After certbot-auto browsers get wrong domain when another is requested

My domains are:
nyqm.org and morningsidemeeting.org
I ran this command:
browse to https://nyqm.org
It produced this output:
Apache returned morningsidemeeting.org index page
My web server is (include version):
Server version: Apache/2.4.7 (Ubuntu)
The operating system my web server runs on is (include version):
Linux version 4.18.16-x86_64-linode118 (maker@build.linode.com) (gcc version 4.9.2 (Debian 4.9.2-10+deb8u1)) #1 SMP PREEMPT Mon Oct 29 15:38:25 UTC 2018

My hosting provider, if applicable, is:
linode
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
# certbot-auto --version
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a release (2.7.7+) that supports hmac.compare_digest as soon as possible.
utils.PersistentlyDeprecated2018,
certbot 0.38.0
The problem:
My web server setup was working fine until I installed ssh and used certbot-auto to generate certs and set up my config files. The certificate files are the same for both web domains, since the domains share the same IP address.
After this, I was getting a different domain than the one requested by the browser, e.g. browsing to https://nyqm.org returned the front page for https://morningsidemeeting.org, and sometimes the opposite, but never consistently correctly.
So after days of searching and trying various configurations of the Apache conf file, all with no joy, I finally discovered that it is necessary to have the following in your Apache config file, right at the top:

```
# apache configuration for nyqm.org
# with www.nyqm.org, www.morningsidemeeting.org
# with ssl :443 and non-ssl at :80
# require strict server name indicator ssl checking to avoid
# getting the wrong server when there are multiple domains sharing the same IP address:

SSLStrictSNIVHostCheck on
```

I am submitting this information so that others who find themselves similarly stumped can find a solution online, and also to encourage the certbot-auto team to have cert-bot routinely add this directive to the Apache configuration as part of the config files edit that cert-bot does.
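
Added example, not part of the original post and not certbot's or Apache's code: a simplified model of Apache name-based virtual host selection, run over a constructed config, that reports which `*:443` vhost would answer for a hostname and whether `SSLStrictSNIVHostCheck` is set at server level. The config contents and the helper names `parse` and `route` are assumptions for illustration; only the two hostnames and the directive come from the post.

```python
import re
from fnmatch import fnmatch

# Constructed sample, not the poster's file: only the two hostnames and the
# SSLStrictSNIVHostCheck directive come from the post.
SAMPLE_CONF = """\
# strict SNI checking, set at server level
SSLStrictSNIVHostCheck on
<VirtualHost *:443>
    ServerName morningsidemeeting.org
    ServerAlias www.morningsidemeeting.org
</VirtualHost>
<VirtualHost *:443>
    ServerAlias www.nyqm.org
</VirtualHost>
"""

def parse(conf):
    """Return (strict_sni_at_server_level, [(address, [names]), ...]) in file order."""
    strict, vhosts, current = False, [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = (opened.group(1).strip(), [])
            vhosts.append(current)
        elif line.lower().startswith("</virtualhost"):
            current = None
        else:
            key, *args = line.split()
            if key.lower() in ("servername", "serveralias") and current is not None:
                current[1].extend(a.lower() for a in args)
            elif key.lower() == "sslstrictsnivhostcheck" and current is None:
                strict = bool(args) and args[0].lower() == "on"
    return strict, vhosts

def route(conf, hostname, address="*:443"):
    """Return (names of the vhost that answers, True if it matched by name)."""
    same_addr = [names for addr, names in parse(conf)[1] if addr == address]
    for names in same_addr:
        if any(fnmatch(hostname.lower(), n) for n in names):
            return names, True
    # No ServerName/ServerAlias matched: the first vhost for the address answers.
    return (same_addr[0] if same_addr else []), False
```

In the constructed config the second vhost has no `ServerName nyqm.org`, so a request for `nyqm.org` is answered by the first vhost while `www.nyqm.org` is matched by name.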
