Adding domains to and deleting domains from existing certificate

So, I need to create an http host next. How does it differ from a https vhost? Is it just an http version of the last line (RewriteRule) in the vhost.conf stanza? For convenience, here it is again for one of my domains.

<VirtualHost *:80>
    ServerAdmin fake@me.com
    ServerName enfeedia.com
    ServerAlias www.enfeedia.com
    DocumentRoot /srv/www/enfeedia.com/public_html/
    ErrorLog /srv/www/enfeedia.com/logs/error.log
    CustomLog /srv/www/enfeedia.com/logs/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.enfeedia.com [OR]
    RewriteCond %{SERVER_NAME} =enfeedia.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Well, the HTTP vhost listens on port 80 and the HTTPS vhost listens on port 443.
The HTTPS vhost uses a certificate while the HTTP vhost does not.

3 Likes

I understand that, but my question is, how does the block differ between the two? Notice all my domains, all having certificates (I'm planning on adding womenofaction.club to the cert), specify port 80, not port 443. Something tells me that port 443 is for TLS certs. I'm satisfied with SSL. If that's a serious mistake, please tell me. I read/hear TLS and SSL are the same except that's not exactly true, and that if I have SSL, it's OK to stay the course. I think that's all I need to know about TLS vs SSL.

Also notice the RewriteRule entry on the VirtualHost block: It specifies https. Cool. So, my question is:

Do I create an http (notice, not https) block by just writing the RewriteRule to use http (and of course using the new domain name)? Or, do I really need that RewriteRule?

I learned here that I need the http vhost block before I run the "certbot --expand" command. I'm concluding I create that for womenofaction.club by doing just this:

  • using that domain wherever the domain is specified in the vhost block (just about all the lines), and

  • changing the RewriteRule line to specify http (or don't even have a RewriteRule? Or do I even need any of the Rewrite lines?).

Once I'm clear on that, I will proceed with creating an http block for womenofaction, then add it to the existing certificate using the "certbot --expand" command.

I DEEPLY APPRECIATE all the help being provided to me here. Without this conversation, I'd really really be stuck. Having volunteers to help the likes of me is AMAZING.

1 Like

Yes, that is a serious misunderstanding. There is considerably more to this but I hope this helps:

Your VirtualHosts which use port 80 process http:// requests to your domains. So, when we say your HTTP VHost this is the one we mean.

Your VirtualHosts which use port 443 process https:// requests to your domains. So, an HTTPS VHost is this one.

HTTP VHosts (so, port 80) do not have certificates defined.

HTTPS VHosts (port 443) require certificates. There is no SSL Certificate or TLS Certificate. There is just an SSL/TLS Certificate (LE calls it that). SSL and TLS do not describe the cert; they describe a protocol. TLS is newer and replaced SSL. But, often people just say SSL or TLS interchangeably to mean a connection secured by a cert. And, server config settings often say SSL because that's where it all started.

Example: Apache has an SSLProtocol config setting. Yet, it is often set to disable SSL protocol versions and use only TLS versions (1.2 and 1.3 more current). Regardless of the protocol versions selected, the cert is the same. You can play around with Mozilla SSL Configurator to see these options.

3 Likes

Thank you for that. I'm really struggling, as you can tell.

My current status is I have 14 domains (counting both www and non-www versions) and all are working well. By that I mean, people successfully access the websites with browsers without security complaint. I don't even know if I have port 443 VirtualHost blocks for them. Where do I look?

I just want to add two more (www and non-www versions of the same domain).

I think I'm told in this thread that I can run the certbot --expand command to do that, providing I already have a VirtualHost block for it. Port 80 or port 443 or both?

But I don't have a VirtualHost block for the new domain. Can someone give me a template for it such that I just edit in the domain name, and tell me where they should be stored?

Regarding the port number, tell me whatever it has to be. If it is to be 443, will my current domains continue to be covered by the certificate if the VirtualHost file uses port 80? Do I need two VirtualHost files, one with port 80 and one with port 443, for the new addition?

Do I have to even create a VirtualHost file when running the certbot --expand command, i.e., does that process create VirtualHost blocks for me?

I'm guessing what to do because, well, I'm terribly confused. Just when I think I have an understanding of the exact steps I need to do, I get a wrench in the works. I hope you or someone can provide very clear step by step instructions. What do I need to create, where is it stored, etc., before I do the certbot --expand command. Or point me to documentation, if it takes into account my case of having port 80 VirtualHost blocks.

I guess I could just hack my way through variations of this, backing up my server first, then restoring when it doesn't work. I hate the thought of trial and error like that.

If you want to use the same cert [with all names on it] on all your sites - this is NOT a requirement.

You can also issue individual certs - one for each set of names [domain + www].

certbot can create the HTTPS vhost [port 443] from an existing HTTP vhost [port 80].
[certbot will NOT create the HTTP vhost]
Note: You must have a working HTTP site before trying to secure it using HTTP authentication.

2 Likes

Then that's the plan. I choose to group all my domains under one certificate, fully understanding it's not a requirement. At the moment, I believe the one I'm trying to include, and one more I envision coming into existence (don't have the domain name yet), will be the last domains I will create. The one in focus right now is womenofaction.club.

I already own the domain name (hosted at GoDaddy) and have the DNS settings for womenofaction.club set up. I have some files akin to hello world located on the server 45.56.67.89 (hosted at Linode) where all of my sites are hosted.

  1. I will re-include the HTTP (port 80) VirtualHost block and verify no harm to existing sites. (Previously I experienced all the sites were blocked as if they didn't exist.) If I can't get past this step, I go no further, but instead troubleshoot the problem. In other words, I'll be Bach.

  2. Assuming all is well with the existing domains, I will then run the certbot --expand -d command listing all existing domains plus the new one (actually two ... both the www and non-www versions) in comma-separated fashion.

Then test. That should do the trick. I will of course report back here.

Testing should be done against the staging environment, using:
--dry-run

3 Likes
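One way to carry out the plan above (the port-80 template asked for earlier, then the expand run against staging first), as an added example that is not the thread's own code. It assumes the poster's /srv/www/<domain>/ layout, webmaster@<domain> as ServerAdmin, Debian-style Apache paths, and certbot's Apache plugin.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the port-80 vhost a new
# domain needs and assembles the certbot --expand command, staging first.
# Assumptions: the poster's /srv/www/<domain>/ layout, webmaster@<domain> as
# ServerAdmin, and certbot's Apache plugin (--apache).

# Emit an HTTP (port 80) VirtualHost for one domain plus its www alias.
# No SSL* lines and no RewriteRule: certbot creates the port-443 vhost and
# can add the https redirect itself when it secures the site.
make_http_vhost() {
    domain="$1"
    cat <<EOF
<VirtualHost *:80>
    ServerAdmin webmaster@${domain}
    ServerName ${domain}
    ServerAlias www.${domain}
    DocumentRoot /srv/www/${domain}/public_html/
    ErrorLog /srv/www/${domain}/logs/error.log
    CustomLog /srv/www/${domain}/logs/access.log combined
</VirtualHost>
EOF
}

# Append the non-www and www forms of a new domain to an existing
# comma-separated list of names already on the certificate.
add_domain_pair() {
    printf '%s,%s,www.%s' "$1" "$2" "$2"
}

# Build the certbot command. Every name must be repeated: --expand replaces
# the cert with one covering exactly the -d list. An optional second
# argument (e.g. --dry-run) is appended so the staging run comes first.
build_expand_cmd() {
    printf 'certbot --apache --expand -d %s%s' "$1" "${2:+ $2}"
}

# Typical use on a Debian-style Apache (paths are assumptions):
#   make_http_vhost womenofaction.club > /etc/apache2/sites-available/womenofaction.club.conf
#   a2ensite womenofaction.club && apachectl configtest && systemctl reload apache2
#   names=$(add_domain_pair "enfeedia.com,www.enfeedia.com" womenofaction.club)
#   eval "$(build_expand_cmd "$names" --dry-run)"   # staging; rerun without --dry-run when clean
```

Confirm the new site answers plain http:// requests before the expand run, since the HTTP-01 check is served from that port-80 vhost.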

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.