Let's Encrypt Certificate renewed, does not work for gigapages.net subdomain

belltown

New member
My site was issued a new certificate from Let's Encrypt yesterday. However, it no longer works for https://belltown.gigapages.net/. The certificate served up is for the belltown.tk domain; however, there is no Certificate Subject Alt Name extension entry for belltown.gigapages.net.
 

belltown

New member
Code:
$ openssl x509 -in belltown.gigapages.net.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:2d:cc:96:26:99:e5:87:84:6d:a7:80:d5:48:bb:99:13:13
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Nov 19 17:50:46 2017 GMT
            Not After : Feb 17 17:50:46 2018 GMT
        Subject: CN=belltown.gigapages.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cc:5b:47:f5:3a:21:c5:63:9b:f8:f9:4e:c3:40:
                    6d:ac:b7:6f:f9:c5:5e:2b:5d:c5:04:ff:a5:89:f8:
                    0e:5e:52:44:6d:cd:72:21:9a:ff:5a:2b:06:26:27:
                    95:b6:66:7e:45:45:76:a9:13:48:d3:74:0b:a6:01:
                    44:24:85:2e:07:ed:96:3a:cb:38:52:ae:b9:43:50:
                    25:a4:e8:e9:ff:d7:67:fa:b1:31:29:ad:44:b8:e2:
                    4d:27:3f:1b:a9:c9:fe:fb:2b:07:20:f3:9c:76:b1:
                    20:75:ab:99:dd:73:e3:bb:79:39:5f:0a:70:1f:29:
                    95:8d:c2:99:6f:d2:8a:80:3f:96:27:a6:7f:fe:40:
                    d4:6f:40:ce:6e:70:f1:67:e4:92:d0:65:f5:bc:3d:
                    f1:51:6b:5a:56:7d:05:41:a5:0c:18:d3:f9:eb:e3:
                    89:a5:84:c1:92:65:b6:13:6b:1b:46:3e:35:e5:e7:
                    ad:17:3f:47:0e:47:bf:4b:8d:8a:84:f6:50:bc:2f:
                    34:e4:28:2a:a3:0c:e8:97:a3:35:b4:85:23:f8:b5:
                    2f:cc:de:44:f4:3b:d7:e3:36:e3:00:b1:ea:66:7a:
                    8c:ff:45:6d:8d:f3:89:1c:2e:6d:89:0f:a7:19:24:
                    58:65:c7:9d:48:1f:a3:47:0d:6e:82:59:84:cb:1e:
                    61:d1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                A1:56:6D:6A:C4:5D:B3:A8:51:76:AC:1C:FD:B5:5D:F1:DA:00:14:78
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:belltown.gigapages.net, DNS:belltown.tk, DNS:mail.belltown.gigapages.net, DNS:mail.belltown.tk, DNS:www.belltown.gigapages.net, DNS:www.belltown.tk
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

    Signature Algorithm: sha256WithRSAEncryption
         20:43:48:8f:1e:bf:19:f7:d0:04:c6:d1:ff:6b:69:77:f2:1a:
         d1:16:f2:04:b3:14:05:7c:06:fe:36:f9:2a:64:db:d6:9b:08:
         1d:6d:c1:d8:8f:75:c6:f1:04:c2:80:c9:a6:ac:85:c8:4e:5e:
         03:80:57:a0:68:0e:07:2a:de:13:a2:1f:12:26:26:0b:64:0f:
         f5:cb:c1:ce:ee:3e:6e:95:d5:58:21:59:40:40:01:24:df:89:
         cd:44:b4:4a:0c:9d:18:ca:a4:7b:67:b1:fe:74:c3:38:b4:69:
         9a:7d:be:c1:48:d4:92:0c:1d:d3:74:7a:d5:f6:62:91:5e:17:
         13:2f:40:9f:6d:3f:e0:f5:05:7f:19:a0:a0:97:66:30:07:19:
         83:e7:ef:5e:7d:3c:73:8f:6f:5c:d3:5f:df:be:c3:50:68:79:
         e5:8f:99:6b:ad:bb:70:c4:8e:43:f1:02:a4:59:1d:8b:ea:0a:
         14:83:f0:75:01:aa:9f:10:ca:39:3f:61:78:a0:ee:70:47:0c:
         29:5d:d1:7d:94:0a:b9:b9:00:42:95:43:e7:ac:66:70:39:32:
         17:a0:f1:2a:b0:92:8c:be:f4:07:ea:92:a9:c6:f0:d8:32:45:
         9b:d2:1c:29:4a:e9:31:f7:9f:ee:77:69:a1:63:a1:b4:71:f7:
         00:0d:06:e5

The certificate currently being served for belltown.gigapages.net is one that was issued for belltown.tk, with no Subject Alternative Names specified.

Also, if you look at my site's SSL database file: /ssl/ssl.db, you will see the last two certificates issued. The previous certificate (first entry in the DB) was issued for 6 subdomains. The last certificate issued was only issued for belltown.tk:
Code:
---
files:
  certificate:
    belltown_gigapages_net_cc5b4_e61d1_1518889846_116e6a9fc26d68629f19d3a04bf8422a:
      created: '1511117104'
      domains:
        - belltown.gigapages.net
        - belltown.tk
        - mail.belltown.gigapages.net
        - mail.belltown.tk
        - www.belltown.gigapages.net
        - www.belltown.tk
      friendly_name: belltown.gigapages.net, belltown.tk, mail.belltown.gigapages.net, mail.belltown.tk, www.belltown.gigapages.net, and www.belltown.tk
      id: belltown_gigapages_net_cc5b4_e61d1_1518889846_116e6a9fc26d68629f19d3a04bf8422a
      is_self_signed: 0
      issuer.commonName: Let's Encrypt Authority X3
      issuer.organizationName: Let's Encrypt
      modulus: cc5b47f53a21c5639bf8f94ec3406dacb76ff9c55e2b5dc504ffa589f80e5e52446dcd72219aff5a2b06262795b6667e454576a91348d3740ba6014424852e07ed963acb3852aeb9435025a4e8e9ffd767fab13129ad44b8e24d273f1ba9c9fefb2b0720f39c76b12075ab99dd73e3bb79395f0a701f29958dc2996fd28a803f9627a67ffe40d46f40ce6e70f167e492d065f5bc3df1516b5a567d0541a50c18d3f9ebe389a584c19265b6136b1b463e35e5e7ad173f470e47bf4b8d8a84f650bc2f34e4282aa30ce897a335b48523f8b52fccde44f43bd7e336e300b1ea667a8cff456d8df3891c2e6d890fa719245865c79d481fa3470d6e825984cb1e61d1
      modulus_length: 2048
      not_after: '1518889846'
      not_before: '1511113846'
      signature_algorithm: sha256WithRSAEncryption
      subject.commonName: belltown.gigapages.net
      validation_type: dv
    belltown_tk_a9bd0_1dcc9_1524186385_80416741acc179dd6cb5a94e068ec95c:
      created: '1516413985'
      domains:
        - belltown.tk
      friendly_name: Cert for “belltown.gigapages.net”
      id: belltown_tk_a9bd0_1dcc9_1524186385_80416741acc179dd6cb5a94e068ec95c
      is_self_signed: 0
      issuer.commonName: Let's Encrypt Authority X3
      issuer.organizationName: Let's Encrypt
      modulus: 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
      modulus_length: 2048
      not_after: '1524186385'
      not_before: '1516410385'
      signature_algorithm: sha256WithRSAEncryption
      subject.commonName: belltown.tk
      validation_type: dv
  key:
    a9bd0_1dcc9_ae126e99cfb5e0fa6c65668c5a03fca0:
      created: '1516413985'
      friendly_name: Key for “belltown.gigapages.net”
      id: a9bd0_1dcc9_ae126e99cfb5e0fa6c65668c5a03fca0
      modulus: 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
      modulus_length: 2048
    cc5b4_e61d1_ddd9df2434babd5786ac663e531a2804:
      created: '1511117104'
      friendly_name: belltown.gigapages.net, belltown.tk, mail.belltown.gigapages.net, mail.belltown.tk, www.belltown.gigapages.net, and www.belltown.tk
      id: cc5b4_e61d1_ddd9df2434babd5786ac663e531a2804
      modulus: 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
      modulus_length: 2048
indexes:
  certificate:
    modulus:
      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:
        belltown_tk_a9bd0_1dcc9_1524186385_80416741acc179dd6cb5a94e068ec95c: ~
      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:
        belltown_gigapages_net_cc5b4_e61d1_1518889846_116e6a9fc26d68629f19d3a04bf8422a: ~
    subject.commonName:
      belltown.gigapages.net:
        belltown_gigapages_net_cc5b4_e61d1_1518889846_116e6a9fc26d68629f19d3a04bf8422a: ~
      belltown.tk:
        belltown_tk_a9bd0_1dcc9_1524186385_80416741acc179dd6cb5a94e068ec95c: ~
uniques:
  certificate:
    friendly_name:
      Cert for “belltown.gigapages.net”: belltown_tk_a9bd0_1dcc9_1524186385_80416741acc179dd6cb5a94e068ec95c
      belltown.gigapages.net, belltown.tk, mail.belltown.gigapages.net, mail.belltown.tk, www.belltown.gigapages.net, and www.belltown.tk: belltown_gigapages_net_cc5b4_e61d1_1518889846_116e6a9fc26d68629f19d3a04bf8422a
  key:
    friendly_name:
      Key for “belltown.gigapages.net”: a9bd0_1dcc9_ae126e99cfb5e0fa6c65668c5a03fca0
      belltown.gigapages.net, belltown.tk, mail.belltown.gigapages.net, mail.belltown.tk, www.belltown.gigapages.net, and www.belltown.tk: cc5b4_e61d1_ddd9df2434babd5786ac663e531a2804
    modulus:
      a9bd032a2c80ee559ff576f0d12e547b728a54b16b6a7430b070a342e2424d98049d68b06b732505b8b979e4c1835b4ec94f4e10c1aeff762543bb1383d961c053879fc6193587b64d267d8132ea76378abfdd8d930e992ee3757d83694059431f52cbe28aad19506f2f772c849971fcb8a03f5dd369ed23c0d7a84559dc4894147a980789a184167c038a1da79d2ae7d5d9a602d480c510404f579b63a8138d06880d07184aad1cfe2b68fbdb32e89eb025577994ba68248b47624099e2b028b5166a526c5fa9313c53ce8f6640e1394734c871b4246e2859087a31a5db24c09b2653514580e4160b4c85794710e6ee9baa7f7e2cf78ec05f01b2ca25f1dcc9: a9bd0_1dcc9_ae126e99cfb5e0fa6c65668c5a03fca0
      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: cc5b4_e61d1_ddd9df2434babd5786ac663e531a2804

So it would appear that something has changed recently with the way you are issuing Let's Encrypt certificates.

If, for whatever reason, your cPanel/Let's Encrypt setup is unable or unwilling to handle alternate names, then can you at least restore the cPanel SSL/TLS certificate management functionality, so I can at least create and upload my own Let's Encrypt certificates for my site?
Thanks.
 

un4saken

Administrator
I mean you can't use your current certificate for your subdomains because it was issued only to your .tk domain. Fixed it by manually generating for your subdomain too.
 

belltown

New member
The subdomain certificate is now working. I appreciate you setting that up.

It looks like you installed the old certificate, which had the subdomains as alternate names. That's fine for now, but in 3 weeks when the certificate expires, will that require another "manual" generation, or will it auto-renew?
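
The two checks this thread turns on (does the certificate's Subject Alternative Name list cover the hostname being served, and how long until it expires) can be scripted against `openssl x509 -text` output. This is an added example, not code from any poster or from the host: the first sample is trimmed from the output posted above, while the second sample, the `NOW` date and the 30-day renewal threshold are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Trimmed from the `openssl x509 -text` output posted in the thread.
MULTI_SAN_CERT = """\
        Validity
            Not After : Feb 17 17:50:46 2018 GMT
        Subject: CN=belltown.gigapages.net
            X509v3 Subject Alternative Name:
                DNS:belltown.gigapages.net, DNS:belltown.tk, DNS:mail.belltown.gigapages.net, DNS:mail.belltown.tk, DNS:www.belltown.gigapages.net, DNS:www.belltown.tk
"""
# Constructed: models the belltown.tk-only entry in ssl.db (not_after 1524186385).
TK_ONLY_CERT = """\
        Validity
            Not After : Apr 20 01:06:25 2018 GMT
        Subject: CN=belltown.tk
            X509v3 Subject Alternative Name:
                DNS:belltown.tk
"""
NOW = datetime(2018, 1, 27, tzinfo=timezone.utc)  # constructed "today", ~3 weeks before expiry

def san_dns_names(text):
    """Return the DNS entries of the SAN extension, or [] if the extension is absent."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*(.+)", text)
    if not m:
        return []
    entries = (e.strip() for e in m.group(1).split(","))
    return [e[4:].lower() for e in entries if e.startswith("DNS:")]

def not_after(text):
    m = re.search(r"Not After\s*:\s*(.+?) GMT", text)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def covers(pattern, host):
    """Exact match, or a wildcard standing for exactly one left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def check(text, host, now=NOW, renew_days=30):
    days_left = (not_after(text) - now).days
    return {"covered": any(covers(n, host) for n in san_dns_names(text)),
            "days_left": days_left, "renew_due": days_left <= renew_days}

if __name__ == "__main__":
    for label, cert in (("multi-SAN", MULTI_SAN_CERT), ("tk-only", TK_ONLY_CERT)):
        print(label, check(cert, "belltown.gigapages.net"))
```
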