.

FunkStar

Hi

Since 2018 we've been manually renewing our wildcard cert for fusionpbx using Let's Encrypt. Following this guide: https://docs.fusionpbx.com/en/latest/getting_started/lets_encrypt.html?highlight=ssl#wildcard

Yesterday the cert expired and I renewed it, but suddenly I only got one challenge instead of the usual two.
After closer inspection I noticed that the alternative name had been removed from the cert.

So

a.voip-fusion.com
b.voip-fusion.com
c.voip-fusion.com
(you get the point...)

still work.

But the main domain "voip-fusion.com" gives a cert expired error.

I've looked at the code and I have no idea why; it still seems fine:

Bash:
#request the certificates
if [ .$wildcard_domain = ."true" ]; then
    ./dehydrated --cron --domain *.$domain_name --preferred-chain "ISRG Root X1" --algo rsa --alias $domain_alias --config /etc/dehydrated/config --out /etc/dehydrated/certs --challenge dns-01 --hook /etc/dehydrated/hook.sh
fi

Maybe Let's Encrypt changed something? Maybe something that Dehydrated changed?
Anyone able to help on how to get the Alternative Name back into the wildcard cert using the ./letsencrypt.sh script?
 

hfoster

Forgive me, as I've never used that bundled script, but are the domain names in the certificate or not?

openssl x509 -noout -text -in fullchain.pem | grep voip-fusion
 

FunkStar

Forgive me, as I've never used that bundled script, but are the domain names in the certificate or not?

openssl x509 -noout -text -in fullchain.pem | grep voip-fusion

The cert only contains *.voip-fusion.com, where in the past it also contained voip-fusion.com.
Subdomains are secure but the main domain isn't.

Code:
./dehydrated --cron --domain *.$domain_name --preferred-chain "ISRG Root X1" --algo rsa --alias $domain_alias

The dehydrated call does give a $domain_alias, so no idea why it isn't setting it.

You can check the script here: https://github.com/fusionpbx/fusionpbx-install.sh/blob/master/debian/resources/letsencrypt.sh
 

hfoster

Is it because you have to use alternative names instead of an alias for it to work as per:


This line looks like it's incorrect:

Bash:
#create an alias when using wildcard dns
if [ .$wildcard_domain = ."true" ]; then
    echo "*.$domain_name > $domain_name" > /etc/dehydrated/domains.txt
fi

Which should be without the right chevron:

Bash:
#create an alias when using wildcard dns
if [ .$wildcard_domain = ."true" ]; then
    echo "*.$domain_name $domain_name" > /etc/dehydrated/domains.txt
fi

And the following:

Bash:
if [ .$wildcard_domain = ."true" ]; then
    ./dehydrated --cron --domain *.$domain_name --preferred-chain "ISRG Root X1" --algo rsa --alias $domain_alias --config /etc/dehydrated/config --out /etc/dehydrated/certs --challenge dns-01 --hook /etc/dehydrated/hook.sh
fi

Should be:

Bash:
if [ .$wildcard_domain = ."true" ]; then
    ./dehydrated --cron --domain *.$domain_name $domain_alias --preferred-chain "ISRG Root X1" --algo rsa --config /etc/dehydrated/config --out /etc/dehydrated/certs --challenge dns-01 --hook /etc/dehydrated/hook.sh
fi

Sorry I can't test it; I haven't really got the domains to mess around with at the current moment in time.
 

FunkStar

Thanks @hfoster, you pointed me in the right direction.

First, we still had some trouble with the hook script too. I noticed they changed the GitHub repo, because "https://github.com/owhen/dns-01-manual.git" didn't exist anymore. It now links to https://github.com/sebastiansterk/dns-01-manual, while the git update links to https://github.com/gheja/dns-01-manual.git.

Changing gheja to sebastiansterk fixed the hook part.

Link to the change: https://github.com/fusionpbx/fusionpbx-install.sh/pull/239 -> https://github.com/fusionpbx/fusionpbx-install.sh/commit/6f40d5f57a285f4e819878a9a2329527a9906c55


Then the script had some errors:

This should be without the chevron (like you said), but also with the non-wildcard domain first.

Bash:
#create an alias when using wildcard dns
if [ .$wildcard_domain = ."true" ]; then
    echo "$domain_name *.$domain_name" > /etc/dehydrated/domains.txt
fi

And this was completely wrong; it wasn't even using the domains.txt...

It should be --domains-txt instead of --domain, and --alias can only be used with --domain and not --domains-txt, so it should also be removed.

Bash:
if [ .$wildcard_domain = ."true" ]; then
    ./dehydrated --cron --domains-txt /etc/dehydrated/domains.txt --preferred-chain "ISRG Root X1" --algo rsa --config /etc/dehydrated/config --out /etc/dehydrated/certs --challenge dns-01 --hook /etc/dehydrated/hook.sh
fi
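As an added example (not from the thread or the fusionpbx install script), a POSIX shell check that a renewed certificate really carries both the bare domain and the wildcard, the gap that caused the expired-cert error above. It builds a throwaway self-signed certificate for the offline demo and assumes an OpenSSL with `-addext` (1.1.1 or newer); voip-fusion.com is the domain from the thread.

```shell
#!/bin/sh
# Added example, not part of the fusionpbx install script: verify that a renewed
# certificate carries every name the domains.txt line asked for.

# Print the DNS names from the certificate's subjectAltName, one per line.
cert_dns_names() {
    openssl x509 -noout -text -in "$1" \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# check_cert_names CERT NAME... : return 0 when every NAME is in the SAN list,
# otherwise print the missing names on stderr and return 1.
check_cert_names() {
    cert=$1; shift
    names=$(cert_dns_names "$cert")
    missing=0
    for expected in "$@"; do
        if ! printf '%s\n' "$names" | grep -qxF -- "$expected"; then
            echo "MISSING in $cert: $expected" >&2
            missing=1
        fi
    done
    return $missing
}

# The domains.txt line from the fix in the thread: bare domain first, then the
# wildcard, with no '>' alias redirection.
domains_txt_line() {
    printf '%s *.%s\n' "$1" "$1"
}

# make_test_cert OUT SAN CN : constructed self-signed certificate (offline demo only;
# assumes openssl 1.1.1+ for -addext).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -addext "subjectAltName=$2" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo: a correct renewal (both names) passes; a wildcard-only cert, as in the
# question above, is flagged.
demo() {
    d=$(mktemp -d)
    make_test_cert "$d/good.pem" "DNS:voip-fusion.com,DNS:*.voip-fusion.com" voip-fusion.com
    make_test_cert "$d/bad.pem" "DNS:*.voip-fusion.com" '*.voip-fusion.com'
    check_cert_names "$d/good.pem" voip-fusion.com '*.voip-fusion.com' && echo "good.pem: ok"
    check_cert_names "$d/bad.pem" voip-fusion.com '*.voip-fusion.com' || echo "bad.pem: incomplete SAN"
    rm -rf "$d"
}
```

Run `check_cert_names /path/to/fullchain.pem voip-fusion.com '*.voip-fusion.com'` against the file dehydrated wrote to confirm the renewal before restarting anything.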
 