Blogs for domain and sub-domain not getting https


#1

Please see the info below; it looks like I am missing something or some next steps? Thanks –

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: thegioitours.com

I ran this command: ./certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns-01 -d *.thegioitours.com -d thegioitours.com

And then: ./certbot-auto certificates

It produced this output:

Found the following certs:
Certificate Name: thegioitours.com
Domains: *.thegioitours.com thegioitours.com
Expiry Date: 2018-07-18 20:05:55+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/thegioitours.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/thegioitours.com/privkey.pem

My web server is (include version): Apache

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

Hi @oneV,

“certonly” means “only obtain the certificate, don’t install it”. So you still have to install your new certificate in your Apache configuration yourself in this case.


#3

Thanks @schoen - please teach me the command to install based on my info previously provided?


#4

If you want Certbot to try to install the new certificate for you based on existing Apache virtual hosts, you should use something like

./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -a -manual --preferred-challenges dns-01 -d "*.thegioitours.com" -d thegioitours.com -i apache

Otherwise, you’ll have to edit your configuration files in /etc/apache2 yourself.


#5

I copied and pasted your command and it said:
certbot: error: argument -a/--authenticator: expected one argument

Where should I correct? Thanks


#6

I made a typo with -manual. It should be -a manual, not -a -manual. Sorry about that.


#7

It ran and asked to keep the existing certificates and then showed this:

No vhost exists with servername or alias for domain *.thegioitours.com. No vhost was selected. Please specify ServerName or ServerAlias in the Apache config.

Sorry for many questions and thanks for your help.


#8

How are you expecting to use the wildcard in terms of your Apache configuration? Did you just want to add specific virtual hosts with specific subdomain names without having to get a new certificate, or are you planning to have a default or wildcard virtual host that you use together with a wildcard DNS entry? Or some other approach?


#9

I plan to put together a multisite WordPress blog with thegioitours.com as the main site and *.thegioitours.com as the sub-domain sites, and I want all main and sub-domain sites on that WordPress multisite with https.
Not sure if it answers your questions, but that’s the use case.


#10

Could you run this command?

sudo apachectl -t -D DUMP_VHOSTS


#11

I did - do I need to post the output?


#12

Just in case:

VirtualHost configuration:
*:80 tgts-vm.c.tgts-20180418.internal (/etc/apache2/sites-enabled/000-default.conf:1)


#13

One of my colleagues suggested:

make a copy of 000-default.conf in sites-available, run sudo a2ensite name-of-new-conf-file (you can also just create the symlink to sites-enabled manually), and add ServerName thegioitours.com and ServerAlias *.thegioitours.com to the vhost.

What did you do on this machine to set up WordPress?


#14

I just signed up for Google Cloud and selected the WordPress Multisite deployment without any modifications, except passwords.


#15

@bmw, could you help out with this?


#16

Just an FYI: https://crt.sh/?q=%.thegioitours.com
There have been six certs registered that contain “*.thegioitours.com” and two of them are from CloudFlare.


#17

@joohoi, using the power of time zones, you might be able to help out with this before me. If not, no worries, I can try and provide instructions tomorrow morning.


#18

I tried to use Cloudflare but did not know there were certificates issued.


#19

Thanks and appreciate your help.

My goal is to set up a multisite WordPress with multiple sub-domains (some now, and I may add more later), and all will have https, either now or when added later.


#20

A bit of context first:

Apache supports running multiple virtual hosts on the same server simultaneously. It is able to select the correct VirtualHost (and hence the correct settings from filesystem path to logging settings) for serving this request by looking at the ServerName and ServerAlias settings inside of the VirtualHost configuration blocks. If no matching names are found, it will serve you the request using the first VirtualHost block it can find in its configuration (there is some magic involved with creating the effective in-memory configuration tree, but that’s irrelevant here). This is also how Certbot handles the VirtualHost discovery.

What the Certbot Apache plugin does when installing a certificate is:

  1. It reads your configuration and searches for ServerName or ServerAlias directives that match the domain names in the certificate that’s being installed.
  2. If multiple matching VirtualHosts are found, Certbot will ask the user to pick one of them.
  3. Certbot then proceeds copying the selected VirtualHost configuration to a new file that will become the HTTPS VirtualHost with a proper TLS configuration.

The issue that you are facing currently is that the default Apache installation doesn’t have any ServerName or ServerAlias configured, and Certbot isn’t able to find one to configure for you.

The solution for this is rather simple though; as suggested in the comment above, adding a ServerName and ServerAlias to your existing configuration should make the existing VirtualHost discoverable by Certbot.

The easiest way would be just to edit /etc/apache2/sites-enabled/000-default.conf directly, adding lines:

ServerName thegioitours.com
ServerAlias *.thegioitours.com

inside the <VirtualHost> block.
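As an added illustration (not from the thread or from Certbot itself), a small Python model of the discovery step described above: it parses <VirtualHost> blocks for ServerName/ServerAlias directives and matches the certificate's names against them, first on a constructed copy of Debian's stock 000-default.conf (no names, so nothing matches, which is the "No vhost exists" error from post #7) and then on the same block with the two recommended lines added. Wildcards in a ServerAlias are matched with Apache-style * and ? globbing; both config texts are constructed stand-ins, not the poster's real files.

```python
import re
from fnmatch import fnmatchcase

# Constructed stand-in for /etc/apache2/sites-enabled/000-default.conf:
# Debian's stock file carries no ServerName/ServerAlias (the thread's situation) ...
DEFAULT_CONF = """<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
</VirtualHost>
"""
# ... and the same block with the two lines post #20 recommends.
FIXED_CONF = """<VirtualHost *:80>
    ServerName thegioitours.com
    ServerAlias *.thegioitours.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
</VirtualHost>
"""
# Names on the certificate from the thread.
CERT_DOMAINS = ["*.thegioitours.com", "thegioitours.com"]

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
# Anchored at line start, so commented-out directives ("# ServerName ...") are ignored.
NAME_RE = re.compile(r"^\s*(?:ServerName|ServerAlias)\s+(.+?)\s*$", re.M | re.I)

def parse_vhosts(config_text):
    """Return [(address, [names])] for each <VirtualHost> block in the text."""
    vhosts = []
    for addr, body in VHOST_RE.findall(config_text):
        names = [n for value in NAME_RE.findall(body) for n in value.split()]
        vhosts.append((addr.strip(), names))
    return vhosts

def name_matches(vhost_name, domain):
    """Exact (case-insensitive) match, or an Apache-style * / ? glob in a ServerAlias."""
    n, d = vhost_name.lower(), domain.lower()
    return n == d or (any(c in n for c in "*?") and fnmatchcase(d, n))

def matching_vhosts(config_text, cert_domains):
    """Map each certificate name to the vhost addresses whose names cover it (step 1 above)."""
    vhosts = parse_vhosts(config_text)
    return {dom: [addr for addr, names in vhosts if any(name_matches(n, dom) for n in names)]
            for dom in cert_domains}

if __name__ == "__main__":
    for label, conf in (("stock 000-default.conf", DEFAULT_CONF), ("with ServerName/ServerAlias", FIXED_CONF)):
        for dom, hits in matching_vhosts(conf, CERT_DOMAINS).items():
            print(f"{label}: {dom} -> {hits or 'no vhost found (Certbot stops here)'}")
```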