A record works. CNAME doesn't

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cuttinej.com

I ran this command:

It produced this output:

My web server is (include version): Apache2 (2.4.38-3+deb10u3)

The operating system my web server runs on is (include version): Raspbian (Buster)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

I’m fairly certain this is an Apache2 configuration issue, but I’m also fairly certain that I need to be careful not to disturb the wrong config file(s). I’m more than just a little rusty, so I’m hoping someone will know what I need to adjust. Probably something simple.

When I type in the address as cuttinej.com (the A record) I get redirected to www.cuttinej.com (the CNAME record). This address shows up as untrusted in the browser. If I disable the CNAME record in my DNS (ClouDNS) then cuttinej.com goes to HTTPS as it should with no problem, so I know the certificate is working for cuttinej.com. I’d also like it to work for www.cuttinej.com. I’ve tried to take the most minimalist approach possible, so the only changes I’ve made are a couple of AllowOverride settings from None to All and whatever certbot --apache did. Any help is appreciated.

Which DNS record type you’re using doesn’t matter. Browsers don’t care. (They may even use an API that doesn’t tell them.)

At the moment, www.cuttinej.com does not have any DNS records.

http://cuttinej.com/ and https://cuttinej.com/ get a “connection refused” error. Is your web server running?

Can you show us the output of “sudo certbot certificates”?

And how is Apache configured?

Exactly what error message(s) do you get from your browser?

Your web server might be configured with HTTP redirects, or maybe your browser is automatically rewriting cuttinej.com to www.cuttinej.com, perhaps because of a redirect that used to exist. If so, you might need to type something more precise, or clear your cache, to see what’s going on. Or use a non-browser HTTP client like curl.


This is the output from sudo certbot certificates:
Found the following certs:
Certificate Name: cuttinej.com
Domains: cuttinej.com
Expiry Date: 2020-05-08 21:11:23+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/cuttinej.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cuttinej.com/privkey.pem

The server is up and running. When I ran sudo certbot --apache, 1 of the options was to rewrite all requests from http to https. I chose that option. The CNAME record is currently disabled. (I just reenabled it on ClouDNS).

I cleared all the cache and cookies.

I have to admit, I’m more than a little confused because now cuttinej.com returns www.cuttinej.com and the response is that the site can’t be found. It was working before.

No, cuttinej.com redirects to https://cuttinej.com, which returns the default Apache landing page. If yours is behaving differently, try clearing your cache.

I still get connection refused.

On January 28, a certificate was issued that included both of the names cuttinej.com and www.cuttinej.com. Where did it go?

https://crt.sh/?q=cuttinej.com

I just did clear the cache and cookies. I tried it again and got the same result. I just typed cuttinej.com in the address bar. It returned www.cuttinej.com and says the site can’t be found. It’s not showing http or https.

I don’t know if you’re doing some testing, but it keeps giving me a connection refused error, which usually means Apache isn’t running. Nmap tells me the ports are filtered (as opposed to closed), so something is going on. You’d have to check your Apache config to see if you have anything set as canonical name or any non-www to www redirects set up.

Also, if you only have a single site hosted on the server, it will route to the default configuration. If you have the default configuration with the ServerName set as www.cuttinej.com without a ServerAlias to handle the cuttinej.com traffic, it would still pass the header as cuttinej.com and give you an issue if the cert didn’t match.

CNAME does nothing but point to the IP of the hostname you point it to. It keeps the %{HTTP_HOST} header of the original domain request.

[root@Revan:~]# curl -ILv cuttinej.com
* Rebuilt URL to: cuttinej.com/
*   Trying 73.3.34.84...
* TCP_NODELAY set
* connect to 73.3.34.84 port 80 failed: Connection refused
* Failed to connect to cuttinej.com port 80: Connection refused
* Closing connection 0
curl: (7) Failed to connect to cuttinej.com port 80: Connection refused

[root@Revan:~]# curl -ILv https://cuttinej.com
* Rebuilt URL to: https://cuttinej.com/
*   Trying 73.3.34.84...
* TCP_NODELAY set
* connect to 73.3.34.84 port 443 failed: Connection refused
* Failed to connect to cuttinej.com port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to cuttinej.com port 443: Connection refused

[root@Revan:~]# nmap 73.3.34.84 -sV -v -Pn -p 80,443

Starting Nmap 7.60 ( https://nmap.org ) at 2020-02-09 20:10 CST
NSE: Loaded 42 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 20:10
Completed Parallel DNS resolution of 1 host. at 20:10, 0.00s elapsed
Initiating SYN Stealth Scan at 20:10
Scanning c-73-3-34-84.hsd1.mo.comcast.net (73.3.34.84) [2 ports]
Completed SYN Stealth Scan at 20:10, 0.23s elapsed (2 total ports)
Initiating Service scan at 20:10
NSE: Script scanning 73.3.34.84.
Initiating NSE at 20:10
Completed NSE at 20:10, 0.00s elapsed
Initiating NSE at 20:10
Completed NSE at 20:10, 0.00s elapsed
Nmap scan report for c-73-3-34-84.hsd1.mo.comcast.net (73.3.34.84)
Host is up (0.064s latency).

PORT    STATE    SERVICE VERSION
80/tcp  filtered http
443/tcp filtered https
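To make the ServerName/ServerAlias point above concrete, here is an added example of a minimal name-based virtual host pair for this setup. It is not the poster's configuration and not something certbot generated: the certificate paths are the ones printed by `sudo certbot certificates` earlier in the thread, while the DocumentRoot is an assumed placeholder. It answers for both hostnames on port 80 and 443 and canonicalizes every request to the bare name, because that is the only name the current certificate covers (its Domains line lists only cuttinej.com).

```apache
# Added example, not the poster's config. Assumed: DocumentRoot path.
# Both names are listed on each vhost so a request carrying
# "Host: cuttinej.com" or "Host: www.cuttinej.com" lands here instead
# of falling through to Apache's default vhost.

# Port 80: accept both names, send everything to HTTPS on the bare name.
<VirtualHost *:80>
    ServerName cuttinej.com
    ServerAlias www.cuttinej.com
    # Redirect to the name the certificate actually covers. Sending
    # clients to https://www.cuttinej.com/ here is exactly what produces
    # the "untrusted" warning while the cert lists only cuttinej.com.
    Redirect permanent / https://cuttinej.com/
</VirtualHost>

# Port 443: serve the site with the certbot-issued certificate.
<VirtualHost *:443>
    ServerName cuttinej.com
    ServerAlias www.cuttinej.com
    # Assumed placeholder; use the real site directory.
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/cuttinej.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cuttinej.com/privkey.pem
</VirtualHost>
```

Two checks worth running after editing: `apache2ctl configtest` (syntax) and `apache2ctl -S`, which prints which vhost each name resolves to, so a default vhost silently catching cuttinej.com shows up immediately. If the www name should also be served over HTTPS in its own right rather than redirected, the certificate must list it; with this certbot version that is `certbot --apache -d cuttinej.com -d www.cuttinej.com --expand`, after which the `Domains:` line of `certbot certificates` shows both names. Note that none of this explains ports 80 and 443 showing as filtered from outside; that has to be resolved before any vhost change can be observed remotely.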

I did do a little testing after the last response. I want to relate what happened, but it will have to wait until tomorrow. I have to be up early to go to a couple of appointments. I promise I’ll provide a more complete answer as soon as I get that all taken care of. For now, though, I have to get some sleep. Thank you (and everyone) for helping me.

Sorry it has taken so long to update this topic. Yesterday was very long and exhausting.

It’s been a very long time since I tried to setup a web server. Last time I did anything like this was around 20 years ago. A lot has changed.

After a little bit of testing with various browsers on various platforms, I’ve come to the conclusion that the problems I’m experiencing don’t have anything to do with SSL or the certificate. Rather, it’s all related to the configuration (misconfiguration) of Apache2. I initially suspected an SSL issue because certbot --apache failed a few times before finally succeeding. I never did figure out exactly why it failed or why it finally succeeded, but I’m certain now that it’s the Apache2 configuration. I think that’s also why the SSL tests aren’t able to connect with the server. I believe I’m on the right track to solving the problem. I have to do some study to get up to speed about how Apache2 works now, and then I think everything will be ok. So let’s consider this one closed, and thank you to everyone who tried to help me. I’m sorry I wasted your time, but it’s nice to know I found a good group of people who help each other.