LetsEncrypt Problem / Advice

cpcnw
Posts: 17
Joined: Wed Jun 29, 2016 8:31 am

LetsEncrypt Problem / Advice

Post by cpcnw »

Hi All,

I have installed lighty / certbot and ran it on mydomain.com but afterwards realised I would like to have www.mydomain.com also.

[https://www.mydomain.com auto redirects to https://mydomain.com]

I have read that the --expand option lets you add domains to an existing cert but I can't seem to locate 'certbot-auto' or 'letsencrypt-auto'.

If I re-run dietpi-letsencrypt will it just create a new cert in addition to the existing one?

Also, would two certs be updated by the cron job?

Thanks!
MichaIng
Site Admin
Posts: 2294
Joined: Sat Nov 18, 2017 6:21 pm

Re: LetsEncrypt Problem / Advice

Post by MichaIng »

Use certbot --expand instead.

certbot-auto is only valid if you installed the certbot binaries from source, while DietPi-Software installs it from the APT repo.

dietpi-letsencrypt will only renew existing certs if you rerun it.
cpcnw
Posts: 17
Joined: Wed Jun 29, 2016 8:31 am

Re: LetsEncrypt Problem / Advice

Post by cpcnw »

Thanks for the quick response - will give that a shot now!

Lastly, will auto updates still work out OK?
MichaIng
Site Admin
Posts: 2294
Joined: Sat Nov 18, 2017 6:21 pm

Re: LetsEncrypt Problem / Advice

Post by MichaIng »

Yep, certbot will save the settings and auto certificate renewal will then apply to the new domain list.
cpcnw
Posts: 17
Joined: Wed Jun 29, 2016 8:31 am

Re: LetsEncrypt Problem / Advice

Post by cpcnw »

OK Thanks!

I ran

certbot --expand certonly --standalone -d mydomain.com -d www.mydomain.com --dry-run

Everything seemed OK [had to halt lighty to do this]. I then removed dry run and it looked like the process completed with no errors. I can see an additional fingerprint in the keystores below the original, and then I rebooted the Pi.

However... https://www.mydomain.com gets auto directed to https://mydomain.com in Chrome and in IE I get a cert error. When reading the cert in IE it shows only mydomain.com referenced in the cert? When I try https://mydomain.com in IE it works fine.

Edit: Just noticed combined.pem doesn't look right - timestamp is from earlier on.... then read the README - fullchain.pem does contain two cert fingerprints

Edit2: think I am barking up the wrong tree here;

# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Found the following certs:
Certificate Name: mydomain.com
Domains: mydomain.com www.mydomain.com
Expiry Date: 2019-03-11 21:19:30+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/mydomain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mydomain.com/privkey.pem
-------------------------------------------------------------------------------

So the new cert does include the www version - is there some 'caching' at Let's Encrypt?

Edit3: now think this is more to do with lighty - with http://www.mydomain.com or http://mydomain.com either will work.

$HTTP["host"] =~ "(^|\.)mydomain\.com$" {
    server.document-root = "/var/www"
}

Feeling the above is interpreted differently when using https?
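
An added example, not part of the thread: a shell check for the two things the post above inspected by hand, whether the `certbot certificates` output lists every hostname, and whether the PEM file the web server loads is older than the certificate certbot just issued. The sample output is constructed from the format shown above; the function names, and the premise that the server loads a separately built file such as combined.pem, are assumptions.

```shell
# Constructed sample of `certbot certificates` output (format as in the post).
SAMPLE_OUTPUT='Found the following certs:
  Certificate Name: mydomain.com
    Domains: mydomain.com www.mydomain.com
    Expiry Date: 2019-03-11 21:19:30+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/mydomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mydomain.com/privkey.pem'

# cert_field NAME FIELD: read `certbot certificates` output on stdin and
# print the value of FIELD for the certificate called NAME.
cert_field() {
    awk -v name="$1" -v field="$2" '
        { sub(/^[ \t]+/, "") }                      # drop indentation
        /^Certificate Name: / { cur = substr($0, 19) }
        cur == name && index($0, field ": ") == 1 {
            print substr($0, length(field) + 3); exit
        }'
}

# missing_names NAME HOST...: print each HOST absent from the Domains line
# (exact match only; wildcard entries are not expanded).
missing_names() {
    lineage=$1; shift
    domains=$(cert_field "$lineage" Domains)
    for host in "$@"; do
        case " $domains " in
            *" $host "*) ;;
            *) echo "$host" ;;
        esac
    done
}

# served_file_is_stale NAME FILE: succeed if FILE (the PEM the web server
# actually loads) is missing or older than the Certificate Path, meaning it
# was not rebuilt after the last issuance. Returns 2 if NAME is unknown.
served_file_is_stale() {
    cert_path=$(cert_field "$1" "Certificate Path")
    [ -n "$cert_path" ] || return 2
    [ ! -e "$2" ] || [ "$2" -ot "$cert_path" ]
}

# Demo on the constructed sample.
missing=$(printf '%s\n' "$SAMPLE_OUTPUT" |
    missing_names mydomain.com mydomain.com www.mydomain.com)
echo "names missing from the certificate: ${missing:-none}"
```

On a real host, pipe the output of `certbot certificates` into these functions instead of the sample, and pass the PEM path taken from the web server's own configuration.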
cpcnw
Posts: 17
Joined: Wed Jun 29, 2016 8:31 am

Re: LetsEncrypt Problem / Advice

Post by cpcnw »

I now suspect it's more down to my lack of understanding of how https / ssl / certs work together...

Also, reading through most of the posts on serverfault it seems way more people want to redirect the www version to the non-www version so I am assuming there is a desirable / technical reason for that I am failing to understand?

Maybe I should just be happy with the way things work now as it's not a big difference anyway - and I have seen both versions being used in many different places.

I am leaving some links here for further reading / reference;

https://redmine.lighttpd.net/projects/1 ... odredirect
https://stackoverflow.com/questions/339 ... -https-www
https://serverfault.com/questions/29361 ... serve-path
https://serverfault.com/questions/25837 ... with-nginx
https://serverfault.com/questions/35861 ... to-non-www