Lego: Cloudflare domain/subdomain Lego question?

Created on 3 Sep 2020 · 5 comments · Source: go-acme/lego

So, in the lego docs, when setting up an SSL certificate you would normally use either of the following commands to do so...

[email protected] \
CLOUDFLARE_API_KEY=b9841238feb177a84330febba8a83208921177bffe733 \
lego --dns cloudflare --domains my.domain.com --email [email protected] run

or

CLOUDFLARE_DNS_API_TOKEN=1234567890abcdefghijklmnopqrstuvwxyz \
lego --dns cloudflare --domains my.domain.com --email [email protected] run

I was wondering how I would go about doing this for multiple domains, be it wildcard or subdomains etc.?
www.domain.com domain.com *.domain.com

In the past I've just added multiple domains for a single domain like so:
--domains domain.com --domains www.domain.com

Which seems to work at first, but I then only receive a certificate on my webserver for “domain.com” and not “www.domain.com” as well.

I think this may be due to the format of Cloudflare, as they only host domain names like so: "domain.com". Then you have to add DNS records for the www. or subdomains.

When I have used lego in the past without Cloudflare set up, I had to get both the "www.domain.com" and "domain.com" etc. certificates on the webserver and use the TLS challenge rather than the DNS challenge. I can't use the TLS challenge when using a CDN. Now when I use lego it only provides the "domain.com" certificate even though I ask for both "www.domain.com" and "domain.com" certificates.

Then when I go to check the certificate's .json file it says the certificate is only valid for "domain.com" and nothing else. In the past, when I've modified this file without having a certificate and key for "www.domain.com" and then tried to visit the website, I'd get a red flag saying "wait, the SSL certificate for the domain doesn't match the key" or something along those lines. Now when I modify this and then check out the website in the same manner, nothing happens. This leads me to believe that only "domain.com" is truly secure from Cloudflare to the origin server, vs. "www.domain.com" which only has a secure connection via Cloudflare, but not on the origin server.

How do I fix this issue? It seems like the certificates are being requested for both, but I am only receiving one vs. the two that I had requested.

I will try to include a screenshot of the cli.

All 5 comments

Hello,

Could you provide the lego versions?

When you launch lego with several domains, you get only one certificate file (which does not depend on the challenge type) for all domains (SANs).

ldez,

Sorry for the late reply, my hosting provider was having downtime issues last night. My version number of lego is 3.8.0.

You are right about only receiving one certificate file. The one certificate usually works for the domains that you have provided, i.e. "domain.com", "my.domain.com", "your.domain.com" etc. It also lists these domains in the .json file. Sorry for the confusing wording in my original post.

My question was mainly about whether or not both "www.domain.com" and "domain.com" SSL connections were secured by the server-side certificate I received after the attempt in the screenshot. The reason I am asking is because I'm using a Bitnami Stack, and in their docs and forum they usually state that we have to list each version of our domain we would like to use with their "bncert tool", which is like an off-brand version of certbot. Or alternatively with lego:

sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="www.DOMAIN" --path="/opt/bitnami/letsencrypt" run

After doing so I usually check the .json file that I receive and can view the domain entries that I entered to receive a certificate for. In the past I would see the following:

{
    "domain": "domain.com", "my.domain.com"
    "certUrl": "https://acme-

I guess my main question again really is whether I'm okay for all SSL connections for both "domain.com" and "www.domain.com" if I only see this in the .json file:

{
    "domain": "domain.com", 
    "certUrl": "https://acme-

In the past I've used subdomains and both "domain.com" and the subdomain "my.domain.com" would appear, as written in the first quote. Right now, I can't remember whether or not both "domain.com" and "www.domain.com" as well as the subdomain were written in the .json file, now that I think of it, but I do remember seeing something that mimicked the first quote, but not the second.

Again, my main concern is: am I good on all SSL connections coming to the site for both www. and non-www. entries, given the steps that I have taken in the screenshot above?

I just used the cat command on the certificate I received and I'm seeing two keys. Does this mean I should be good for both "domain.com" and "www.domain.com"?

What's the lego version related to "In the past"?

domain has been a string for a very, very long time, so it's not an array and it contains only one domain (the commonName of the certificate).

A screenshot is not the easiest way to check if a command is valid or not; it's better to provide the information as text instead of an image.

So what I can do to help you is to show you an example to create a certificate for example.com and www.example.com with Cloudflare.
If the command exits without any errors, the certificate will be valid and you will be able to use it for example.com and www.example.com.

[email protected] \
CLOUDFLARE_API_KEY=xxx \
lego --dns cloudflare --domains example.com --domains www.example.com --email [email protected] run

or

CLOUDFLARE_DNS_API_TOKEN=xxx \
lego --dns cloudflare --domains example.com --domains www.example.com --email [email protected] run

To check the content of the generated elements, you can use the list command: lego list.

https://go-acme.github.io/lego/usage/cli/#usage

Thanks for the help ldez!

After looking back at other servers I've used with lego/letsencrypt in the past, I've found that there is usually one certificate output that covers the list of domains provided. There was no error with the command that I provided in the screenshot. There was however some confusion on my end which led me to ask a question in the first place, as I hadn't performed an SSL renewal for a while and in the past had used TLS with a different method rather than the DNS challenge.

As far as I know, I think everything should be fine. I received no errors, as I followed the instructions in the docs for creating an API token and writing the command in the quoted way you provided, as well as stated in the docs. I also checked for content such as accounts and certificates via FTP as well as the CLI and it all looks good.

I will try to use the lego cli commands in the future with the link you provided.
