I have a domain datawebpro.xyz with a WordPress (WP) installation working and publicly served by an Nginx web server. Now I am trying to set up a testing environment using a subdomain, t1.datawebpro.xyz.
I have added a CNAME entry in Cloudflare. I attach a screenshot of it. The IPs shown are from my Raspberry Pi 4 (RP4) at home.
Then on the RP4 I have a WordPress installation for the domain and for the subdomain. On the domain I have the Let’s Encrypt certificate working, but when I try to configure the certificate for the subdomain, certbot complains, saying I already have a certificate for the main domain.
The root domain WP installation works well, but when I try to access the subdomain WP installation I get the error “This site can’t be reached” / “ERR_NAME_NOT_RESOLVED”.
My questions are: how do I have to configure Cloudflare, and then how do I have to configure Nginx to support the certificates? Do I need one for each subdomain and one for the root domain, or can I use the root domain one for all subdomains?
May I ask if you have the same content on t1 and on the naked (non-www/www) domain, or different content?
I’d rather use an A-type record for the t1 sub-domain and point it to the IP address.
Therefore, having separate .vhost files in Nginx for multiple different domains/sub-domains should work.
Given the error you got in your web browser, maybe the DNS didn’t propagate so fast the first time.
May I ask, have you tried using a different web browser, or tried clearing your web browser cache?
How about using a Private window (Incognito mode) or a VPN connection if possible?
Is it the same behaviour on your mobile phone (4G LTE, mobile data, cellular)?
I guess it’s because you’re using a CNAME which points to your naked domain, and the request in the background results in some, I guess, redirection to the domain which, as you state, certbot says already has a valid SSL certificate, since you used a command before to issue it for the naked and www domain.
In your conf file you’re pointing to the SSL certificate of the naked domain and www, which doesn’t cover your t1 sub-domain in its “alternative names”.
I remember I was using multiple domains, naked and other sub-domains, on the same SSL certificate (SNI), where there was one common name and other alternative names visible, and it was valid for all of them. You can keep it like that, if it’s easier for you to manage.
For a hostname www.t1.datawebpro.xyz → Cloudflare proxy mode won’t work.
The issue you would experience is described in the article below, so if you’d like to use a “deep-level” sub-domain you can do it with Advanced Certificate Manager, because Cloudflare’s Universal SSL covers only the 1st level of a sub-domain like t1.datawebpro.xyz, and proxy mode will work for it (just not for www.t1):
I’ve tried to access t1.datawebpro.xyz with a private window and with the mobile phone 5G connection and it works. However, there are two problems:
the connection can be established with t1.datawebpro.xyz but not with www.t1.datawebpro.xyz. I suppose it’s because the CNAME does not include this latter case. But I don’t know what my CNAME is doing and why it is working. From what I know, a CNAME such as CNAME | food.web-server | eat.web-server, hungry.web-server would resolve these two names to food.web-server. But I don’t get what the point is of resolving datawebpro.xyz to t1 …
I guess it’s not usual to use a www.t1.something.xyz; instead one just uses www.something.xyz, t1.something.com, t2.something.com, etc.
That being said, I think I’d have to substitute the CNAME that I have with an A record:
A | www | 207.188.x.y
the certificate is invalid because the subdomain was not included at the moment of creating the certificate, but what I want is to have another certificate for the subdomain. The certbot command complains. Can this be solved by just correcting the DNS entries and using the A record instead of the CNAME that I have?
On the RP4 there are a couple more websites with their own domain and their own certificates, so I guess SNI is working correctly.
substitute the CNAME record with an A record pointing to the IP of the RP4
run the certbot command specifying only the subdomain:
sudo certbot certonly -a webroot --webroot-path=/var/www/t1.datawebpro.xyz -d t1.datawebpro.xyz
sudo openssl dhparam -out /etc/ssl/certs/dhparam-t1.datawebpro.pem 2048
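As an added example (not posted by anyone in this thread), here are the Nginx server blocks that go with these steps. It assumes certbot stored the new certificate under /etc/letsencrypt/live/t1.datawebpro.xyz/ (certbot's default live directory, which the certonly command above does not override) and that the root-domain certificate lives under /etc/letsencrypt/live/datawebpro.xyz/; both paths and the sockets are assumptions. Nginx selects the server block, and therefore the certificate, from the SNI hostname the client sends, so each name carries its own certificate.

```nginx
# Root domain: existing certificate whose SANs are datawebpro.xyz and www.datawebpro.xyz
server {
    listen 443 ssl http2;
    server_name datawebpro.xyz www.datawebpro.xyz;

    root  /var/www/datawebpro.xyz;
    index index.php;

    # assumed paths for the root-domain certificate issued earlier
    ssl_certificate     /etc/letsencrypt/live/datawebpro.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/datawebpro.xyz/privkey.pem;
    ssl_dhparam         /etc/ssl/certs/dhparam.pem;

    # WordPress / PHP-FPM locations go here (assumed socket path)
    location ~ \.php$ {
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php/php-fpm.sock;
    }
}

# Testing subdomain: its own certificate from `certbot certonly -d t1.datawebpro.xyz`.
# Only t1.datawebpro.xyz is in that certificate's SAN list, so www.t1.datawebpro.xyz
# is deliberately absent from server_name; a client asking for it would otherwise be
# served this certificate and fail hostname validation.
server {
    listen 443 ssl http2;
    server_name t1.datawebpro.xyz;

    root  /var/www/t1.datawebpro.xyz;
    index index.php;

    ssl_certificate     /etc/letsencrypt/live/t1.datawebpro.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/t1.datawebpro.xyz/privkey.pem;
    ssl_dhparam         /etc/ssl/certs/dhparam-t1.datawebpro.pem;   # from the dhparam step

    location ~ \.php$ {
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php/php-fpm.sock;
    }
}

# Plain HTTP for the subdomain: keep the ACME webroot reachable so certbot renewals
# (which reuse --webroot-path=/var/www/t1.datawebpro.xyz) keep working, redirect the rest.
server {
    listen 80;
    server_name t1.datawebpro.xyz;

    location /.well-known/acme-challenge/ { root /var/www/t1.datawebpro.xyz; }
    location / { return 301 https://$host$request_uri; }
}
```

After `nginx -t` and a reload, `openssl s_client -connect t1.datawebpro.xyz:443 -servername t1.datawebpro.xyz` should return the subdomain certificate, while the same command with `-servername datawebpro.xyz` returns the root-domain one; if both return the same certificate, SNI dispatch is not selecting the block you expect.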