
scottsuhy

adding a second LetsEncrypt Cert on Forge and getting a 403 error

Is it possible to have multiple LetsEncrypt certs for different domains on the same site? When I try to set up the second one I get an error. The suggested solutions mention:

  1. The domains specified for the certificate may not have a correct DNS configuration. Please review your DNS configuration and ensure all domains specified for the certificate contain a DNS "A" record that points to your server's public IP address. Updated DNS records may take several hours to propagate across the Internet.

1 is not an issue.

  2. LetsEncrypt got an invalid response from "http:///.well-known/acme-challenge/". If your Nginx configuration has been customized, please ensure the LetsEncrypt challenge directory is still publicly accessible. The challenge "location" directory "/etc/nginx/forge-conf/<SITE_NAME>/server/letsencrypt-challenge.conf" must be included in your site's main ("/etc/nginx/sites-available/<SITE_NAME>") Nginx configuration file. Please click on the link below, and make sure that all of the "DO NOT REMOVE" sections are present in your site's configuration file: https://forge.laravel.com/docs/1.0/sites/the-basics.html#default-nginx-template

**2 makes me think I need to change the nginx file -- but what should I add?**

Note: I replaced the IP with XX below.

HEAD is now at 91cccc0 ensure newline before new section in openssl.cnf
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]	"http-01"
["status"]	"invalid"
["error","type"]	"urn:ietf:params:acme:error:unauthorized"
["error","detail"]	"Invalid response from http://icollect.group/.well-known/acme-challenge/fROs3oPKuBA42bLR__TMcedPxsUe-bTlirVkigahN34 [XX.XXX.XXX.XXX]: \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody\u003e\r\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003enginx/1.20.1\u003c/ce\""
["error","status"]	403
["error"]	{"type":"urn:ietf:params:acme:error:unauthorized","detail":"Invalid response from http://icollect.group/.well-known/acme-challenge/fROs3oPKuBA42bLR__TMcedPxsUe-bTlirVkigahN34 [XX.XXX.XXX.XXX]: \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody\u003e\r\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003enginx/1.20.1\u003c/ce\"","status":403}
["url"]	"https://acme-v02.api.letsencrypt.org/acme/chall-v3/41232132430/_dQr3A"
["token"]	"fROs3oPKuBA42bLR__TMcedPxsUe-bTlirVkigahN34"
["validationRecord",0,"url"]	"http://icollect.group/.well-known/acme-challenge/fROs3oPKuBA42bLR__TMcedPxsUe-bTlirVkigahN34"
["validationRecord",0,"hostname"]	"icollect.group"
["validationRecord",0,"port"]	"80"
["validationRecord",0,"addressesResolved",0]	"XX.XXX.XXX.XXX"
["validationRecord",0,"addressesResolved"]	["XX.XXX.XXX.XXX"]
["validationRecord",0,"addressUsed"]	"XX.XXX.XXX.XXX"
["validationRecord",0]	{"url":"http://icollect.group/.well-known/acme-challenge/fROs3oPKuBA42bLR__TMcedPxsUe-bTlirVkigahN34","hostname":"icollect.group","port":"80","addressesResolved":["XX.XXX.XXX.XXX"],"addressUsed":"XX.XXX.XXX.XXX"}
["validationRecord"]	[{"url":"http://icollect.group/.well-known/acme-challenge/fROs3oPKuBA42bLR__TMcedPxsUe-bTlirVkigahN34","hostname":"icollect.group","port":"80","addressesResolved":["XX.XXX.XXX.XXX"],"addressUsed":"XX.XXX.XXX.XXX"}]
["validated"]	"2021-10-19T01:57:14Z")
scottsuhy

@squibby It's 2 different domains. I have a site that works fine https://masterpiecedigital.io however we also want to overlay https://icollect.group on top of the same site / IP.

The A record on both domains points to the same IP (and there are no AAAA records).

For the original working domain I just used the Forge UI to create the LetsEncrypt cert and NGINX config. However, when I try to create the second domain's cert, I get the error.

As a test I've also tried: (1) adding the second domain to the server_name in the NGINX config ("server_name masterpiecedigital.io icollect.group;") and (2) adding an additional server {} section for the second domain, but no luck.

There isn't much written on the dynamic between NGINX and LetsEncrypt and multiple domains on Laravel Forge, so I'm trying to get as much as I can from articles such as this: https://www.nginx.com/blog/nginx-https-101-ssl-basics-getting-started/ and Stack Overflow, but I've been reluctant to make bigger changes to the NGINX file or recreate the original cert as I am new to NGINX.

scottsuhy

I'm thinking it has something to do with this in the current NGINX file but I really have not figured out NGINX well enough to know that for sure...

location ~ /\.(?!well-known).* {
    deny all;
}

squibby

Why not just set up a redirect / CNAME from one domain to the main site? That way you should only need to set up one cert and the other will get redirected... will that do it?

scottsuhy

@squibby If I create the redirect would I need to delete the current active cert and recreate a new one with the additional domains:

masterpiecedigital.io,www.masterpiecedigital.io,icollect.group,www.icollect.group

and would the Forge UI update the NGINX config?

squibby

@scottsuhy I was thinking more at the DNS level: create a redirect and just have one cert set up in Forge for the domain you are redirecting to.

scottsuhy

@squibby If you do just the redirect you get HTTPS errors: "This site does not have a certificate. Because this connection is not secure, information (such as passwords or credit cards) will not be securely sent to this site and may be intercepted or seen by others." If you go to https://icollect.group you will see the error, as I just put in the forward.

singh

I have done it on multiple domains on the same Apache2 / Ubuntu server. When you request the certificate, make sure to specify the domain with the -d option, like:

sudo certbot -d domain.com -d www.domain.com

Then repeat: sudo certbot -d domain1.com -d www.domain1.com

If you do sudo certbot --apache you will be given multiple options to select the domain you are looking to secure.

scottsuhy (OP), Best Answer

OK, it was the fact that I didn't have the new domain listed as an 'alias' on the Site's Meta tab (domain section).
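Why the alias fixed it: nginx picks the server block by the Host header, and a hostname that matches no server_name falls through to the default server, which has no acme-challenge location, so Let's Encrypt's HTTP-01 fetch for icollect.group got nginx's 404 even though the A record was correct. Adding the alias in Forge puts the domain into the site's server_name, so the include of forge-conf/<SITE_NAME>/server/* (where letsencrypt-challenge.conf lives) applies to it. The following pre-flight script is an added example, not Forge's or any poster's code: it checks a site config for hostname coverage and for the challenge include, and can probe the challenge path the way the CA does. It assumes (not stated in the thread) that challenge files are served from "$WEBROOT/.well-known/acme-challenge/" and that the Forge template includes the challenge snippet via "include forge-conf/<site>/server/*;"; pass the directory your letsencrypt-challenge.conf actually serves.

```shell
#!/bin/sh
# Added example: pre-flight checks for an HTTP-01 challenge on an extra
# hostname served by the same nginx site.
#   1. is the hostname a token of some uncommented server_name?
#   2. does the config still pull in Forge's challenge location?
#   3. does a probe token placed in the challenge dir come back when
#      requested by that hostname at the server's IP over plain HTTP?
# Assumptions (not from the thread): challenge files live under
# "$webroot/.well-known/acme-challenge/", and the Forge template uses
# "include forge-conf/<site>/server/*;" for the challenge snippet.

# covered_by_server_name CONFIG HOST -> 0 if HOST is listed in a server_name.
# Exact names only: wildcard and regex server_names are not expanded.
covered_by_server_name() {
    cfg=$1; host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    sed -n 's/^[[:space:]]*server_name[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$cfg" \
        | tr -s ' \t' '\n\n' | tr 'A-Z' 'a-z' | grep -qxF -- "$host"
}

# has_challenge_include CONFIG -> 0 if the Forge server/* include is present
# or the config defines an acme-challenge location itself.
has_challenge_include() {
    grep -Eq 'include[[:space:]]+forge-conf/[^;]*/server/\*|acme-challenge' "$1"
}

# probe_challenge HOST IP WEBROOT -> write a throw-away token and fetch it
# like the CA would (port 80, Host: HOST), pinned to IP with --resolve so
# DNS is taken out of the equation. Needs write access to WEBROOT.
probe_challenge() {
    host=$1; ip=$2; webroot=$3
    token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" && printf 'probe-%s' "$token" >"$dir/$token"
    got=$(curl -sS --max-time 10 --resolve "$host:80:$ip" \
          "http://$host/.well-known/acme-challenge/$token") || got="(curl failed)"
    rm -f "$dir/$token"
    if [ "$got" = "probe-$token" ]; then
        echo "OK: $host serves the challenge path from $ip"
    else
        echo "FAIL: $host at $ip returned: $got"
        return 1
    fi
}

# Constructed sample config resembling the OP's starting point: only the
# first domain is in server_name. Written to a temp file; prints its path.
make_sample_config() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name masterpiecedigital.io www.masterpiecedigital.io;
    root /home/forge/masterpiecedigital.io/public;

    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/masterpiecedigital.io/server/*;

    location ~ /\.(?!well-known).* {
        deny all;
    }
}
EOF
    echo "$f"
}

# CLI: ./preflight.sh check CONFIG HOST | ./preflight.sh probe HOST IP WEBROOT
case "${1:-}" in
    check) covered_by_server_name "$2" "$3" && has_challenge_include "$2" \
               && echo "$3 is covered by $2" ;;
    probe) probe_challenge "$2" "$3" "$4" ;;
esac
```

On the sample config, `check` passes for masterpiecedigital.io and fails for icollect.group, which is exactly the OP's symptom; after the alias is added (or the domain is appended to server_name) it passes. Two caveats for the probe: `--resolve` only exercises nginx, so a passing probe does not prove that port 80 is reachable from the CA's validation vantage points, and if the domain ever gets an AAAA record, Let's Encrypt will prefer IPv6, so the `listen [::]:80` side must work too (the OP had no AAAA records, and the validation record above confirms an IPv4 address was used). The `location ~ /\.(?!well-known).*` block the OP suspected is not the cause: its negative lookahead specifically exempts .well-known, so it never blocks the challenge path.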
