Koozali.org: home of the SME Server

Let's Encrypt on sub-domain only - possible?

stabilys
Let's Encrypt on sub-domain only - possible?
« on: January 28, 2020, 05:31:30 PM »
I have a question about setting up Let’s Encrypt *just* on a sub-domain, i.e. on mail.xxx.xxx

I know everyone is busy with the updates to Let’s Encrypt, and don’t know if any changes in the script will affect this question. I suspect the issues I raise may be relevant to others: my expertise in this area is sadly lacking, so I am asking here. I have two systems with similar set-ups, I expect others do similar things too. I have substituted “example” for the actual domain name below. Question is at the end under “Summary”, necessary background info follows.

Background

1. There’s an SME-Server v9 in server-only mode doing file- and mail-server duties, with a large iSCSI-mounted filesystem from a storage server
2. It is behind an OPNSense firewall which does multi-wan, IP-Sec VPN duties, and other tasks that can’t readily be done by the SME-Server
3. Email is further filtered and forwarded by a Barracuda email filter (the SME-Server spam filter was unable to handle the sheer weight of spam, due to the three-letter domain name having previously been owned by a spammer, unbeknownst to the client when they bought it)
4. Users, especially i-Device users, are now having lots of issues with self-signed certificates from the SME-Server as Apple have really tightened up permissions on this (Android too)
5. So the plan is to add a non-self-signed SSL certificate, and the first choice is Let’s Encrypt.

But, I don’t know if it will work using the dehydrated script. I think it will but I am asking for advice.

DNS Configuration
- The client’s web site is served by a third-party site developer on Digital Ocean
- The web site has a Let’s Encrypt SSL certificate for that root domain only (not for www. even), see report:

example.co.uk resolves to nnn.128.47.228
Server Type: nginx/1.10.3
The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).
The certificate was issued by Let's Encrypt.    
The certificate will expire in 48 days.   
None of the common names in the certificate match the name that was entered (example.co.uk). You may receive an error when accessing this site in a web browser. It looks like you just need to add the "www." when accessing the site with SSL.


- the mail. A record is pointed at the SME-Server’s external address which is in a DSL domain
- there’s port forwards for the mail and web ports but only mail is served to external users @ home or on mobiles
- the server has two mail. A records as there are two WAN addresses, one primary and one fail-over
- reverse records etc all set up and working for years
- fail2ban is in use on the server additionally to the Barracuda filter
- it’s using a self-signed cert, see report:
   
mail.example.co.uk resolves to nnn.32.218.9
 Server Type: Apache
 The certificate will expire in 18 days.   
 The certificate is self-signed. Users will receive a warning when accessing this site unless the certificate is manually added as a trusted certificate to their web browser. You can fix this error by buying a trusted SSL certificate
 None of the common names in the certificate match the name that was entered (mail.example.co.uk). You may receive an error when accessing this site in a web browser.


The server is set up as follows

server name          serv1

Domains are all resolved locally

Hostnames:
ftp.example.co.uk      Self   172.17.7.10           
mail.example.co.uk      Self   172.17.7.10           
proxy.example.co.uk      Self   172.17.7.10           
serv1.example.co.uk      Self   172.17.7.10               
server1.example.co.uk   Self   172.17.7.10               
wpad.example.co.uk      Self   172.17.7.10           
www.example.co.uk      Self    172.17.7.10



Summary

What I want to do is set up Let’s Encrypt for the mail.example.co.uk name on the SME-Server (and presumably for the server web interface and other services etc) while not touching (or breaking!) the top level example.co.uk which is pointed at another IP, not under our direct control, and already using Let’s Encrypt.

So to the question: if I set up Let’s Encrypt with the domain name mail.example.co.uk is this likely to work?

Sorry this is long, hope it is clear. Any advice or clues given much appreciated. I can set up and test – but if I’m barking up the wall and it just won’t work I would like to know in advance so I do something else that does have a chance of working :)
This, too, will pass ;)

ReetP
Re: Let's Encrypt on sub-domain only - possible?
« Reply #1 on: January 28, 2020, 07:41:06 PM »
I think, in a word, yes.

Just make sure that whatever name/domain/host you want to use ONLY resolves to your SME.

Be that.

domain.com
host.domain.com

or whatever

Note you can set individual Hosts, or complete Domains. The choice is yours :-)

Also note, there is a hack I have used for years allowing subdomains so you can jigger apache a bit and that is fine.

eg I have two domains setup.

somedomain.com - enabled hosts mail/www and enabled domain

chat.somedomain.com - no hosts and JUST enabled domain

Currently we do not do separate certs for different domains by putting things on different lines - just one cert for all the enabled hosts & domains. My /etc/dehydrated/domains.txt looks like this:

somedomain.info chat.somedomain.info mail.somedomain.info www.somedomain.info

Just make sure the .well-known/acme-challenge dir can resolve, eg

http://somedomain.com/.well-known/acme-challenge/

http://host.somedomain.com/.well-known/acme-challenge/

You should be good if your DNS records point the right way.

E&OE :-)
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

stabilys
Re: Let's Encrypt on sub-domain only - possible?
« Reply #2 on: January 28, 2020, 09:05:44 PM »
> I think, in a word, yes.
> ...
> E&OE :-)

Thanks for the reply ReetP - I know you are busy.

I'll have a play with testing then :)

MeJ



ReetP
Re: Let's Encrypt on sub-domain only - possible?
« Reply #3 on: January 29, 2020, 01:57:44 AM »
> Thanks for the reply ReetP - I know you are busy.

We're ALL busy!! But yes I am at the minute.

> I'll have a play with testing then :)

Cool. Let us know how you get along and ask if you get stuck.

We are on Rocket too if you want to chat/help......

stabilys
Re: Let's Encrypt on sub-domain only - possible?
« Reply #4 on: February 15, 2020, 10:50:58 AM »
> We're ALL busy!! But yes I am at the minute.
>
> Cool. Let us know how you get along and ask if you get stuck.
>
> We are on Rocket too if you want to chat/help......

Hi all

So far it didn't work. I've skimmed https://forums.contribs.org/index.php/topic,53147.0.html and also done all the checks listed in the fault finding section, without success so far.

I have an idea what it is but may be completely off-track. Below are the sanitised errors from dehydrated and ditto http_error.

I suspect the problem is the server CommonName is not the DNS name of the domain it's trying to verify.

Am I on the right track?

Thanks for any suggestions or kicks.

MeJ

dehydrated

[root@serv1 dehydrated]# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
+ Generating account key...
+ Registering account key with ACME server...
Fetching missing account information from CA...
Processing mail.TLD.co.uk with alternative names: serv1.TLD.co.uk
 + Creating new directory /etc/dehydrated/certs/mail.TLD.co.uk ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
  + ERROR: An error occurred while sending get-request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/38626606 (Status 405)

Details:
HTTP/1.1 405 Method Not Allowed
Server: nginx
Date: Wed, 12 Feb 2020 20:01:46 GMT
Content-Type: application/problem+json
Content-Length: 103
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Method not allowed",
  "status": 405
}

[root@serv1 dehydrated]#

http_error

[Wed Feb 12 19:55:19 2020] [notice] caught SIGTERM, shutting down
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 19:55:19 2020] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed Feb 12 19:55:19 2020] [notice] Digest: generating secret for digest authentication ...
[Wed Feb 12 19:55:19 2020] [notice] Digest: done
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 19:55:19 2020] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed Feb 12 19:55:19 2020] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Wed Feb 12 19:58:43 2020] [error] [client 89.248.174.146] File does not exist: /home/e-smith/files/ibays/Primary/html/editBlackAndWhiteList
[Wed Feb 12 20:01:24 2020] [notice] caught SIGTERM, shutting down
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 20:01:24 2020] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed Feb 12 20:01:24 2020] [notice] Digest: generating secret for digest authentication ...
[Wed Feb 12 20:01:24 2020] [notice] Digest: done
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 20:01:24 2020] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed Feb 12 20:01:24 2020] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations

ReetP
Re: Let's Encrypt on sub-domain only - possible?
« Reply #5 on: February 15, 2020, 11:08:19 AM »
This is your issue.

Code:
ERROR: An error occurred while sending get-request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/38626606 (Status 405)
Nothing will work until the dehydrated script completes without errors. It needs to complete and run a 'deploy' section.

So first fix that.

Which versions of smeserver-letsencrypt & dehydrated are you running?

You might need the dehydrated version in test which is 0.6.5

Also

cat /etc/dehydrated/config


Sparkey
Re: Let's Encrypt on sub-domain only - possible?
« Reply #6 on: March 13, 2020, 05:37:21 PM »
I set up letsencrypt to none and then added the host srv02.diamondbusinessgraphics.com as the only host to issue a cert for. However, it still did a check for the base domain, as you can see below, and failed because it is at another hosting site:
----------------------------
[root@srv02 ~]# dehydrated -c -x
# INFO: Using main config file /etc/dehydrated/config
Fetching missing account information from CA...
Processing diamondbusinessgraphics.com with alternative names: srv02.diamondbusinessgraphics.com
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for srv02.diamondbusinessgraphics.com
 + Handling authorization for diamondbusinessgraphics.com
 + 2 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for srv02.diamondbusinessgraphics.com authorization...
 + Challenge is valid!
 + Responding to challenge for diamondbusinessgraphics.com authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Invalid response from http://diamondbusinessgraphics.com/.well-known/acme-challenge/5dQYUuYSKp7TJKMbDjR8mtPeY88ySNE8HTw-yPy7wys [208.70.76.26]: \"\u003c!DOCTYPE html PUBLIC \\\"-//W3C//DTD XHTML 1.0 Strict//EN\\\" \\\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\\\"\u003e\\r\\n\u003chtml xmlns=\\\"http\"",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/3338024576/LAnx-g",
  "token": "5dQYUuYSKp7TJKMbDjR8mtPeY88ySNE8HTw-yPy7wys",
  "validationRecord": [
    {
      "url": "http://diamondbusinessgraphics.com/.well-known/acme-challenge/5dQYUuYSKp7TJKMbDjR8mtPeY88ySNE8HTw-yPy7wys",
      "hostname": "diamondbusinessgraphics.com",
      "port": "80",
      "addressesResolved": [
        "208.70.76.26"
      ],
      "addressUsed": "208.70.76.26"
    }
  ]
})

-----------------------

So I ran nano /etc/dehydrated/domains.txt, removed diamondbusinessgraphics.com from the list and saved it so only the subdomain was listed.

I then ran 
# dehydrated -c -x

As you will see below, everything worked, the cert is setup and working properly.

# INFO: Using main config file /etc/dehydrated/config
Fetching missing account information from CA...
Processing srv02.diamondbusinessgraphics.com
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jun 11 14:12:46 2020 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for srv02.diamondbusinessgraphics.com
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for srv02.diamondbusinessgraphics.com authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
Set up modSSL db keys
Signal events
All complete
 + Done!

So YES, you can set it up to only issue a certificate for a subdomain.

PS: This may not be the proper way to do this, but it works.
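ReetP's advice in Reply #1 (every name you list must resolve only to the SME, and the acme-challenge path must be reachable there) and Sparkey's failed run above (the bare domain resolving to the hosting site's 208.70.76.26, so the http-01 challenge was answered by the wrong server) are the same check seen from both ends. The script below performs that check before `dehydrated -c` is run. It is an added example, not code from the smeserver-letsencrypt contrib, from dehydrated or from any poster; it assumes `getent ahostsv4` is available (glibc) and that domains.txt uses dehydrated's one-certificate-per-line layout. The addresses in the comments and in the offline test are constructed.

```shell
#!/bin/sh
# Pre-flight check for dehydrated's domains.txt (added example; not code from
# the smeserver-letsencrypt contrib or from dehydrated).
#
# dehydrated reads one certificate per line: the first name is the certificate's
# main name, the rest are alternative names. http-01 validation fetches
# http://<name>/.well-known/acme-challenge/<token> from whatever address <name>
# resolves to, so every name on every line must resolve only to addresses that
# reach this server on port 80. A name that resolves elsewhere (the bare domain
# hosted at a web developer, for instance) fails the whole order.

# Resolve NAME to its IPv4 addresses, one per line. getent ahostsv4 is assumed
# to be available; redefine this function to run the check offline.
resolve_name() {
    getent ahostsv4 "$1" 2>/dev/null | awk '$2 == "STREAM" { print $1 }'
}

# check_domains_file FILE "IP [IP ...]"
#   The second argument lists the addresses that reach this server on port 80
#   (both WAN addresses in a multi-WAN setup).
# Prints "OK name addr", "FAIL name addr" or "FAIL name unresolved" per name.
# Returns 0 only when every name resolves exclusively to a listed address.
check_domains_file() {
    file=$1
    expected=" $2 "
    [ -r "$file" ] || { echo "FAIL $file unreadable"; return 1; }
    # dehydrated ignores blank lines and '#' comments, so do the same.
    report=$(sed 's/#.*//' "$file" | awk 'NF' | while read -r line; do
        for name in $line; do
            addrs=$(resolve_name "$name")
            if [ -z "$addrs" ]; then
                echo "FAIL $name unresolved"
                continue
            fi
            for addr in $addrs; do
                case "$expected" in
                    *" $addr "*) echo "OK $name $addr" ;;
                    *)           echo "FAIL $name $addr" ;;
                esac
            done
        done
    done)
    [ -n "$report" ] && printf '%s\n' "$report"
    case "$report" in
        *FAIL*) return 1 ;;
    esac
    return 0
}

# Usage: sh acme-preflight.sh "WAN_IP [WAN_IP2]" [/etc/dehydrated/domains.txt]
# A FAIL line is a name the CA cannot validate against this server; fix DNS or
# take the name out of the certificate before running dehydrated.
if [ $# -ge 1 ]; then
    check_domains_file "${2:-/etc/dehydrated/domains.txt}" "$1"
fi
```

Run it with the server's external address(es) as the first argument. In Sparkey's case the first run would have printed a FAIL line for the bare domain and an OK line for srv02, which is exactly the split the CA reported.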

ReetP
Re: Let's Encrypt on sub-domain only - possible?
« Reply #7 on: March 13, 2020, 06:37:13 PM »
Not sure why it added that. I'll have to check.

Your problem is the file is templated and it will get overwritten on the next update/reboot etc.

Really need to tell us which versions you are using.

Sparkey
Re: Let's Encrypt on sub-domain only - possible?
« Reply #8 on: March 13, 2020, 07:44:59 PM »
Oops, my bad on the details.

SME Server 9.2.2

just installed letsencrypt / dehydrated package today ( 3/13/2020 )

ReetP
Re: Let's Encrypt on sub-domain only - possible?
« Reply #9 on: March 13, 2020, 10:11:21 PM »
> just installed letsencrypt / dehydrated package today ( 3/13/2020 )

Which versions.... that is important.

Sparkey
Re: Let's Encrypt on sub-domain only - possible?
« Reply #10 on: March 13, 2020, 10:43:39 PM »
smeserver-letsencrypt.noarch                0.5-9
Installed Packages
Name        : smeserver-letsencrypt
Arch        : noarch
Version     : 0.5
Release     : 9
Size        : 30 k
Repo        : installed
From repo   : smecontribs
Summary     : Plugin to enable letsencrypt certificates
URL         : https://letsencrypt.org/
License     : GNU GPL version 2
Description : Lets Encrypt is a free, automated, and open certificate
            : authority https://letsencrypt.org/

dehydrated.noarch                0.6.2-14.el6.sme
Installed Packages
Name        : dehydrated
Arch        : noarch
Version     : 0.6.2
Release     : 14.el6.sme
Size        : 84 k
Repo        : installed
From repo   : smecontribs
Summary     : ACME client in bash
URL         : https://github.com/lukas2511/dehydrated
License     : MIT
Description : This is a client for signing certificates with an ACME server
            : (currently only provided by Let's Encrypt) implemented as a
            : relatively simple bash-script.
« Last Edit: March 13, 2020, 10:45:53 PM by Sparkey »

ReetP
Re: Let's Encrypt on sub-domain only - possible?
« Reply #11 on: March 13, 2020, 11:15:54 PM »
Ta. We're looking at it thanks.

Sparkey
Re: Let's Encrypt on sub-domain only - possible?
« Reply #12 on: April 28, 2020, 08:58:07 PM »
For anyone else that runs into the issue I ran into, as an alternative to having to manually update the domains.txt file in /etc/dehydrated, I created a file named domains-update.txt in the same /etc/dehydrated folder that just contains my subdomain. 

Since cron.daily runs letsencrypt at 3:14am, I used crontab manager and added a cron tab entry that copies the contents of my domains-update.txt into the file domains.txt daily at 2:00am.

This allows letsencrypt to run the renewal status after I install updates, without failing.




TerryF
Re: Let's Encrypt on sub-domain only - possible?
« Reply #13 on: April 28, 2020, 09:49:21 PM »
> For anyone else that runs into the issue I ran into, as an alternative to having to manually update the domains.txt file in /etc/dehydrated, I created a file named domains-update.txt in the same /etc/dehydrated folder that just contains my subdomain.
>
> Since cron.daily runs letsencrypt at 3:14am, I used crontab manager and added a cron tab entry that copies the contents of my domains-update.txt into the file domains.txt daily at 2:00am.
>
> This allows letsencrypt to run the renewal status after I install updates, without failing.

A solution that gets done what you want to get done, job done. This is the text of a discussion we had in Rocket re your issue; it may also help, or not :-)

If you follow the wiki it's a simple trap: you do a db setprop on a host name, in this case the main host name, finish the config, reboot/reconfig/expand temp, and then decide to do a secondary host name and do a db setprop enabled, BUT DON'T disable the first one you did; you end up with domain.txt with two host names. When you disable the host name you don't want, then expand template etc., domain.txt has ONE entry.

No, not a bug, you need to do a
# db hosts setprop "$HOSTNAME" letsencryptSSLcert disabled
on the unwanted host name. Can easily see that you have two with a

# db hosts show

should also check the

# db domains show

if you have a domain enabled there it will also cause two entries in domain.txt
eg

[root@sme92x64test ~]# db domains show
sme92test.org=domain
Content=Primary
Description=Primary domain
Nameservers=localhost
Removable=no
SystemPrimaryDomain=yes
letsencryptSSLcert=disabled

if that was enabled it would appear in domain.txt along with whatever host name was enabled
calling it a night, tomorrow it is

Ahhh so they set enabled, and then forget to set disabled OR delete the key.

May help...

However, if you set one host and then change that later, domains.txt has two entries..
[root@sme92x64test ~]# db hosts show
mail.sme92test.fage.org=host
ExternalIP=
HostType=Self
InternalIP=
MACAddress=
letsencryptSSLcert=enabled
proxy.sme92test.org=host
ExternalIP=
HostType=Self
InternalIP=
MACAddress=
www.sme92test.org=host
ExternalIP=
HostType=Self
InternalIP=
MACAddress=
letsencryptSSLcert=enabled

the domain is not being disabled, see above..
so need to issue a disabled to set the property

[root@sme92x64test ~]# db hosts setprop www.sme92test.org letsencryptSSLcert disabled
leaving
[root@sme92x64test ~]# db hosts setprop mail.sme92test.org letsencryptSSLcert enabled

at which time the /etc/dehydrated/domains.txt has one host name
« Last Edit: April 28, 2020, 09:53:31 PM by TerryF »
--
qui scribit bis legit

ReetP
Re: Let's Encrypt on sub-domain only - possible?
« Reply #14 on: April 28, 2020, 10:53:37 PM »
Absolutely.

Make sure you check everything.

It should just work if you have done it correctly.

If you have really checked and are positive there is an issue open a bug.

But first
Code:
db domains show | grep letsencryptSSLcert

Code:
db hosts show | grep letsencryptSSLcert

See what you have enabled and disabled.
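TerryF's walkthrough and ReetP's `grep letsencryptSSLcert` one-liners both come down to one question: which host and domain records still have the cert enabled, because every enabled record becomes a name in the templated domains.txt. The grep drops the record names, so here is a small parser that keeps them and prints the `db ... setprop` commands needed to leave exactly one. It is an added example, not part of SME Server or the smeserver-letsencrypt contrib; it assumes the `name=host` / `name=domain` record layout shown in the posts above (the real tool indents the property lines, the forum copy lost that, and both forms are accepted). The sample records in the offline test are constructed.

```shell
#!/bin/sh
# Audit which SME Server records carry letsencryptSSLcert=enabled (added
# example; not part of SME Server or smeserver-letsencrypt).
#
# Input is the output of `db hosts show` or `db domains show`: a record line
# "name=host" / "name=domain" followed by "Key=value" property lines. Every
# enabled record is a name the domains.txt template emits, so more than one
# enabled record means more than one name in domains.txt, which is the trap
# described above (a host enabled earlier and never disabled).

# le_enabled_names < db-output : prints one enabled record name per line.
le_enabled_names() {
    awk -F= '
        { sub(/^[ \t]+/, "", $1) }                        # tolerate indented properties
        $2 == "host" || $2 == "domain" { rec = $1; next }  # record line: remember its name
        $1 == "letsencryptSSLcert" && $2 == "enabled" { print rec }
    '
}

# le_expect_single < db-output : prints the enabled names and returns 1 when
# there is more than one, i.e. when domains.txt would carry extra names.
le_expect_single() {
    names=$(le_enabled_names)
    [ -n "$names" ] && printf '%s\n' "$names"
    n=$(printf '%s\n' "$names" | awk 'NF { c++ } END { print c + 0 }')
    [ "$n" -le 1 ]
}

# le_disable_commands DB KEEP < db-output : prints the `db DB setprop ...`
# command for every enabled record except KEEP, so the list can be reviewed
# before it is run. DB is "hosts" or "domains", matching the db you piped in.
le_disable_commands() {
    db=$1
    keep=$2
    le_enabled_names | while read -r name; do
        [ "$name" = "$keep" ] && continue
        echo "db $db setprop $name letsencryptSSLcert disabled"
    done
}

# Usage on a live server (nothing runs when this file is sourced without input):
#   db hosts show   | le_expect_single
#   db domains show | le_expect_single
#   db hosts show   | le_disable_commands hosts mail.example.test   # review, then run
```

After running the printed setprop commands, expand the template as TerryF describes so domains.txt is regenerated with the single remaining name; the `domains` db is checked the same way, since an enabled domain record adds its own entry.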