This seems to be a common problem, and apparently most people give up and buy an IP address for each individual domain. How can virtual domains be so broken for years?
I go to quantum-equities.com and get: Bad Request Your browser sent a request that this server could not understand. Reason: You’re speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please.
So I go to https://quantum-equities.com and get: Your connection is not secure The owner of quantum-equities.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
I check the cert it’s using and it’s the server’s local self-signed cert at /etc/pki/tls/certs/localhost.crt rather than the LetsEncrypt cert for this site.
Huh? I’ve set the cert properly and it exists there. I’ve carefully walked down
/etc/letsencrypt/archive/quantum-equities.com/* and granted Apache group permission to enter the directories and read files. I’ve disabled selinux. There are no errors in /var/log/httpd/ssl_error_log
This is probably because of the <VirtualHost *>. It doesn't specify a port, so it matches both HTTP (port 80) and HTTPS (port 443). You've therefore enabled HTTPS on port 80 as well as port 443, which is why http://quantum-equities.com doesn't work. Use <VirtualHost *:443> instead.
EDIT: to clarify, you need a <VirtualHost *:443> for the HTTPS version of your site, and a separate <VirtualHost *:80> for the HTTP version (even if it's just a redirect).
This is probably because of a conflict between different VirtualHosts in your Apache configuration. Try something like this to help identify the problem:
All I had to do was edit /etc/httpd/conf.d/ssl.conf and comment out everything to do with {Virtualhost} there. Using {VirtualHost *} in my file works just fine. https://quantum-equities.com
Yes, your HTTPS site is working fine now, and if you’re happy with just that, that’s great but http://quantum-equities.com/ is still broken - anyone visiting it will receive the same 400 error as before. You might want to fix that and add a redirect instead.
Right, it doesn’t work because of the <VirtualHost *>. The server is listening for HTTPS on port 80, rather than HTTP. You can confirm this by visiting https://quantum-equities.com:80 to connect to port 80 over HTTPS.
So you want to change your <VirtualHost *> to <VirtualHost *:443>, and add a new <VirtualHost *:80> just for HTTP, with no SSL directives in it.
Also…
I don’t think you need the :443 in the first RewriteRule
and the second one doesn’t seem to do anything useful… perhaps you meant %{SERVER_NAME} rather than %{HTTP_HOST}?
Hmm... probably not. If you remove it, you can test if renewal still works correctly by using certbot renew --dry-run. Usually it should, unless the rest of your configuration is very unusual.
It extracts the information from your existing certificates
And you only need to run it once (per cron or timer run); it will examine all your certificates and determine automatically which ones need to be renewed. You also don’t need to specify --apache as the plugin that was used is also remembered. This information is stored in /etc/letsencrypt/renewal.
You shouldn't try to change the plugin when renewing with certbot renew; if you're not happy with the plugin that was used before, you can renew with certonly --force-renew and change the plugin at that time.
certonly never restarts Apache because it doesn't use an installer at all. In order to use an installer plugin, you would need to have used the (default) run command instead of certonly. (The meaning of certonly is "I only want the certificate, I don't want Certbot to install it for me".)
If you want to restart Apache when using a different plugin and/or using certonly, you can add a --deploy-hook option (which doesn't need to be respecified every time) for a service apache reload or similar command.
Oh, I was told to use certonly, but maybe that was for troubleshooting.
I've heard back from my registrar, and I don't understand why delphi-real-estate.com was represented as DNSSEC (as opposed to the others), but to solve it he just turned DNSSEC on. His explanation isn't clear, but I now have my delphi cert and all domains are now cranking.
"_After reviewing your domain configurations, The domain was not signed with DNSSEC, even though you had your Delegation Signer Records. By turning on DNSSEC is the DNS Configuration panel, it added the DNSKEY and RRSIGs to the domain. And synchronized properly. I was able to verify that DNSSEC is working through verisignlab's DNSSEC debugger, you can also check with the link below. _
_DNSSEC Analyzer - delphi-real-estate.com_"
Somehow he's enabled DNSSEC -- I'd thought that DNSSEC required the domain's cert, but I haven't gotten to that part yet so maybe I'm wrong. The certbot renew --dry-run now works perfectly. I've removed the cron entry and made a systemd timer for it:
CentOS7's certbot package comes with a certbot-renew.service and certbot-renew.timer, but both are inadequate to me. So in /usr/local/lib/systemd/systemd I made a letsencrypt.timer (above) and letsencrypt.service. The .service must have the same name as the .timer, and you 'systemctl enable/start' the timer, not the service. Systemd timers are intended to eventually replace cron's.
I've now changed all the certs to rely on the Apache plugin, thanks Schoen.
Nice, thanks Mitchell. Your config actually redirects www. correctly, as opposed to mine. I've converted everything to your format. There is some problem with the CustomLog entry but I'll figure that out.
Sorry, I did mean using certonly as well, so I probably should have said certbot certonly --force-renew
Nope, DNSSEC is independent of certificates. You can have a certificate for a domain that has never used DNSSEC, and you can have DNSSEC for a domain that has never used a certificate.
Certificates confirm a site's public key for TLS connections, while DNSSEC cryptographically confirms the validity of any DNS entry, most importantly reflecting the site's IP address. So they are typically providing different information and also issued by different authorities.
There are a couple of sort-of interactions between them:
If your DNSSEC records are invalid or don't verify, Let's Encrypt won't issue you a new certificate until the problem is fixed. However, you aren't required to use DNSSEC at all in order to get a certificate.
There's another protocol called DANE if you want to declare public key information directly in DNS records, which is used in conjunction with DNSSEC. DNS-based Authentication of Named Entities - Wikipedia However, the use of DANE is also optional and it is not very widely supported on the client side yet.