AWS EC2 UCC SSL Certificate

#1

I have an AWS EC2 instance running on public IP where two different domain websites are being setup.

My domain are : tattvadesigns.co.in and zestatech.com

My web server is (include version): Apache 2.4.39

The operating system my web server runs on is (include version): Windows Server 2012 R2

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): YES, through RDP I login into the Virtual Machine.

I am using latest Wamserver with Virtual Host and Wordpress to setup two websites - one for tattvadesigsn.co.in and another for zestatech.com .

For SSL I need a certificate but I understand that I cannot get certificate for IP but for domain. Since I have two domains, I understand I have to get a UCC SSL certificate. Please help me with the process. I have downloaded win-acme.

#2

Hi @shashank4897,

Welcome to the community forums.

Have you checked out any of the Windows clients listed on https://letsencrypt.org/docs/client-options/ ? While you experiment, I recommend using the staging environment so that you avoid hitting rate limits.

You don’t necessarily need to get a UCC certificate. Instead, you can issue a certificate for both www.example.com and example.com and another certificate for both www.example.org and example.org.

.

#3

Thanks Phil…The client I am planning to use is in the list - win-acme.What I want to know is can a single certificate work for two different domains - tattvadesigns.co.in and zestatech. I have been searching on the Internet and trying to find that if I take a certificate with one domain - say tattvadesigns,co.in , can apache be configured to take the ssl request for the second domain - zestatech.com

#4

Hi @shashank4897

yes, it’s possible. You can create one certificate with a lot of domain names and use the same certificate with different vHosts.

But maybe it’s not the best solution.

Windows 2012 supports SNI, so you can create different Webservers with different bindings, every binding uses an own certificate.

1 Like
#5

Hi Juergen…Thanks for the guidance.

I tried creating a certificate for domain tattvadesigns.co.in using win-acme client…I am posting the entire command and response…It gives authorisation error … The webserver is Apache 2.4.39 on Windows 2012 R2 Server on AWS running Wamp 3.0 with Wordpress.
I checked on the browser to access a file using http://ipaddress/tattvadesigns/ , I am able to browse but with the command
http://tattvadesigns.co.in/ it shows the website home page. The domain tattvadesigns.com has been redirect URL to http://ipaddress/tattvadesigns.

c:\ftp\win-acme.v2.0.7.315>wacs.exe --target manual --host www.tattvadesigns.co.
in --validation filesystem --webroot “C:\wamp\www\tattvadesigns” --store pemfile
s --pemfilespath “C:\ftp” --test --verbose

[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.0.7.315 (RELEASE)
[INFO] IIS not detected
[INFO] Please report issues at https://github.com/PKISharp/win-acme

[VERB] Verbose mode logging enabled
[VERB] Arguments: --target manual --host www.tattvadesigns.co.in --validation f
ilesystem --webroot C:\wamp\www\tattvadesigns --store pemfiles --pemfilespath C:
\ftp --test --verbose
[DBUG] Config folder: C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.
org
[DBUG] Certificate cache: C:\ProgramData\win-acme\acme-staging-v02.api.letsencr
ypt.org\Certificates
[VERB] Settings SettingsService {ConfigPath=“C:\ProgramData\win-acme\acme-st
aging-v02.api.letsencrypt.org”, CertificatePath=“C:\ProgramData\win-acme\acme
-staging-v02.api.letsencrypt.org\Certificates”, ClientNames=[“win-acme”, “win-a
cme”], RenewalDays=55, HostsPerPage=50, ScheduledTaskRandomDelay=00:00:00, Sched
uledTaskStartBoundary=09:00:00, ScheduledTaskExecutionTimeLimit=02:00:00}
[VERB] Sending e-mails False
[DBUG] Renewal period: 55 days
[INFO] Running in mode: Unattended, Test
[INFO] Target generated using plugin Manual: www.tattvadesigns.co.in
[VERB] Checking [Manual] www.tattvadesigns.co.in
[DBUG] Loading signer from C:\ProgramData\win-acme\acme-staging-v02.api.letsenc
rypt.org\Signer_v2
[DBUG] Send GET request to https://acme-staging-v02.api.letsencrypt.org/directo
ry
[DBUG] Send HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/n
ew-nonce
[DBUG] Loading account information from C:\ProgramData\win-acme\acme-staging-v0
2.api.letsencrypt.org\Registration_v2
[DBUG] Send POST request to https://acme-staging-v02.api.letsencrypt.org/acme/n
ew-order
[DBUG] Send GET request to https://acme-staging-v02.api.letsencrypt.org/acme/au
thz/uzOV9TIgpXQjwB4AFk1LQ026ZCsUQkdNokwdtcsnpHI
[INFO] Authorize identifier: www.tattvadesigns.co.in
[INFO] Authorizing www.tattvadesigns.co.in using http-01 validation (FileSystem
)
[VERB] Writing file to C:\wamp\www\tattvadesigns.well-known\acme-challenge\YDP
fQhf3NpjmnqeIRZlV1-kaTrr1rY-1ktRx62r-rM0
[INFO] Answer should now be browsable at http://www.tattvadesigns.co.in/.well-k
nown/acme-challenge/YDPfQhf3NpjmnqeIRZlV1-kaTrr1rY-1ktRx62r-rM0
[WARN] Preliminary validation failed, found (null) instead of YDPfQhf3NpjmnqeIR
ZlV1-kaTrr1rY-1ktRx62r-rM0.NCffHFKn7CGHb8lTNQGzq-jtzRdGqLgK2dJ9KK8NNcI
[DBUG] Submitting challenge answer
[DBUG] Send POST request to https://acme-staging-v02.api.letsencrypt.org/acme/c
hallenge/uzOV9TIgpXQjwB4AFk1LQ026ZCsUQkdNokwdtcsnpHI/323813703
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-staging-v02.api.letsencrypt.org/acme/ch
allenge/uzOV9TIgpXQjwB4AFk1LQ026ZCsUQkdNokwdtcsnpHI/323813703
[EROR] {
“type”: “urn:ietf:params:acme:error:unauthorized”,
“detail”: “Invalid response from http://www.tattvadesigns.co.in/.well-known/ac
me-challenge/YDPfQhf3NpjmnqeIRZlV1-kaTrr1rY-1ktRx62r-rM0 [184.168.131.241]: “<!
DOCTYPE HTML PUBLIC \”-//W3C//DTD HTML 4.01//EN\”\n \“http://www.w3.org
/TR/html4/strict.dtd\”>\n\n\n\n Tattvadesi"",
“status”: 403
}
[EROR] Authorization result: invalid
[DBUG] Deleting answer
[VERB] Deleting file C:\wamp\www\tattvadesigns.well-known\acme-challenge\YDPfQ
hf3NpjmnqeIRZlV1-kaTrr1rY-1ktRx62r-rM0
[VERB] Deleting folder C:\wamp\www\tattvadesigns.well-known\acme-challenge
[VERB] Deleting folder C:\wamp\www\tattvadesigns.well-known
[EROR] Create certificate failed: Authorization failed

#6

That can’t work. There is not your website, there is a frame with your website ( https://check-your-website.server-daten.de/?q=tattvadesigns.co.in ):

Your ip address:

Host T IP-Address is auth. ∑ Queries ∑ Timeout
tattvadesigns.co.in A 184.168.131.241
Scottsdale/Arizona/US yes 2 0
AAAA yes
www.tattvadesigns.co.in C tattvadesigns.co.in yes 1 0
A 184.168.131.241
Scottsdale/Arizona/US yes

The frame:

<frame src="[http://13.233.201.28/tattvadesigns](view-source:http://13.233.201.28/tattvadesigns)" frameborder="0" />

Your DNS A entry must go directly to your 13.233.201.28.

And connecting this ip address with the correct host header must work - https://check-your-website.server-daten.de/?q=13.233.201.28&h=tattvadesigns.co.in

Result: Your /.well-known/acme-challenge sends a http status 200 checking a not existing file:

Domainname Http-Status redirect Sec. G
http://tattvadesigns.co.in/
184.168.131.241 200 0.800 H
http://www.tattvadesigns.co.in/
184.168.131.241 200 0.873 H
https://tattvadesigns.co.in/
184.168.131.241 200 1.987 N
Certificate error: RemoteCertificateNameMismatch
https://www.tattvadesigns.co.in/
184.168.131.241 200 1.983 N
Certificate error: RemoteCertificateNameMismatch
http://tattvadesigns.co.in/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
184.168.131.241 200 0.530
Visible Content: Tattvadesign Store
http://www.tattvadesigns.co.in/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
184.168.131.241 200 0.403
Visible Content: Tattvadesign Store

There is a http status 404 - Not Found expected.

You can’t create a certificate via http-01 validation if you use such a “frame redirect”. And a certificate would not work, if you use src=“ip-address”.

3 Likes