WordPress installation on NethServer (multiple vhosts)

Thank you.
One problem I still have, apparently.
I prefer using URLs without the leading “www”. Therefore my site works fine without.

But to be accessible for others with www as well, I created an A-Record with www.myancestry.de.

Unfortunately the wrong Let’s Encrypt certificate is provided by dargels.de.
What could be the cause?

Does the server actually create wildcard certificates or is only the root domain secured?

best regards, Marko

Hi Marko,

I do not remember when and why, but I always add 2 aliases under Configuration → DNS → Alias: mail.FQDN and www.FQDN.

Michel-André

Memory is a faculty that forgets…

No, it’s not a wildcard cert.

You may configure more domains for letsencrypt like

ahahhhh!
I see. I thought here are only root domains possible.
Thank you

Hi Marko,

The certificate will be issued to the first domain name; all the other domains are considered Alternate Names of the main one.

Michel-André

Unfortunately the certificates cannot be changed or deleted.


Can this really be true? How do I solve this problem?

best regards, Marko

Just request a new one.
You can delete it via CLI.

1 Like

I’m sorry. I cannot interpret your hint. What should I do now to get the right certificates for each domain and subdomain?
Could you please explain again?

without revocation ?

Hi Marko,

SAN and Wildcard
Reference: https://www.thawte.fr/ssl/san-uc-ssl-certificates/#.
Reference: https://www.thawte.fr/ssl/wildcard-ssl-certificates/.
What do the terms SAN (Subject Alternative Names) and UC (Unified Communications) mean?
Certificates that use SAN (Subject Alternative Names) are powerful tools that allow you to secure multiple domain names efficiently and economically. Thawte SSL certificates can secure up to 25 fully qualified domain names with a single certificate using SANs. The names of certificates that use SANs are also known as Unified Communications (UC) certificates and are used with Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and Microsoft Communications Server. The purpose of a certificate with SAN is the same as any other certificate; it allows a server to define its identity and establish secure communication. Certificates with SAN also provide a SAN (Subject Alternative Name) field that allows additional domain names to be protected with a single certificate.

Why do I need a SAN?
Instead of purchasing individual certificates for each domain name, you can add domain names in SAN fields to share the same certificate. Not only does the company save the cost of purchasing individual certificates, it also saves time by eliminating the need to manage multiple certificates.
For example, a single certificate with SAN support would be able to secure the following domain names:
www.macompagnie.com
mail.macompagnie.com
macompagnie.com

SAN certificate vs Wildcard certificate
Wildcard certificates are similar to SAN certificates with a few restrictions. With a Wildcard certificate, you can secure multiple subdomains with a single root domain. For example, if you have a Wildcard certificate for www.macompagnie.com, it also secures intranet.macompagnie.com and email.macompagnie.com with the same certificate.
However, you will not be able to secure multiple unique domains like www.macompagnie.net and www.toto.org.

Wildcard SSL Certificates
Securing multiple subdomains on a single server.
Thawte Wildcard SSL Certificates secure multiple subdomains with a single SSL certificate, reducing management time and cost. Using wildcard notation (an asterisk and a period before your domain name) allows you to extend security to different subdomains, based on your top-level domain name.
For example, a single certificate with SAN support would be able to secure the following domain names:
www.macompagnie.com ### this is the first domain in the list and the certificate will be issued to this one. The other domains in the list are considered Alternate Names of this domain.
mail.macompagnie.com
macompagnie.com
www.toto.net
mail.toto.net
toto.net

Michel-André

1 Like
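Added example, not part of the original thread and not NethServer code: a small Python check of which host names a certificate's SAN list actually covers, applying the exact-match and single-label wildcard rules described above. The certificate dictionaries are constructed sample data in the shape returned by `ssl.SSLSocket.getpeercert()`; the function names are hypothetical.

```python
# Constructed sample data and hypothetical helper names; added example only.

def san_dns_names(cert):
    """Return the lower-cased DNS entries of the subjectAltName extension."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def matches(hostname, pattern):
    """Match one host name against one SAN entry.

    A wildcard is honoured only as the complete leftmost label and stands
    for exactly one label, so *.example.org covers www.example.org but
    neither example.org nor a.b.example.org.
    """
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Refuse wildcards directly under a top-level label such as *.com.
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def uncovered(hostnames, cert):
    """List the host names that no SAN entry of the certificate covers."""
    sans = san_dns_names(cert)
    return [h for h in hostnames if not any(matches(h, p) for p in sans)]


def dedupe(csv):
    """Drop repeated names from a comma-separated domain list, keeping order."""
    names = (n.strip().lower() for n in csv.split(","))
    return ",".join(dict.fromkeys(n for n in names if n))


# Constructed: a SAN certificate that lacks the www alias of the second domain.
SAMPLE_CERT = {"subjectAltName": (("DNS", "dargels.de"),
                                  ("DNS", "www.dargels.de"),
                                  ("DNS", "myancestry.de"))}
# Constructed: a wildcard certificate for one root domain.
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.macompagnie.com"),)}

if __name__ == "__main__":
    vhosts = ["dargels.de", "www.dargels.de", "myancestry.de", "www.myancestry.de"]
    print("not covered:", uncovered(vhosts, SAMPLE_CERT))
    print("not covered by wildcard:",
          uncovered(["www.macompagnie.com", "macompagnie.com"], WILDCARD_CERT))
```

Every name a virtual host answers to has to appear in the output of `san_dns_names()` or match a wildcard entry; anything returned by `uncovered()` will produce a certificate name mismatch in the browser.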

Never revoke a cert.

OK, there’s one (and only one) case where revoking is appropriate–if the private key has been compromised. If you don’t have reason to believe the private key has been compromised, see the rule above.

2 Likes

I did …


…and it doesn’t work

```
echo '{"props":{"KeyFile":"/etc/letsencrypt/live/dargels.de-0001/privkey.pem","CrtFile":"/etc/letsencrypt/live/dargels.de-0001/cert.pem","ChainFile":"/etc/letsencrypt/live/dargels.de-0001/chain.pem"},"action":"set-default"}' | /usr/bin/setsid /usr/bin/sudo /usr/libexec/nethserver/api/system-certificate/update | jq
```

Error

The virtual host has not been updated

The following command failed:
nethserver-httpd/virtualhost/update

Unfortunately we could not find the exact error. If you want to help, please click the button below to copy the failing command and paste it into the terminal, so that you can forward the command to the developers.

Before that I deleted the directory /etc/letsencrypt/live/
:scream:

The whole dir?
Please recreate it.

Please just do that to get more error details and check /var/log/messages for errors.

no, only the sub dirs. I repeated it:

new error:

```
echo '{"props":{"LetsEncryptMail":"marko.dargel@gmail.com","LetsEncryptDomains":"dargels.de,mail.dargels.de,imap.dargels.de,smtp.dargels.de,www.dargels.de,wp.dargels.de,myancestry.de,mail.dargels.de,imap.myancestry.de,smtp.myancestry.de,www.myancestry.de","LetsEncryptRenewDays":"30"},"action":"lets-encrypt"}' | /usr/bin/setsid /usr/bin/sudo /usr/libexec/nethserver/api/system-certificate/update | jq
```

but new sub dir is created:

image

If I try to set as standard cert…

…new error

```
echo '{"props":{"KeyFile":"/etc/letsencrypt/live/dargels.de-0002/privkey.pem","CrtFile":"/etc/letsencrypt/live/dargels.de-0002/cert.pem","ChainFile":"/etc/letsencrypt/live/dargels.de-0002/chain.pem"},"action":"set-default"}' | /usr/bin/setsid /usr/bin/sudo /usr/libexec/nethserver/api/system-certificate/update | jq
```

If I check it in the browser (https://myancestry.de)

If I want to check https://www.myancestry.de

So it seems to work now?

www.myancestry.de did not work

I have no knowledge about the mail functionality yet.

It seems a browser cache problem, please refresh site.
When I browse to www.myancestry.de it has correct cert.

And the right site is loading? Not the Nethserver server manager?
I cleared the cache of all browsers (Firefox, Safari, Chrome) and I always get the Nethserver server manager.

Me too :smiley:

@capote you received a lot of advice here thanks to our dream team @michelandre @stephdl @mrmarkuz. How do you plan to give back to these gentlemen?

2 Likes

You need to enter all names to the correct virtualhost:

1 Like