And I don’t really understand why that would be.
It should not matter that both domains resolve to the same IP, and I did get the domain1 cert first, or does it?
Ensure that
Path: /usr/local/etc/letsencrypt/live/www.domain1.org/fullchain.pem
equals
SSLCertificateFile "/usr/local/etc/apache24/certs/1/fullchain.pem"
and also that
Path: /usr/local/etc/letsencrypt/live/www.domain2.org/fullchain.pem
equals
SSLCertificateFile "/usr/local/etc/apache24/certs/2/fullchain.pem"
Thanks for the reply,
I do manually copy the cert files.
As stated in the README in /usr/local/etc/letsencrypt/live/www.domain1.org, I avoid the cert.pem file.
So I only copy the three other files for Apache to use.
Thanks
You have not defined a ServerName or ServerAlias for domain2.org in your VirtualHost, only for www.domain2.org. The same occurs for www.domain1.org, but as it is the first VirtualHost, Apache uses it as the default for undefined domain names.
If you add a ServerAlias for the non-www domains in your <VirtualHost *:443> sections, you should have no problem.
Note: Next time, when you paste code or conf in your message, select it and press the </> icon, and this forum won't remove lines or try to add titles, bold, etc.
Unfortunately, this has not worked.
I keep having the exact same problem.
On the bright side, it has made me realise I have a redirection issue on domain1.
As you can see, I have a ‘redirect / https:www.domain?.org’ for each domain.
Interestingly, it only works for domain2. Domain1 is still displayed as a ‘naked’ domain. It does redirect to https, though…
I don’t really understand the problem (yet…), but I have a hunch this is related to why my domains are mixed up on the cert for domain2.
Thanks for the reply
Yes, real domains would help indeed. I guess it was just force of habit, being a bit too paranoid…
Anyway, here is the unedited vhosts.conf.
Just to streamline things if you are going to take a look: ‘domain2.org’ is caridaduniversal.eu.
You can see the issue with:
openssl s_client -connect caridaduniversal.eu:443
Mind you, I did try what you suggested about adding ServerAlias statements and, with those in, renewed the certs. Same result as stated earlier.
But since then, it has been heavily tweaked trying to pinpoint the reason for the failing 301 redirection.
Hope you can dispense with the mess it is right now.
That is not correct: you can't use :443 in the ServerAlias directive. You can use it in ServerName (although you don't need it), but you can't use it in ServerAlias.
So, uncomment ServerAlias and use only the domain as the parameter.
ServerAlias caridaduniversal.eu
Restart Apache and try again.
Note: Remember to use -servername when using openssl s_client:
You’re right, yes, it’s kinda pointless for aliases to have the port specified. They are probably there because the lines were yanked from a redirection line. Changing them made no difference, though.
But adding the ‘servername’ parameter sure fixes the issue; without it, it’s still mixed. Which makes me realise it’s not something coming from the certificate (as my mind made it out to be…), but rather a live response from the server. So the problem here is the server cfg, not the cert! I’m sorry if that was obvious to you, but it certainly was news to me.
As I just want to understand what is going on at this point… I tried putting caridaduniversal.eu first.
And just moving the <VirtualHost *:443> block for caridaduniversal before the other one makes the other one give a mixed response to the openssl line. Also ffox shows an ‘Insecure connection’ for the naked domain (gnosis-sevilla.es), as it claims the cert is for caridaduniversal…
Never knew the order of the blocks would matter!
So I need to read on this, because clearly something major is wrong in this configuration.
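Why the block order matters here, as an added example that is not from this thread: a small Python model of Apache's name-based VirtualHost selection run over a constructed vhosts.conf fragment (an assumption, not the poster's real file). The first *:443 block is the default whenever the requested name matches no ServerName or ServerAlias, which is exactly what happens for a name that only exists inside the ServerName of another block.

```python
import re
from fnmatch import fnmatchcase

# Constructed vhosts.conf fragment for illustration (not the poster's real file).
VHOSTS_CONF = """
<VirtualHost *:443>
    ServerName www.gnosis-sevilla.es
    SSLCertificateFile "/usr/local/etc/apache24/certs/1/fullchain.pem"
</VirtualHost>
<VirtualHost *:443>
    ServerName www.caridaduniversal.eu:443
    ServerAlias caridaduniversal.eu
    SSLCertificateFile "/usr/local/etc/apache24/certs/2/fullchain.pem"
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return the *:443 VirtualHost blocks in file order as {names, cert} dicts."""
    vhosts = []
    for body in re.findall(r"<VirtualHost\s+[^>]*:443>(.*?)</VirtualHost>", conf, re.S):
        names, cert = [], None
        for line in body.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            key, args = parts[0].lower(), parts[1:]
            if key == "servername":
                # ServerName may carry a :port suffix; it is ignored when matching names.
                names.append(args[0].split(":")[0].lower())
            elif key == "serveralias":
                # ServerAlias takes bare names (wildcards allowed); a ":443" suffix stays literal.
                names.extend(a.lower() for a in args)
            elif key == "sslcertificatefile":
                cert = args[0].strip('"')
        vhosts.append({"names": names, "cert": cert})
    return vhosts

def select_vhost(vhosts, sni_name):
    """Name-based selection: the first block whose ServerName/ServerAlias matches the
    SNI hostname wins; with no match (or no SNI at all) the first block is the default."""
    if sni_name:
        for vh in vhosts:
            if any(fnmatchcase(sni_name.lower(), pat) for pat in vh["names"]):
                return vh
    return vhosts[0]

if __name__ == "__main__":
    vhosts = parse_vhosts(VHOSTS_CONF)
    for name in ("caridaduniversal.eu", "gnosis-sevilla.es", None):
        print(name, "->", select_vhost(vhosts, name)["cert"], "| swapped ->", select_vhost(vhosts[::-1], name)["cert"])
```

With the blocks in this order gnosis-sevilla.es only appears to work because it falls through to the default; swap the blocks and it is served the caridaduniversal certificate, which is the mixed response seen above.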
The servername parameter doesn't "fix" it because there is nothing to fix ;). The issue here is that the web server needs to use something called Server Name Indicator to serve the right certificate for the requested domain. A few years ago SNI didn't exist and you could only serve one certificate per IP, so in your case you would need 3 different public IPs to serve your 3 certs. But now, using SNI, you can have multiple certificates on the same IP, and that is the reason you need to specify the -servername parameter: to let the web server know what domain you want to reach. That is the same thing your browser (Firefox, Chrome, Opera, etc.) does.
You receive this "error" because you have not defined a ServerAlias for gnosis-sevilla.es; you have only defined this ServerName: