Docker-letsencrypt-nginx-proxy-companion: I am not able to generate SAN certificates for multiple domains

Created on 16 Jun 2016  路  20Comments  路  Source: nginx-proxy/docker-letsencrypt-nginx-proxy-companion

I have three Docker containers - gitlab, nexus and sonarqube. I set env properties like this for them:

gitlab:

VIRTUAL_HOST=gitlab.domain.net
LETSENCRYPT_HOST=gitlab.domain.net

nexus:

VIRTUAL_HOST=nexus.domain.net
LETSENCRYPT_HOST=nexus.domain.net

sonar:

VIRTUAL_HOST=sonar.domain.net
LETSENCRYPT_HOST=sonar.domain.net

When it is set like this, all is good, I can access website of each respective service and it is protected.

The problem is that I wanted to upload some artifacts to nexus and I got this error while doing so:

Caused by: javax.net.ssl.SSLException: Certificate for <nexus.domain.net> 
doesn't match any of the subject alternative names: [gitlab.domain.net]

Well ... it looks like I do not have that "SAN" thing enabled so I read in the README that I have to add "base" domain name to LETSENCRYPT_HOST for respective container in order to have it covered.

So I do it like this:

gitlab:

VIRTUAL_HOST=domain.net,gitlab.domain.net
LETSENCRYPT_HOST=domain.net,gitlab.domain.net

nexus:

VIRTUAL_HOST=domain.net,nexus.domain.net
LETSENCRYPT_HOST=domain.net,nexus.domain.net

sonar:

VIRTUAL_HOST=domain.net,sonar.domain.net
LETSENCRYPT_HOST=domain.net,sonar.domain.net

But the result of this is that I can not access first two services in browser (gitlab nor nexus) BUT I can access sonar. Looking into logs, all seems to be fine, both domain.net and _service_.domain.net are validated but it seems like sonar verification overwrote the first two.

How should I proceed?

What does that exception message even mean? Why it says something about gitlab service when I am operating upon nexus?

I have these dns records set:

A domain.net 1.2.3.4
A gitlab.domain.net 1.2.3.4
A mail.domain.net 1.2.3.4
A nexus.domain.net 1.2.3.4
A sonar.domain.net 1.2.3.4
MX domain.net mail.domain.net

I had also CN for *.domain.net but I deleted it so I enumerated services explicitly.

More info needed

Most helpful comment

try to put domain.net first on the list and add it into VIRTUAL_HOST for one container only

All 20 comments

@JrCs dont you have any idea or hint what could be wrong, please?

@smiklosovic try to create all the san in ONE certificate with:

gitlab:

VIRTUAL_HOST=gitlab.domain.net
LETSENCRYPT_HOST=domain.net,gitlab.domain.net,nexus.domain.net,sonar.domain.net

nexus:

VIRTUAL_HOST=nexus.domain.net
LETSENCRYPT_HOST=domain.net,gitlab.domain.net,nexus.domain.net,sonar.domain.net

sonar:

VIRTUAL_HOST=sonar.domain.net
LETSENCRYPT_HOST=domain.net,gitlab.domain.net,nexus.domain.net,sonar.domain.net

Doing as you suggested results into the disability to verify domain.net upon certificate generation.

Once I omit domain.net among hosts, all services are handled by certificate issued for github and all are handled by the same certificate even I put the respective domain to verify as the first one in LE HOST env variable - (maybe because the certificate for github is issued as the first one because it was the first container started?)

I think the win would be if that domain.net verification was ok but I do not see the way how to get it verified because there is that nginx container itself on port 80 which sits under le companion container.

try to put domain.net first on the list and add it into VIRTUAL_HOST for one container only

it failed to verify gitlab .... am I doing something wrong? are these steps idempotent? do I have to revoke something?

my workflow is that I just delete dir with generated certs and start all over again.

It 's ok to remove the dir with generated certs.
Perhaps the problem is the client that verify the certs. If it works with all domains from a browser, it must work also from client.

If you set VIRTUAL_HOST correctly (1 domain, 1 container) it must work.
And create a SAN certificat with LETSENCRYPT_HOST with all domain you need.

Any news ?

i have not tried it yet, i can give it a try tomorrow and let you know

try to put domain.net first on the list

LETSENCRYPT_HOST=domain.net,gitlab.domain.net

I had the same issue. This worked for me.

My issue is kind of related. I have managed to have certificate for. one of my subdomains, then it started to redirect all other subdomains and the main domain to an other container... so deleted all cert. re run everything.. problem again. deleted. cert again, and now I think I ran out.

how can I check if I have ran out of certificates?

Can I retrieve the already granted ones? as I have deleted them..

@b3nk3 the best is to look at the logs of the letsencrypt container.
I don't think you can retrieve old certs.

@JrCs will do thanks. Where is it located inside the container?

Other question... what is the best practise to get a domain fully covered with subdomains?

I was thinking to run a container just for the purpose of getting the certificates as follows:

VIRTUAL_HOST=mydomain.co.uk
LETSENCRYPT_HOST=mydomain.co.uk, *.mydomain.co.uk

With this setup, I should get the domain and all subdomains covered, including www., right?

So how would I provide access to www.subdomain.mydomain.co.uk ?

Sorry for the dumb questions, but I have never worked with certificates before.

@b3nk3 logs are not store in container. Use the docker logs command.
You can't request wildcard domain to letsencrypt. You need to specify each of them in LETSENCRYPT_HOST AND VIRTUAL_HOST (look at the readme)

@JrCs apologies, I understand now.

So what do you think is the best practice in covering my existing subdomains?

let's say, I want to cover the main domain + www obviously, then blog. and www.blog. domain.

Do I run a compose file with setting up my main site with all the required domains/subdomains?

VIRTUAL_HOST=domain.net
LETSENCRYPT_HOST=domain.net,www.domain.net,blog.domain.net,www.blog.domain.net 

And should I ever create a new subdomain with a new separate compose file, just add it in as

VIRTUAL_HOST=another.domain.net
LETSENCRYPT_HOST=another.domain.net

I want to have an understanding of this, so when my rates reset I won't blow them because of inaccuracies

If you have multiple backend webserver launch each one with docker and with the specific VIRTUAL_HOST/LETSENCRYPT_HOST variables.

FYI my issue seems to be fixed

@smiklosovic could you post the solution please?

i tried the hint of guy called m165437 above

i also try this like one month after i had problems, every subdomain seems to be signed properly

Was this page helpful?
0 / 5 - 0 ratings

Related issues

Berndinox picture Berndinox  路  3Comments

mossholderm picture mossholderm  路  6Comments

nosovk picture nosovk  路  5Comments

rene-gomez picture rene-gomez  路  5Comments

DatAres37 picture DatAres37  路  5Comments