0
votes

I am attempting to generate a wildcard Let's Encrypt SSL certificate using Certbot on my Nginx Ubuntu AWS EC2 instance.

Ubuntu: 16.04.5 LTS

Nginx: v1.10.3

I am unable to generate a wildcard SSL at the moment as I receive the error:

An unexpected error occured:

Error creating new order : : DNS name does not have enough labels

I have looked through common reasons for this error and nothing in my request seems malformed:

cerbot -dry-run --nginx -d *.my-domain.org.uk

(I get the same error when just running the command for my-domain.org.uk and not just *.)

I believe that the error may stem from my Nginx configuration.

In '/etc/nginx/' I have 'sites-available' and 'sites-enabled', each of which have a 'default' file and a 'my-domain.org.uk' file.

In nginx.conf I am including:

access_log /var/log/nginx/access.log;

error_log /var/log/nginx/error.log;

Therefore, inside 'sites-enabled/default' I have a normal config with a 443 server:

server {
     listen 443 ssl; # managed by Certbot
     server_name *.my-domain.org.uk;
     root /www/html/public;
     ... etc.

This file also includes references to my now expired SSL:

ssl_certificate /etc/nginx/ssl/sitename/sitename.cer;

ssl_certificate_key /etc/nginx/ssl/sitename/sitename.key;

As well as some Certbot config bits:

include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

If I comment out the reference to the expired SSL certs and restart Nginx, the site breaks. I could post more of the config file, but this has always worked as it is in the past (and does work now, just with a broken HTTPS). I'm not sure if

Not sure what I have to do to get past these Certbot errors and generate my wildcard SSL.

1
"I believe that the error may stem from my Nginx configuration." Unlikely. The error happened when submitting the order to Let's Encrypt, which happens before the validation procedure, the step at which Nginx would come into account. Also this is not very programming related, so off-topic here. Patrick Mevzek
Which version of certbot is it? Make sure you use the ACMEv2 API, see the LetsEncrypt configuration directory (or use the --server option) and also look at its logfile for maybe more information on the error. Also you need DNS validation for wildcard certificates, so Nginx or any other webserver will not be taken into account. See community.letsencrypt.org/t/… Patrick Mevzek
I'm not actually sure how to check the certbot version, but I ran the installer again to double check. I understand that it is unlikely to be an Nginx configuration issue as the problem is before that; makes sense. But I can't tell at all what the 'DNS name does not have enough labels' error is or what is causing it. Twentyonehundred
certbot --version to know its version. Patrick Mevzek
So I didn't spot it but the answer was quite simple. -dry-run needed to be --dry-run. Without the double dashes it was picking it up as -d and attempting to interpret a URL after that, resulting in the labels error. Twentyonehundred

1 Answer

0
votes

Answer was a simple syntax error in the end.

-dry-run needed to be --dry-run. Without the double dashes it was picking the start of -dry... up as -d and attempting to interpret a URL after that, resulting in the labels error.
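To make the mis-parse visible, here is an added example (not certbot's own code, and not part of this answer) using a simplified argparse model of certbot's `-d`/`--dry-run`/`--nginx` options: the single-dash `-dry-run` is read as `-d ry-run`, and a label-count check in the style of the Let's Encrypt server rejects the one-label name `ry-run`. The two-label minimum and the comma-splitting of `-d` values are assumptions of this model.

```python
import argparse


def build_parser() -> argparse.ArgumentParser:
    # Simplified stand-in for certbot's CLI (assumption: not certbot's real
    # parser). -d/--domains takes a value; --dry-run and --nginx are flags.
    parser = argparse.ArgumentParser(prog="certbot", add_help=False)
    parser.add_argument("-d", "--domains", action="append", default=None)
    parser.add_argument("--dry-run", action="store_true")
    parser.add_argument("--nginx", action="store_true")
    return parser


def parse_domains(argv):
    """Return (dry_run, domains) as the CLI would hand them to the ACME client."""
    ns = build_parser().parse_args(argv)
    # certbot accepts comma-separated -d values; split them the same way.
    domains = [d.strip() for v in (ns.domains or []) for d in v.split(",") if d.strip()]
    return ns.dry_run, domains


def too_few_labels(name: str) -> bool:
    # Models the server-side policy check (assumption: at least two labels
    # are required, and a leading "*." wildcard does not count as a label).
    bare = name[2:] if name.startswith("*.") else name
    labels = bare.split(".")
    return len(labels) < 2 or any(label == "" for label in labels)


def explain(argv):
    """Show what the parser saw and which names the label check would reject."""
    dry_run, domains = parse_domains(argv)
    rejected = [d for d in domains if too_few_labels(d)]
    return {"dry_run": dry_run, "domains": domains, "rejected": rejected}


if __name__ == "__main__":
    # Constructed invocations: the typo from the question and the corrected one.
    for argv in (["-dry-run", "--nginx", "-d", "*.my-domain.org.uk"],
                 ["--dry-run", "--nginx", "-d", "*.my-domain.org.uk"]):
        print(" ".join(argv), "->", explain(argv))
```

With the single dash, `dry_run` stays False and `ry-run` lands in the domain list, which is exactly the input that produces a "not enough labels" rejection before any validation runs.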