Adding domain to same certificate screws up certificate on BOTH domains

We had a working SSL connection on https://baystreetclinic.com. We’d like to use the same cert on both these domains:

https://baystreetclinic.com
https://baystreetclinic.ca

So we issued this command:

certbot certonly --cert-name baystreetclinic.com --renew-by-default -a webroot -n --expand --webroot-path=/home/bsc -d baystreetclinic.ca

Now both domains are showing an error. What did we do wrongly? The behavior we’d like is that if any of those domains are typed in the browser, we’d like the user to be taken to https://baystreetclinic.com/<request path>. Thanks.

It's necessary to list all the names you want the new certificate to include. You should run something like:

certbot certonly --cert-name baystreetclinic.com -a webroot -n --expand --webroot-path=/home/bsc -d baystreetclinic.ca -d www.baystreetclinic.ca -d baystreetclinic.com -d www.baystreetclinic.com

(If you also want to include the www subdomains.)

(--renew-by-default, also known by its newer name --force-renewal, isn't needed for this. It's just for renewing certificates unnecessarily. You're adding new names, which is different.)

https://baystreetclinic.com/ is using a certificate for baystreetclinic.ca right now, probably because of the certbot command you ran.

https://baystreetclinic.ca/ is using a certificate for shanx.com. I'm not sure why. It may be the default certificate if there isn't a server block with a matching server_name.

Could you paste "certbot certificates" and "nginx -T"?


Thank you. Yes, I’m sure I was running some wrong command. Could I just remove the certificates for baystreet* and then start afresh?

Anyway, the two commands you requested:

certbot certificates (and yes, shanx dot com is the default server block)

Certificate Name: baystreetclinic.com
    Domains: baystreetclinic.ca baystreetclinic.com www.baystreetclinic.ca www.baystreetclinic.com
    Expiry Date: 2018-08-11 23:16:19+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/baystreetclinic.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/baystreetclinic.com/privkey.pem

Certificate Name: baystreetclinic.ca
    Domains: baystreetclinic.ca baystreetclinic.com www.baystreetclinic.ca www.baystreetclinic.com
    Expiry Date: 2018-08-11 23:13:10+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/baystreetclinic.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/baystreetclinic.ca/privkey.pem

And…

nginx -T (just the blocks referring to these two domains?)

#------------------------------------------------------
#  BSC Bay Street Clinic
#------------------------------------------------------
server {
    listen 107.170.3.157:80;
    server_name   .baystreetclinic.com .baystreetclinic.ca  ;
    return 301 https://baystreetclinic.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name   baystreetclinic.com;
    root /home/bsc;

    ssl_certificate       /etc/letsencrypt/live/baystreetclinic.com/fullchain.pem;
    ssl_certificate_key   /etc/letsencrypt/live/baystreetclinic.com/privkey.pem;

    include common.conf;
    include ssl.conf;

    error_page 404 403 500 502 503 504 /40x.htm;
    location = /40x.htm { root /home/bsc; allow all; }
}

I ran the command you suggested, and now baystreetclinic.com seems to be working, but the .ca is pointing to the default server. Also, www.baystreetclinic.com still points to the default server too?

You could add the other hostnames in the server_name line. I think that will explain to nginx that you want it to use that port 443 server block (including the baystreetclinic.com certificate) for all of the hostnames, not just for baystreetclinic.com itself.

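Added example, not part of the thread and not certbot's or nginx's own code: a Python script that re-creates the diagnosis made in the replies above. It parses the text of `certbot certificates` and an `nginx -T` excerpt, picks the port-443 server block nginx would use for each hostname (exact server_name first, then a wildcard such as `.example.com`, otherwise the default block) and checks whether the certificate that block serves actually lists the name. The default block for shanx.com and its certificate path are constructed stand-ins, since the thread does not show that config; the checker assumes simple `server { ... }` blocks and does not handle regex server_names or wildcard certificate names.

```python
# Added example: offline checker that reproduces the thread's diagnosis from the
# text of `certbot certificates` and an `nginx -T` excerpt. Assumes simple
# `server { ... }` blocks, that a `listen` line mentioning 443 marks a TLS block,
# and that the first TLS block is the default. Regex server_names and wildcard
# certificate names are not handled.
HOSTS = ["baystreetclinic.com", "www.baystreetclinic.com",
         "baystreetclinic.ca", "www.baystreetclinic.ca"]

# Constructed from the thread's `certbot certificates` output (one lineage).
CERTBOT_OUTPUT = """\
Certificate Name: baystreetclinic.com
    Domains: baystreetclinic.ca baystreetclinic.com www.baystreetclinic.ca www.baystreetclinic.com
    Certificate Path: /etc/letsencrypt/live/baystreetclinic.com/fullchain.pem
"""

# Constructed nginx excerpt: a stand-in default block (the thread names shanx.com
# as the default but shows no config for it; its cert path is a placeholder),
# then the thread's own port-443 block with its original server_name line.
NGINX_BEFORE = """\
server {
    listen 443 ssl http2 default_server;
    server_name shanx.com;
    ssl_certificate /etc/letsencrypt/live/PLACEHOLDER-default/fullchain.pem;
}
server {
    listen 443  ssl  http2  ;
    listen [::]:443 ssl http2 ;
    server_name   baystreetclinic.com;
    ssl_certificate       /etc/letsencrypt/live/baystreetclinic.com/fullchain.pem;
    ssl_certificate_key   /etc/letsencrypt/live/baystreetclinic.com/privkey.pem;
    location = /40x.htm { root /home/bsc; allow all; }
}
"""
# The fix suggested in the reply: list every hostname in server_name.
NGINX_AFTER = NGINX_BEFORE.replace("server_name   baystreetclinic.com;",
                                   "server_name " + " ".join(HOSTS) + ";")

def parse_certbot_certificates(text):
    """Map each lineage's fullchain path to the set of names it covers."""
    certs, domains = {}, set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Domains:"):
            domains = set(line.split(":", 1)[1].split())
        elif line.startswith("Certificate Path:"):
            certs[line.split(":", 1)[1].strip()] = domains
    return certs

def parse_tls_server_blocks(conf):
    """Return [(server_names, ssl_certificate_path)] for blocks listening on 443."""
    blocks, body, depth = [], None, 0
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if body is None:                          # not inside a server block yet
            if line.startswith("server") and line.endswith("{"):
                body, depth = [], 1
            continue
        depth += line.count("{") - line.count("}")
        if depth > 0:                             # still inside: keep the statement
            body.append(line.rstrip(";").split())
            continue
        stmts = [w for w in body if w]            # closing brace of the block reached
        names = next((w[1:] for w in stmts if w[0] == "server_name"), [])
        cert = next((w[1] for w in stmts if w[0] == "ssl_certificate"), None)
        if any(w[0] == "listen" and "443" in " ".join(w[1:]) for w in stmts):
            blocks.append((names, cert))
        body = None
    return blocks

def name_matches(host, pattern):
    """nginx forms: exact, '.example.com' (apex + subdomains), '*.example.com'."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def select_block(host, blocks):
    """Mimic nginx: exact name first, then the longest matching wildcard, else default."""
    for names, cert in blocks:
        if host in names:
            return names, cert
    wild = [(len(n), names, cert) for names, cert in blocks
            for n in names if n[:1] in (".", "*") and name_matches(host, n)]
    return max(wild)[1:] if wild else blocks[0]

def diagnose(hosts, certbot_output, nginx_conf):
    """Per host: (certificate path nginx would serve, whether it lists the host)."""
    certs = parse_certbot_certificates(certbot_output)
    blocks = parse_tls_server_blocks(nginx_conf)
    report = {}
    for host in hosts:
        _names, cert = select_block(host, blocks)
        report[host] = (cert, host in certs.get(cert, ()))
    return report

if __name__ == "__main__":
    for label, conf in (("before", NGINX_BEFORE), ("after", NGINX_AFTER)):
        print(label, diagnose(HOSTS, CERTBOT_OUTPUT, conf))
```

Run against the "before" config it reports baystreetclinic.com as fine and the other three names as landing on the default block with a certificate that does not list them, which is exactly the name-mismatch error the browser showed; with the four names added to server_name every host maps to the baystreetclinic.com lineage and is covered. Replacing the two constructed strings with real `certbot certificates` and `nginx -T` output turns it into a quick pre-reload check that every hostname a server block answers for is actually in the certificate it serves.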

Thank you. I just deleted all certs related to all domains, and then ran this command:

certbot certonly -a webroot --expand --webroot-path=/home/bsc -d baystreetclinic.com -d www.baystreetclinic.com -d baystreetclinic.ca -d www.baystreetclinic.ca

Now it works. Thank you so much.
