2 websites only 1 certificate recognized


#1

Hello. I’m relatively new to Linux after 20 years developing for the Windows environment. We lease an EC2 server from Amazon AWS. We have 2 different websites on the server which runs Ubuntu 16.04 and Nginx 1.10.3. I placed the first website (email.causeaction.com and mail.causeaction.com) in the path /var/www/html because at the time I thought that it would be the only PHP web application we would host there. I placed the 2nd website (causeaction.com and www.causeaction.com) in the path /var/www/causeaction.com/html.

I had created the certificate for email.causeaction.com a while ago and it works fine. I do NOT remember the syntax I used to create it. I was wondering if there is a Certbot command to “reconstruct” the command syntax I used to create that certificate? But that is a separate question.

Here is the syntax I used to create the latest certificate, which is NOT being recognized by web browsers.
certbot certonly --webroot -w /var/www/causeaction.com/html -d www.causeaction.com -d causeaction.com

Here is the output from the “certbot certificates” command.

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: email.causeaction.com
Domains: email.causeaction.com mailer.causeaction.com
Expiry Date: 2018-06-16 23:33:13+00:00 (VALID: 64 days)
Certificate Path: /etc/letsencrypt/live/email.causeaction.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/email.causeaction.com/privkey.pem
Certificate Name: www.causeaction.com
Domains: www.causeaction.com causeaction.com
Expiry Date: 2018-07-11 14:30:55+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/www.causeaction.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.causeaction.com/privkey.pem

When I go to https://causeaction.com I get the Warning from Firefox that there is no valid certificate.
I click on Advanced and see this message.

www.causeaction.com uses an invalid security certificate. The certificate is only valid for the following names: email.causeaction.com, mailer.causeaction.com Error code: SSL_ERROR_BAD_CERT_DOMAIN

So it is looking at the FIRST certificate and ignoring the 2nd.

Does anyone have a suggestion on how to remedy this?

I don’t want to make a mistake and ruin the current GOOD certificate for “email.causeaction.com” because that is a very busy website.

So if I could re-create the Certbot syntax used to generate the first certificate that is being recognized by the browser, then I will just add the other domain names to a single certificate. But if I could keep them separate, because they are indeed very different websites, that might be a better solution.

Thanks for any help.


#2

The certbot certonly command you used only obtains a certificate, it doesn’t install it into your webserver for you.

If you want it to try to install the certificate automatically, you can try:

certbot -a webroot -i nginx -w /var/www/causeaction.com/html -d www.causeaction.com -d causeaction.com

or if you have the latest version of certbot, this simpler version should also work:

certbot --nginx -d www.causeaction.com -d causeaction.com

Alternatively you can modify the nginx config files yourself if you know how to; this may help.

Not as such, but you can find all the relevant information (albeit in a different format) in the files under /etc/letsencrypt/renewal/.
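Added example, not code from the original thread or from Certbot: the nginx server blocks that let each site present its own certificate via SNI, using the certificate paths shown in the "certbot certificates" output above. When there is no port-443 server block whose server_name matches causeaction.com, nginx answers the TLS handshake from the default server for that port and presents the first site's certificate, which is exactly the SSL_ERROR_BAD_CERT_DOMAIN the browser reported. The HTTP-to-HTTPS redirect block and the root path used for the first site are assumptions.

```nginx
# Site 1: email.causeaction.com / mailer.causeaction.com, files under /var/www/html
server {
    listen 443 ssl;
    server_name email.causeaction.com mailer.causeaction.com;
    root /var/www/html;

    ssl_certificate     /etc/letsencrypt/live/email.causeaction.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/email.causeaction.com/privkey.pem;
}

# Site 2: causeaction.com / www.causeaction.com, files under /var/www/causeaction.com/html
# This is the block that was missing. Without a 443 block naming these hosts, nginx
# falls back to the default server for the port and serves the site 1 certificate,
# so the browser sees a name mismatch (SSL_ERROR_BAD_CERT_DOMAIN).
server {
    listen 443 ssl;
    server_name causeaction.com www.causeaction.com;
    root /var/www/causeaction.com/html;

    ssl_certificate     /etc/letsencrypt/live/www.causeaction.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.causeaction.com/privkey.pem;
}

# Plain-HTTP block for site 2 (assumed, not from the thread): keep the ACME
# challenge path reachable over HTTP so webroot renewals keep working, and
# redirect everything else to HTTPS.
server {
    listen 80;
    server_name causeaction.com www.causeaction.com;

    location /.well-known/acme-challenge/ {
        root /var/www/causeaction.com/html;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After editing, run nginx -t and reload nginx; openssl s_client -connect causeaction.com:443 -servername causeaction.com shows which certificate is actually presented for that name, which is the check to run before trusting what the browser says.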


#3

@jmorahan

Thank you so much for the help and clarification! I am using an older version of Certbot and ran the command to install the certificate.

certbot -a webroot -i nginx -w /var/www/causeaction.com/html -d www.causeaction.com -d causeaction.com

It worked like a charm. But I had to be logged in as “root” to get it to complete properly. Otherwise I got Access violation messages. This time I recorded the commands I used for future reference.

Have a great day…you sure made mine better.


#4

oops. Maybe I spoke too soon. Rather than the Green Lock images for HTTPS in Chrome and Firefox I’m seeing an ‘Info’ image which then states.

“Connection is Not secure. Parts of this page are not secure.”

Does that just mean that images are coming from HTTP?


#5

Yeah. See https://www.whynopadlock.com/results/33af0e33-e784-4564-b2b6-192fe90ba690


#6

Thanks man. What a great resource. I learn something new every day.
Now if I didn’t need to learn it so fast…it would be fun.
Haha

