Adding an SAN in Ubuntu - newbie, apologies in advance


#1

I successfully installed an SSL, but didn’t put in the www. domain as well, like a moron. Now I try running it again, and I only have the option to renew as is. How do I add the other domain? I have looked for simple directions, but the only one I found didn’t work. I used certbot-auto, not letsencrypt-auto if that makes a difference.


#2

If you are using a config file, then add to the domains line:

domains = example.com, www.example.com

otherwise pass the domains on the command-line with an extra -d option:

certbot certonly -n --expand -d example.com -d www.example.com

If you let us know how you set it up initially, we can be more specific.

:smiley:


#3

I only get "bash: ./certbot: No such file or directory". certbot-auto runs, but it doesn't seem to understand the rest of the commands.


#4

And as for how I set it up initially, it ran so automatically, I’m not sure I did very much at all. Not even add the right domains. :confused:


#5

try

./certbot-auto renew --dry-run -w /directory/to/webroot -d example.com -d www.example.com

If it is happy with that, you will be on the right track.

Then you can remove the --dry-run to get the certificate.

:smiley:


#6

If you provide the configuration file that’s located in /etc/letsencrypt/renewal/example.com.conf, we can probably figure out the command that matches what you previously used, plus the additional domain. :wink:


#7

Thank you so much! The renew didn't work on the dry run, but certonly did. I so appreciate your help!!


#8

Spoke too soon. The SSL checker says it's a mismatch.


#9

Did you restart your webserver after updating the certificate? Or did the script do it for you?

Check the certificate in the browser and see if the www and the normal domain are both listed.

:smiley:

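Checking the certificate's names from the shell rather than the browser, as an added example that is not code from the thread. It reads the subjectAltName list out of a PEM file (the same list the browser shows under the certificate's details), and can do the same against what a live server presents. It assumes openssl(1) is installed; the self-signed certificates it builds are constructed test data standing in for /etc/letsencrypt/live/example.com/fullchain.pem.

```shell
#!/bin/sh
# Added example, not code from the thread: confirm which hostnames a certificate
# really covers by reading its subjectAltName, the list the browser shows.
# Assumes openssl(1) is installed. The self-signed certificates built below are
# constructed test data standing in for /etc/letsencrypt/live/example.com/fullchain.pem.

# Print the DNS names in the subjectAltName of the PEM certificate on stdin, one per line.
san_names() {
    openssl x509 -noout -text \
      | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# cert_has_names CERT NAME...  ->  0 if every NAME is a SAN of CERT, 1 (plus a message) otherwise.
# A name missing here is exactly the "mismatch" an SSL checker reports for that hostname.
cert_has_names() {
    cert=$1; shift
    names=$(san_names < "$cert")
    for want in "$@"; do
        printf '%s\n' "$names" | grep -qxF -- "$want" || {
            echo "$cert does not cover $want" >&2
            return 1
        }
    done
    return 0
}

# Names in the certificate a live server presents for HOST (needs network; SNI is sent
# so a name-based vhost answers with the certificate it would give a browser).
served_names() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null | san_names
}

# make_test_cert OUT.pem NAME...  ->  throwaway self-signed cert listing NAME... as SANs
make_test_cert() {
    out=$1; shift
    alts=$(printf 'DNS:%s,' "$@" | sed 's/,$//')
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "${out%.pem}.key" -out "$out" \
        -subj "/CN=$1" -addext "subjectAltName=$alts" >/dev/null 2>&1
}

# Demo: a cert issued for both names passes; one issued for the bare domain only fails for www.
demo() {
    dir=$(mktemp -d)
    make_test_cert "$dir/both.pem" example.com www.example.com
    make_test_cert "$dir/bare.pem" example.com
    cert_has_names "$dir/both.pem" example.com www.example.com && echo "both.pem: ok"
    cert_has_names "$dir/bare.pem" example.com www.example.com || echo "bare.pem: reissue with -d www.example.com"
    rm -rf "$dir"
}
demo
```

On a real box, `cert_has_names /etc/letsencrypt/live/example.com/fullchain.pem example.com www.example.com` tells you whether certbot actually issued for both names, and `served_names www.example.com` tells you whether Apache is handing that file out; when the first passes and the second does not, the problem is the web server config, not the certificate.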

#10

Yes, restarted. The browser says the cert is bad. The config file says:

root@example:/home/natalie# sudo vi /etc/letsencrypt/renewal/example.com.conf

renew_before_expiry = 30 days
version = 0.8.1
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = c490df0f4d0140a77bfc828b7297746c
webroot_path = /var/www/html,
[[webroot_map]]
www.example.com = /var/www/html
example.com = /var/www/html

Changed the domain name to example, of course.

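Turning a renewal config into the matching certbot command, as an added example that is not code from the thread. It reads the [[webroot_map]] block and default webroot_path out of a /etc/letsencrypt/renewal/<name>.conf file and prints a `certbot certonly --webroot` line that keeps every existing domain and webroot, appends any new hostnames, and pins the lineage name with `--cert-name` so /etc/letsencrypt/live/<name>/ stays where Apache already points. The conf it writes is constructed test data shaped like the file pasted above, with a placeholder account id.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild the certbot command that matches an
# existing /etc/letsencrypt/renewal/<name>.conf and add further hostnames to it, so the
# reissued certificate keeps every name and webroot already in the file. The conf written
# by write_demo_conf is constructed test data shaped like the pasted renewal file.

# webroot_map CONF  ->  "domain<TAB>webroot" lines from the [[webroot_map]] block
webroot_map() {
    awk '
        /^\[\[webroot_map\]\]/ { inmap = 1; next }
        /^\[/                  { inmap = 0 }
        inmap && /=/ {
            split($0, kv, "=")
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
            gsub(/^[ \t]+|[ \t]+$/, "", kv[2])
            print kv[1] "\t" kv[2]
        }' "$1"
}

# expand_command CONF NEWDOMAIN...  ->  one certbot certonly line covering every domain
# already in CONF plus NEWDOMAIN... (new names get the file's default webroot_path).
# --cert-name keeps the lineage name so /etc/letsencrypt/live/<name>/ does not move;
# --expand lets certbot replace the narrower certificate without prompting.
expand_command() {
    conf=$1; shift
    lineage=$(basename "$conf" .conf)
    default_root=$(sed -n 's/^webroot_path *= *\([^,]*\),\{0,1\} *$/\1/p' "$conf" | head -n 1)
    known=" $(webroot_map "$conf" | cut -f1 | tr '\n' ' ')"
    cmd="certbot certonly --webroot --cert-name $lineage --expand"
    cmd="$cmd$(webroot_map "$conf" | awk -F'\t' '{ printf " -w %s -d %s", $2, $1 }')"
    for d in "$@"; do
        case "$known" in
            *" $d "*) ;;                               # already covered, skip it
            *) cmd="$cmd -w $default_root -d $d" ;;
        esac
    done
    printf '%s\n' "$cmd"
}

# Constructed stand-in for /etc/letsencrypt/renewal/example.com.conf (bare domain only).
write_demo_conf() {
    cat > "$1" <<'EOF'
renew_before_expiry = 30 days
version = 0.8.1
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 0123456789abcdef0123456789abcdef
webroot_path = /var/www/html,
[[webroot_map]]
example.com = /var/www/html
EOF
}

demo() {
    dir=$(mktemp -d)
    write_demo_conf "$dir/example.com.conf"
    expand_command "$dir/example.com.conf" www.example.com
    rm -rf "$dir"
}
demo
```

Run `expand_command /etc/letsencrypt/renewal/example.com.conf www.example.com` on the real file, read the line it prints, then run it (with `--dry-run` first if you want the staging check). Because every `-d` is paired with the webroot from the file, the HTTP-01 challenge files land where they did last time.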

#11

OK, so my guess is the webserver is having issues with the certificate (not loading it correctly or using a wrong location).

Was it working OK before with just the example.com? Can you be a little more specific about what the browser is saying is bad? If it was working before, then I would say the webserver is loading from the same location.

I would like to be sure that the certificate location has not changed due to you having the www.example.com before the example.com in the config file. Check to see if you now have a /etc/letsencrypt/live/www.example.com directory, you never know…

:smiley:


#12

No it hasn’t yet worked correctly. There is no directory for www.example.com.


#13

So just to be sure, you can see the certificates in /etc/letsencrypt/live/example.com/ (cert.pem, etc).

If you can, then the issue is with your webserver - which is it? Apache, nginx?

Depending on the server, either certbot can try to load them in for you, or you can manually configure it to use the certificates. For Apache:

./certbot-auto --apache --expand -d example.com -d www.example.com

:smiley:


#14

No I don’t see anything in that directory. Yes Apache. Wasn’t happy with that last line. Unless I have the directory wrong…


#15

OK, manual config then.

Somewhere you have an ssl.conf for Apache ( /etc/httpd/conf.d/ssl.conf -or- /etc/apache2/conf.d/ssl.conf - somewhere…).

In that you need to specify the location of your certificates:

<VirtualHost *:443>
    # ServerName, DocumentRoot and the rest of the site config go here
    SSLEngine on
    # fullchain.pem is the leaf plus the Let's Encrypt intermediate;
    # cert.pem alone leaves clients with an incomplete chain
    SSLCertificateFile      /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/example.com/privkey.pem
    # any other SSL options go here
</VirtualHost>

See if you can get the SSL config for Apache running and we can move on from there. A great tool for more configuration options for SSL is at https://mozilla.github.io/server-side-tls/ssl-config-generator/.

:smiley:


#16

Is that the same file as /etc/apache2/sites-available/000-default.conf?

If so the contents now are

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    <Directory /var/www/html/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>


#17

That seems very simple, so sticking with that:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    <Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # send every plain-HTTP request to the HTTPS vhost
    RewriteEngine on
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /var/www/html
    SSLEngine on
    # fullchain.pem is the leaf plus the intermediate; cert.pem alone serves an incomplete chain
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>

Note I changed the line at the beginning to remove the trailing /, the SERVER_NAME to SERVER_PORT, and the RewriteRule as well to a 301. Any other config options can be added as required.

:smiley:


#18

OK I did that. How do I add the www. alternative name?


#19

Above ServerAdmin, add:

ServerName example.com
ServerAlias www.example.com

:smiley:


#20

OK, that's all done. Should that file be named example.com.conf, or should it be the 000-default.conf? There's also a default.ssl.conf file in there, and a 000-default-le-ssl.conf file in there.