Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: wordme.app
I ran this command:
It produced this output:
My web server is (include version): Apache/2.4.56 (Debian) and Apache Tomcat/9.0.33
The operating system my web server runs on is (include version): Debian 11.9
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.10.0
I have an existing certificate which is renewed automatically, but it was issued only for my domain name. Now I want to add my mail server to the certificate:
If I do, should I update anything with SSL keys, update commands, or anything else at all? It is crucial that both my Apache and Tomcat servers run smoothly without interruption.
Apache and Tomcat uses different ports but both serves https requests
My problem is that I use secure connection for my emails but the name of my mail server is not in the certificate and therefore outlook always complains.
Thanks. Your Apache server currently responds to HTTP (port 80) requests for both domains.
There are several ways to handle this. My first suggestion is to create a dedicated VirtualHost in Apache for your mail.wordme.app domain for port 80 only.
Your script should do whatever you need to process the new cert for Tomcat and mail. This might be copying it somewhere else, or reloading Tomcat, or whatever you need to do.
When that is all done, you can test the auto-renew with
I would get a separate certificate for the mail.wordme.app domain. There is no real benefit to including both in a single certificate anymore, and this will make overall management and future networking changes much easier.
Trying to do this with an apache authenticator + virtual host as @MikeMcQ suggests is a good first step.
I opted to install another certificate and now everything works smoothly.
Just for the record, I had to create the apache2 virtualhost for the :443 manually by adding the redirect part to the :80 and the SSL to the :443. I'm not sure whether it is needed though, as I had to set the SLL for postfix and dovecot (that's what I originally wanted), but it won't hurt if mail.wordme.app brings the visitor to my homepage, so I'm fine with that.
IIRC, Certbot only needs the port 80 virtualhost to handle the authentication. I think the 443 block is not used at all, just the intended result of the process.
I think you can just put a rewrite rule in the 443 block to redirect all users to https:///wordme.app, and renewals will work fine.
Yeah, the example command I used was certonly so Certbot would not have updated the Apache config permanently.
Their root domain already had the needed changes so nothing lost by changing that from --apache to certonly --apache. The mail domain would have renewed with just the VirtualHost for port 80.
They could have done any number of things in that VirtualHost even sending out a "Wrong Page" html. Because the --apache plugin inserts the needed code on the fly it would not have mattered. There is no need to make a VHost for port 443 for mail domain and redirect to it from port 80.
It sounds like they made it harder than it needed to be but that's fine. It's good when someone takes responsibility of their own system rather than blindly relying on anyone's advice - even if it is good advice