1 Server multiple domains different ways to certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kutyus.net, tecnicobudapest.com, trackoffers.net

I ran this command:
sudo openssl genrsa -des3 -out trackoffers.net.key 2048
sudo openssl req -new -key trackoffers.net.key -out trackoffers.net.csr

It produced this output: Key Hash: Unable to Decode. The key may be corrupt or in an incorrect format.

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Raspbian 10 Buster

My hosting provider, if applicable, is: google domains and OVH

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

There are two questions that I want to ask you.

Easy one:
When I check in the website the “view site information” -> show certificate -> Issued to: it is the same for both domains… Is it correct? Shouldn’t it show one for kutyus and another one for tecnico…?

Hard one:
Those two servers which I certified with certbot are OK; I can see the website and everything is OK, but due to some problems at work I tried to practise another way to acquire a certificate. As you can see, trackoffers.net doesn’t function well and I am totally exhausted.

I executed those commands and I copied the CSR to RapidSSL, then I received a *.pem in my mail and I downloaded some other certificates, but for some reason I cannot arrange anything and the certificate is still kutyus.net on this website.

I am not sure if I explained it correctly; I am very frustrated and tired.

2 Likes

The behaviour is correct. The “Issued to” unfortunately lists the “Common Name”, which is deprecated according to RFC 2818 and is chosen by the Let’s Encrypt server from one of the hostnames in the subjectAltNames (I think it’s just the first one). The certificate is valid for all the hostnames in the subjectAltName, not just the one in the Common Name.

So far so good…, right?

I’m not following here. “Some other certificates”? What kind of certificates? From where?

Not understanding this either…

So your Apache isn’t configured properly. What’s the output of apachectl -S?

2 Likes

Excuse my previous poor explanation…
So I received these files (I said certificates because I am totally lost):

trackoffers_net_53899608DigiCertCA.crt
trackoffers_net_53899608trackoffers_net.crt
trackoffers_net_53899608TrustedRoot.crt

For some reason when I try to see the web www.trackoffers.net it shows the content of www.kutyus.net so surely there is something I have misconfigured on the server.

This is the output of apachectl -S:

VirtualHost configuration:
*:443 is a NameVirtualHost
default server kutyus.net (/etc/apache2/sites-enabled/www.kutyus.net-le-ssl.conf:2)
port 443 namevhost kutyus.net (/etc/apache2/sites-enabled/www.kutyus.net-le-ssl.conf:2)
alias www.kutyus.net
port 443 namevhost tecnicobudapest.com (/etc/apache2/sites-enabled/www.tecnicobudapest.com-le-ssl.conf:2)
alias www.tecnicobudapest.com
port 443 namevhost trackoffers.net (/etc/apache2/sites-enabled/www.trackoffers.net-le-ssl.conf:2)
alias www.trackoffers.net/
*:80 is a NameVirtualHost
default server kutyus.net (/etc/apache2/sites-enabled/www.kutyus.net.conf:1)
port 80 namevhost kutyus.net (/etc/apache2/sites-enabled/www.kutyus.net.conf:1)
alias www.kutyus.net
port 80 namevhost tecnicobudapest.com (/etc/apache2/sites-enabled/www.tecnicobudapest.com.conf:1)
alias www.tecnicobudapest.com
port 80 namevhost trackoffers.net (/etc/apache2/sites-enabled/www.trackoffers.net.conf:1)
alias www.trackoffers.net
ServerRoot: “/etc/apache2”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/var/log/apache2/error.log”
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
PidFile: “/var/run/apache2/apache2.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“www-data” id=33
Group: name=“www-data” id=33

I copied the *.pem and the *.crt files to /etc/ssl/certs/ and I configured the virtualhost of www.trackoffers.net in this way:

    ServerAdmin carlos.informat@gmail.com
    ServerName trackoffers.net
    ServerAlias www.trackoffers.net/
    DocumentRoot /var/www/html/www.trackoffers.net/

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

     SSLEngine on
     SSLCertificateFile /etc/ssl/certs/trackoffers_net_53899608trackoffers_net.crt
     SSLCertificateKeyFile /etc/ssl/certs/trackoffers.net.key
     SSLCertificateChainFile /etc/ssl/certs/trackoffers_net_53899608TrustedRoot.crt

1 Like

First off, let me say:
Welcome to the Let’s Encrypt Community :slightly_smiling_face:

After doing some poking at your sites, I’ve found that:

You might want to consider using this single command instead of the two you used:
openssl req -new -newkey rsa:4096 -nodes -keyout trackoffers.net.key -out trackoffers.net.csr

Your current command uses -des3 to generate the private key, which will end up encrypting the private key. In order to install that key with your certificate for use later, you’ll just need to decrypt it anyhow. Hence the -nodes in the command I gave you.

This could be because the key was encrypted with DES3 and no (or the wrong) password is being supplied when generating the certificate signing request.

2 Likes
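Putting the reply above into practice, as an added example (not code from the thread, from Let’s Encrypt or from Certbot) that also covers the earlier “Issued to” question: the key and CSR are built in one step without a passphrase, both the apex and the www name go into subjectAltName, the CSR is checked against the key the way a CA does before it reports that a key cannot be decoded, and a self-signed copy shows why “Issued to” lists only one of the names. The domain and working directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: key and CSR built in one step (-nodes, no
# passphrase) with both the apex and www name in subjectAltName, a check that the
# CSR really belongs to the key, and a self-signed copy showing that the subject
# CN carries one name while the SAN carries all of them. Domain is a placeholder.
set -eu
DOMAIN="example.invalid"
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# prompt=no takes the subject from [dn]; req_extensions puts the SAN in the CSR.
cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = san
prompt = no
[dn]
CN = $DOMAIN
[san]
subjectAltName = DNS:$DOMAIN,DNS:www.$DOMAIN
EOF

# -nodes leaves the key unencrypted, so Apache loads it at boot without a
# passphrase and the CSR is signed by the very key written to disk.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/$DOMAIN.key" -out "$WORK/$DOMAIN.csr" 2>/dev/null

# "match" when the CSR's public modulus equals the key's; a wrong key (or an
# encrypted one the CA cannot read) shows up as "mismatch" before upload.
key_matches_csr() {
    k="$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl sha256)"
    c="$(openssl req -noout -modulus -in "$2" 2>/dev/null | openssl sha256)"
    [ "$k" = "$c" ] && echo match || echo mismatch
}

# DNS names in a certificate's subjectAltName, comma separated, no spaces.
san_names() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Self-signed only for inspection; a CA-issued cert from this CSR has the same SAN.
openssl x509 -req -days 1 -in "$WORK/$DOMAIN.csr" -signkey "$WORK/$DOMAIN.key" \
    -extfile "$WORK/req.cnf" -extensions san -out "$WORK/$DOMAIN.crt" 2>/dev/null
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null   # unrelated key

echo "subject: $(openssl x509 -noout -subject -in "$WORK/$DOMAIN.crt")"
echo "SAN:     $(san_names "$WORK/$DOMAIN.crt")"
echo "own key: $(key_matches_csr "$WORK/$DOMAIN.key" "$WORK/$DOMAIN.csr")"
echo "other:   $(key_matches_csr "$WORK/other.key" "$WORK/$DOMAIN.csr")"
```

Run the key/CSR check against the exact key file you intend to point SSLCertificateKeyFile at; if it prints “mismatch”, the CA will reject the CSR or issue a certificate Apache cannot pair with that key.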

Hi Griffin,

Thank you very much for your welcome :grinning:

This could not have started worse :crazy_face: I didn’t realize that the whole set of domains didn’t function well, although I tried to arrange it by adding:

RewriteEngine On
RewriteCond %{HTTP_HOST} !^www.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
Options -Indexes

into all the VirtualHosts, and I created an .htaccess with it too in “var/www/html”; it still doesn’t function… The strangest one is the last; I am going bananas with it.

Anyway I think it is not the main problem, although I will try to find a solution for it.

About the new command, I think you hit the nail on the head, although in the next few days I will not have time to re-issue the certificate.

I am very eager about the new command; I really want to try it. I will tell you the results on Thursday.

Thank you so much to everyone.

2 Likes

Keep in mind that the right side of RewriteCond is a regular expression. Therefore, “www.” means “www” followed by any non-line-break character. On the other hand, “www\.” means “www” followed by a period.

I personally use the following .htaccess for several sites to redirect to the bare (non-www) domain with https:

Options -Indexes

RewriteEngine on

RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [QSA,R=301,L]

RewriteCond %{HTTPS} off [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [QSA,R=301,L]

You could use something similar like this:

Options -Indexes

RewriteEngine on

RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [QSA,R=301,L]

RewriteCond %{HTTPS} off [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [QSA,R=301,L]

This ensures that you won’t end up with multiple redirects to get to “https://www”. :wink:

2 Likes

:thinking: I had changed the config at www.mydomains.net&com.conf and I created the .htaccess with the content that you taught me.

But nothing has changed :roll_eyes:

In any case, will this problem with the redirection between kutyus and trackoffers influence future checks of the manual certification of trackoffers?

Thanks a lot

1 Like

You would want to use the second one I mentioned, my friend. The first one will redirect www to non-www, which you don’t want. Keep in mind that if you can modify your configuration files directly, you do NOT want to use .htaccess files instead.

1 Like

It looks like there’s an old (and incorrect) dns-01 challenge entry:
trackoffers.net. 59 IN TXT "3r1jtvy0gpqkyqttjwkt87vst80lrw45"

That should probably have been one of these:

  • _acme-challenge.trackoffers.net. 59 IN TXT "3r1jtvy0gpqkyqttjwkt87vst80lrw45"
  • _acme-challenge.www.trackoffers.net. 59 IN TXT "3r1jtvy0gpqkyqttjwkt87vst80lrw45"
1 Like

It appears that www.kutyus.net, www.trackoffers.net, and www.tecnicobudapest.com all have the same IP address in their DNS A records (89.135.72.30). Are you sure that www.trackoffers.net is actually configured with a server_name and listening on port 443? It looks like www.trackoffers.net is “missing” and so www.kutyus.net is being served instead.

2 Likes

Thank you very much… Finally I can see the trackoffers web site.

The problem with www and so on still remains, but at least kutyus isn’t appearing everywhere.

You were certainly right; after so many tries I forgot to delete the ssl.conf at /etc/apache2/sites-enabled/
I deleted it, then modified and copied the default-ssl.conf, changing the name to www.trackoffers-ssl.conf, and reloaded Apache. Ooooh yeah

Yes, you are right, all of them are part of my testing Raspberry server. I bought those domains with Google Domains, then with the option “Synthetic records” I created something like a (ddns noip), so I set up a script like this:

nano ~/dns_update_script.sh
    wget https://username:password@domains.google.com/nic/update?hostname=yourdomain.com -qO dns_update_results.txt

There’s a full explanation about it on http://www.farrellf.com/projects/software/2016-05-03_Setting_Up_a_Raspberry_Pi_Web_Server/

About the TXT record… I should do it in this way in order to prove control over the domains. I am not sure if I need to keep this record forever or just until they accept that I have control over them.

By the way, the dynamic DNS as I explained before has this config:
www A 1m 89.135.72.30

1 Like