Adding names to existing certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: troubleinutopia.com

My web server is (include version): Apache 2.4.46

The operating system my web server runs on is (include version): Ubuntu 20.4

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

Hi,

This is a very basic question but I am new to setting up and running my server.

I have set up the domain troubleinutopia.com and got the certificate set up for that. However I also have set up another domain trbl.site which I have set only to be able to use a shorter domain name.

I have set this up in my virtualhosts file with a 301 redirect.
<VirtualHost *:80>
    ServerName trbl.site
    ServerAlias www.trbl.site
    Redirect 301 / http://troubleinutopia.com
</VirtualHost>

I set up the original certificate by running certbot --apache

If I run this again I see all correct names listed in the output "Which names would you like to activate HTTPS for?"
1: trbl.site
2: www.trbl.site
3: troubleinutopia.com
4: www.troubleinutopia.com

My question is, can I just proceed with this, selecting all the domains here, or should I just select the new ones, or is there a better command I should run to achieve having a certificate for all?

There are some similar questions on this forum, but they did not seem to match my exact question.

Many thanks

Francis

2 Likes

Welcome to the Let's Encrypt Community, Francis 🙂

You have many valid options here. Personally, I recommend keeping all the domain names under one certificate since the new site is just an alias of the old site. As long as they all share a common webroot directory for their content, which I'm sure they do here, you should have no trouble.

Try this:

sudo certbot certonly --apache -d "troubleinutopia.com,www.troubleinutopia.com,trbl.site,www.trbl.site" --dry-run

If that works, use this:

sudo certbot --cert-name troubleinutopia.com --apache -d "troubleinutopia.com,www.troubleinutopia.com,trbl.site,www.trbl.site"

3 Likes

Have you made (or will you be making) any considerations for the new secured site connections?
https://trbl.site/
https://www.trbl.site/

I'm pretty sure the --apache plugin for certbot won't be able to create a working secure vhost config from a config that forwards everything to another site.
It might try...
Removing the forwarding and inserting the cert.
But which DocumentRoot would it use?

2 Likes

Thanks for the reply and the welcome,

The dry run came out successful. The domains have the same shared root – although I have not specified that for the second domain – perhaps I should?

<VirtualHost *:80>
    ServerAdmin francis@troubleinutopia.com
    ServerName troubleinutopia.com
    ServerAlias www.troubleinutopia.com
    DocumentRoot /var/www/html/
    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.troubleinutopia.com [OR]
    RewriteCond %{SERVER_NAME} =troubleinutopia.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
    ServerName trbl.site
    ServerAlias www.trbl.site
    Redirect 301 / http://troubleinutopia.com
</VirtualHost>

1 Like

Thanks for the reply! They both use the same vhosts, and same document root – this is my current config:

<VirtualHost *:80>
    ServerAdmin francis@troubleinutopia.com
    ServerName troubleinutopia.com
    ServerAlias www.troubleinutopia.com
    DocumentRoot /var/www/html/
    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.troubleinutopia.com [OR]
    RewriteCond %{SERVER_NAME} =troubleinutopia.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
    ServerName trbl.site
    ServerAlias www.trbl.site
    Redirect 301 / http://troubleinutopia.com
</VirtualHost>

1 Like

That is incorrect.
The short name vhost config has no document root statement.
It forwards to the other name and that longer name has a document root and thus it seems like both names produce the same content - but one just hands it to the other.

2 Likes

Now just use the second command I gave you then fix your forwarding via @rg305's guidance.

2 Likes

The problem is that in the end you will have two HTTP vhosts and only one HTTPS vhost.

2 Likes
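
Added example, not part of the thread and not Certbot's own code: a small audit of the situation the replies describe, listing which certificate names have no `*:443` vhost, which vhosts redirect to plain `http://`, and which have no `DocumentRoot`. The `*:443` vhost in the sample is an assumption about what `certbot --apache` created for the main site, and the function names are hypothetical.

```python
import re

# Constructed sample: the thread's two port-80 vhosts plus an assumed *:443 vhost for the
# main site; CERT_NAMES are the names passed to -d in the thread.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName troubleinutopia.com
    ServerAlias www.troubleinutopia.com
    DocumentRoot /var/www/html/
</VirtualHost>
<VirtualHost *:80>
    ServerName trbl.site
    ServerAlias www.trbl.site
    Redirect 301 / http://troubleinutopia.com
</VirtualHost>
<VirtualHost *:443>
    ServerName troubleinutopia.com
    ServerAlias www.troubleinutopia.com
    DocumentRoot /var/www/html/
</VirtualHost>
"""
CERT_NAMES = ["troubleinutopia.com", "www.troubleinutopia.com", "trbl.site", "www.trbl.site"]
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Argument lists of every `name` directive in a vhost body (comment lines never match)."""
    return [m.split() for m in re.findall(rf"^\s*{name}[ \t]+(.+)$", body, re.I | re.M)]

def parse_vhosts(conf):
    """One dict per <VirtualHost> block: port, names, DocumentRoot, Redirect target."""
    for addr, body in VHOST_RE.findall(conf):
        docroot, redirect = directive(body, "DocumentRoot"), directive(body, "Redirect")
        yield {
            "port": addr.split()[0].rsplit(":", 1)[-1],
            "names": [n.lower() for d in ("ServerName", "ServerAlias")
                      for args in directive(body, d) for n in args] or ["(unnamed)"],
            "docroot": docroot[0][0] if docroot else None,
            "redirect": redirect[0][-1] if redirect else None,  # last token = target URL
        }

def audit(conf, cert_names):
    """Compare the certificate's names against the vhosts that would actually serve them."""
    vhosts = list(parse_vhosts(conf))
    https_names = {n for v in vhosts if v["port"] == "443" for n in v["names"]}
    return {
        "no_https_vhost": [n for n in cert_names if n not in https_names],
        "redirects_to_http": [v["names"][0] for v in vhosts
                              if (v["redirect"] or "").startswith("http://")],
        "no_docroot": [f'{v["names"][0]}:{v["port"]}' for v in vhosts if not v["docroot"]],
    }
```

On the sample, `audit(SAMPLE_CONF, CERT_NAMES)` reports both `trbl.site` names as lacking an HTTPS vhost. The parser matches exact names only and does not expand wildcard aliases or follow `Include` directives.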
