Wordpress installation on Nethserver (multiple vhosts)

Hi Marko,

The certificate will be issued to the first domain name; all the other domains are considered Alternate Names of the main one.

Michel-André

Unfortunately the certificates cannot be changed or deleted.


Can this really be true? How do I solve this problem?

best regards, MArko

Just request a new one.
You can delete it via CLI.

1 Like

I’m sorry. I cannot interpret your hint. What should I do now to get the right certificates for each domain and subdomain?
Could you please explain again?

without revocation?

Hi Marko,

SAN and Wildcard
Reference: https://www.thawte.fr/ssl/san-uc-ssl-certificates/#.
Reference: https://www.thawte.fr/ssl/wildcard-ssl-certificates/.
What do the terms SAN (Subject Alternative Names) and UC (Unified Communications) mean?
Certificates that use SAN (Subject Alternative Names) are powerful tools that allow you to secure multiple domain names efficiently and economically. Thawte SSL certificates can secure up to 25 fully qualified domain names with a single certificate using SANs. The names of certificates that use SANs are also known as Unified Communications (UC) certificates and are used with Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and Microsoft Communications Server. The purpose of a certificate with SAN is the same as any other certificate; it allows a server to define its identity and establish secure communication. Certificates with SAN also provide a SAN (Subject Alternative Name) field that allows additional domain names to be protected with a single certificate.

Why do I need a SAN?
Instead of purchasing individual certificates for each domain name, you can add domain names in SAN fields to share the same certificate. Not only does the company save the cost of purchasing individual certificates, it also saves time by eliminating the need to manage multiple certificates.
For example, a single certificate with SAN support would be able to secure the following domain names:
www.macompagnie.com
mail.macompagnie.com
macompagnie.com

SAN certificate vs Wildcard certificate
Wildcard certificates are similar to SAN certificates with a few restrictions. With a Wildcard certificate, you can secure multiple subdomains with a single root domain. For example, if you have a Wildcard certificate for www.macompagnie.com, it also secures intranet.macompagnie.com and email.macompagnie.com with the same certificate.
However, you will not be able to secure multiple unique domains like www.macompagnie.net and www.toto.org.

Wildcard SSL Certificates
Securing multiple subdomains on a single server.
Thawte Wildcard SSL Certificates secure multiple subdomains with a single SSL certificate, reducing management time and cost. Using wildcard notation (an asterisk and a period before your domain name) allows you to extend security to different subdomains, based on your top-level domain name.
For example, a single certificate with SAN support would be able to secure the following domain names:
www.macompagnie.com ### this is the first domain in the list and the certificate will be issued to this one. The other domains in the list are considered Alternate Names of this domain.
mail.macompagnie.com
macompagnie.com
www.toto.net
mail.toto.net
toto.net

Michel-André

1 Like

Never revoke a cert.

OK, there’s one (and only one) case where revoking is appropriate–if the private key has been compromised. If you don’t have reason to believe the private key has been compromised, see the rule above.

2 Likes

I did …


…and it doesn’t work

```shell
echo '{"props":{"KeyFile":"/etc/letsencrypt/live/dargels.de-0001/privkey.pem","CrtFile":"/etc/letsencrypt/live/dargels.de-0001/cert.pem","ChainFile":"/etc/letsencrypt/live/dargels.de-0001/chain.pem"},"action":"set-default"}' | /usr/bin/setsid /usr/bin/sudo /usr/libexec/nethserver/api/system-certificate/update | jq
```

Error

The virtual host has not been updated

The following command failed:
nethserver-httpd/virtualhost/update

Unfortunately we could not find the exact error. If you want to help, please click the button below to copy the failed command and paste it into the terminal, so that you can forward the command to the developers.

Before that I deleted the directory /etc/letsencrypt/live/
:scream:

The whole dir?
Please recreate it.

Please just do that to get more error details and check /var/log/messages for errors.

no, only the sub dirs. I repeated it:

new error:

```shell
echo '{"props":{"LetsEncryptMail":"marko.dargel@gmail.com","LetsEncryptDomains":"dargels.de,mail.dargels.de,imap.dargels.de,smtp.dargels.de,www.dargels.de,wp.dargels.de,myancestry.de,mail.dargels.de,imap.myancestry.de,smtp.myancestry.de,www.myancestry.de","LetsEncryptRenewDays":"30"},"action":"lets-encrypt"}' | /usr/bin/setsid /usr/bin/sudo /usr/libexec/nethserver/api/system-certificate/update | jq
```

but new sub dir is created:


If I try to set as standard cert…

…new error

```shell
echo '{"props":{"KeyFile":"/etc/letsencrypt/live/dargels.de-0002/privkey.pem","CrtFile":"/etc/letsencrypt/live/dargels.de-0002/cert.pem","ChainFile":"/etc/letsencrypt/live/dargels.de-0002/chain.pem"},"action":"set-default"}' | /usr/bin/setsid /usr/bin/sudo /usr/libexec/nethserver/api/system-certificate/update | jq
```

If I check it in the browser (https://myancestry.de)

If I want to check https://www.myancestry.de

So it seems to work now?

www.myancestry.de did not work

I have no knowledge about the mail functionality yet.

It seems a browser cache problem, please refresh site.
When I browse to www.myancestry.de it has correct cert.

And the right site is loading? Not the Nethserver server manager?
I cleared the cache of all browsers (Firefox, Safari, Chrome) and I always get the Nethserver server manager.

Me too :smiley:

@capote you received a lot of advice here thanks to our dream team @michelandre @stephdl @mrmarkuz, how do you plan to give back to these gentlemen?

2 Likes

You need to enter all names to the correct virtualhost:

1 Like
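The two failure modes in this thread (a name missing from the certificate's Subject Alternative Names, and a name not claimed by any virtual host, so the default vhost answers instead of the WordPress site) can be checked before requesting a certificate. The following is an added example, not NethServer code: the SAN list, the vhost list and the "default" vhost name are constructed, and the wildcard rule it applies (one leftmost label only, per RFC 6125) goes beyond the quoted Thawte text by also showing what a wildcard does not cover.

```python
# Added example, not NethServer code: a pre-flight check that every hostname the
# server must answer for is (a) covered by the certificate's Subject Alternative
# Names and (b) claimed by a virtual host. Otherwise the first (default) vhost
# answers, which on the server in this thread was the server manager page.

def name_matches(pattern: str, host: str) -> bool:
    """Match one SAN entry or ServerAlias against a hostname.
    A wildcard must be the whole leftmost label and stands for exactly one label:
    '*.macompagnie.com' covers 'intranet.macompagnie.com' but not the bare
    'macompagnie.com', 'a.b.macompagnie.com' or 'www.macompagnie.net'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False  # partial-label or multiple wildcards, or '*.tld'
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def covered_by(names, host) -> bool:
    return any(name_matches(n, host) for n in names)

def serving_vhost(vhosts, host) -> str:
    """First vhost whose ServerName or ServerAlias matches; else the default
    (first defined) vhost, as Apache does for name-based virtual hosts."""
    for vh in vhosts:
        if covered_by([vh["ServerName"], *vh.get("ServerAlias", [])], host):
            return vh["ServerName"]
    return vhosts[0]["ServerName"]

def preflight(requested, san, vhosts) -> dict:
    """Per requested name: is it in the certificate, and which vhost answers."""
    return {
        host: {"cert_covers": covered_by(san, host),
               "served_by": serving_vhost(vhosts, host)}
        for host in requested
    }

def demo() -> dict:
    """Constructed data mirroring the thread: the certificate lists every name,
    but the WordPress vhost only claims the bare myancestry.de."""
    san = ["dargels.de", "www.dargels.de", "myancestry.de", "www.myancestry.de"]
    vhosts = [
        {"ServerName": "default"},  # constructed name for the default vhost
        {"ServerName": "dargels.de", "ServerAlias": ["www.dargels.de"]},
        {"ServerName": "myancestry.de"},  # no ServerAlias www.myancestry.de
    ]
    return preflight(san, san, vhosts)
```

`demo()` reports www.myancestry.de as covered by the certificate but served by the default vhost, which is exactly the symptom of a correct certificate and the server manager page appearing.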

for @stephdl I found a possibility to donate some days ago.
For the other gents not. What do you recommend?

2 Likes

that’s the solution. Sometimes I want to hit my head against the wall.

1 Like

Checking our community and helping people with topics that you know

or

:beers:

2 Likes

Hi Marko,

For the last two weeks I had a problem with Let’s Encrypt.
The root user was receiving a mail saying that the certificate had expired, but if I checked the certificate by accessing my site, the certificate was a valid one.

I had the same kind of directory as you have: FQDN, FQDN-0001, and FQDN-0002.


After trying a few things, I resolved the problem by deleting the content of directory:
/etc/letsencrypt/archive/

and deleting the directories:
/etc/letsencrypt/live/FQDN-0001
/etc/letsencrypt/live/FQDN-0002

but keeping the original directory:
/etc/letsencrypt/live/FQDN

Then, before asking for a new certificate, I deleted one domain in the list to force a new certificate.
I asked a new certificate in Cockpit.
All went OK.

I put back the previously deleted domain in the list to force a new certificate and asked for a new certificate in Cockpit.
All went OK.

I logout of Cockpit.
I cleaned the cache of the navigator.
On the station, opened a command window,
ipconfig /flushdns
I refreshed the Cockpit URL page, checked the certificate and all was OK.
No new directory in Let’s Encrypt, only the original one i.e. FQDN.

Michel-André

2 Likes