Can't install certificate on subdomain

Hello,

I have 2 virtual private servers both running Apache.

VPS #1 uses my domain (lanceyarema.com)
VPS #2 uses a sub domain (testing.lanceyarema.com)

I set up Let's Encrypt on VPS #1 first, and it works well. When I set this up, I added the subdomain to the list so it would generate a cert.

I have tried using Let's Encrypt on VPS #2 using the "testing" subdomain, but it will not install the certificate.

I think the subdomain is trying to use an expired certificate from VPS #1, and I can't get rid of it.

Here is the error when running certbot on VPS #2:

The following errors were reported by the server:

Domain: testing.lanceyarema.com

Type: unauthorized Detail: Invalid response from http://testing.lanceyarema.com/.well-known/acme-challenge/fN9j1p_xs0IOJZ-XaJZNWeEbn6dtngDljYNQOBg5bhE [192.81.131.129]: "\r\n\r\n\r\n<html class="no-js" la"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.

You also get this displayed in the web browser: This server could not prove that it is testing.lanceyarema.com; its security certificate is from lanceyarema.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

Any ideas as to why this isn't working? Many thanks for any help!


@lc317 Welcome to the community!

The error message shows an IP address but I do not see one now. There is no DNS A record for your testing domain name. See:
https://toolbox.googleapps.com/apps/dig/#A/

You can check the VPS 2 IP address with:

curl -4 ifconfig.co
curl -6 ifconfig.co

Your main site has both IPv4 and IPv6.

The error message you show is an IPv4 address, so you probably only had an A record for testing at that time. If you had an AAAA record too, the Let's Encrypt server would have used that instead.

If you sort that out and still have problems post back here. Can't do much without that working.

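The reply above boils down to a rule that can be checked on the VPS before running certbot: the CA needs an A or AAAA record for the name, and when an AAAA record exists Let's Encrypt connects over IPv6 first (falling back to IPv4 only on a connection-level failure, not when a different server answers), so a stale AAAA record pointing at another host fails http-01 even though the A record is right. The script below is an added example, not code from the thread; it assumes `dig` and `curl` are installed for the live variant and uses ifconfig.co, the service named in the reply, to learn this host's own addresses. The offline demonstration uses constructed documentation-range addresses, not the thread's real records.

```shell
#!/bin/sh
# Added example, not from the reply above: encode its diagnosis as a check that
# can be run on the VPS before calling certbot. The CA needs an A or AAAA record
# for the name, and when an AAAA record exists Let's Encrypt connects over IPv6
# first (it only falls back to IPv4 when the IPv6 connection itself fails, not
# when the wrong server answers), so a stale AAAA record aimed at another host
# fails http-01 even though the A record is correct.

# classify_records NAME "A records" "AAAA records" "this host's IPv4" "this host's IPv6"
# Record lists are space-separated; an empty string means no record.
# Prints a verdict; returns 0 only when the validation request would reach
# the host whose addresses were given.
classify_records() {
    name=$1 a=$2 aaaa=$3 host4=$4 host6=$5
    if [ -z "$a" ] && [ -z "$aaaa" ]; then
        echo "$name: no A or AAAA record, the CA cannot resolve the name"
        return 1
    fi
    if [ -n "$aaaa" ]; then
        for ip in $aaaa; do
            if [ "$ip" = "$host6" ]; then
                echo "$name: AAAA $ip is this host, validation will arrive over IPv6"
                return 0
            fi
        done
        echo "$name: AAAA $aaaa is not this host ($host6), the CA will validate against another server over IPv6"
        return 1
    fi
    for ip in $a; do
        if [ "$ip" = "$host4" ]; then
            echo "$name: A $ip is this host, validation will arrive over IPv4"
            return 0
        fi
    done
    echo "$name: A $a is not this host ($host4)"
    return 1
}

# Live variant: looks the name up with dig and asks ifconfig.co (the service
# used in the reply) which addresses this VPS has. Needs dig, curl and network.
live_check() {
    name=$1
    classify_records "$name" \
        "$(dig +short A "$name" | tr '\n' ' ')" \
        "$(dig +short AAAA "$name" | tr '\n' ' ')" \
        "$(curl -4 -s ifconfig.co)" \
        "$(curl -6 -s ifconfig.co)"
}

# Offline demonstration with constructed documentation-range addresses
# (192.0.2.0/24 and 2001:db8::/32), not the thread's real records.
if [ "${1:-}" = "--live" ]; then
    live_check "${2:-testing.lanceyarema.com}"
else
    classify_records testing.example "" "" 192.0.2.10 2001:db8::10 || true
    classify_records testing.example "192.0.2.10" "" 192.0.2.10 2001:db8::10
    classify_records testing.example "192.0.2.10" "2001:db8::1" 192.0.2.10 2001:db8::10 || true
fi
```

Run it as `sh dns-check.sh --live testing.lanceyarema.com` on VPS #2; the third offline case is the situation a stale AAAA record produces, where the A record is correct but the CA never uses it.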

VPS #2 may need some review.
On which please show the output of:
sudo apachectl -t -D DUMP_VHOSTS


[Wed Nov 10 16:11:45.486970 2021] [core:error] [pid 6232] (EAI 2)Name or service not known: AH00547: Could not resolve host name *.80 -- ignoring!

[Wed Nov 10 16:11:45.487242 2021] [core:error] [pid 6232] (EAI 2)Name or service not known: AH00547: Could not resolve host name *.80 -- ignoring!

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message

VirtualHost configuration:
*:443 is a NameVirtualHost
default server 127.0.1.1 (/etc/apache2/sites-enabled/lanceyarema.com.conf:11)
port 443 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/lanceyarema.com.conf:11)
port 443 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/lanceyarema.com.conf:26)
AH00180: WARNING: MaxRequestWorkers of 40 exceeds ServerLimit value of 24 servers, decreasing MaxRequestWorkers to 24. To increase, please see the ServerLimit directive.


Let's have a look at this file:


Thanks for helping out!

here is VPS #1 (i.e. lanceyarema.com)

Conf 1 (wordpress.conf)

<Directory /var/www/wordpress/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
<VirtualHost *:80>
    ServerName lanceyarema.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/wordpress/
    ErrorLog /var/log/apache2/wordpress/error.log
    CustomLog /var/log/apache2/wordpress/access.log combined
    <files xmlrpc.php>
    order allow,deny
    deny from all
    </files>
RewriteEngine on
RewriteCond %{SERVER_NAME} =lanceyarema.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Conf 2 (wordpress-le-sssl.conf)

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName lanceyarema.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/wordpress/
    ErrorLog /var/log/apache2/wordpress/error.log
    CustomLog /var/log/apache2/wordpress/access.log combined
    <files xmlrpc.php>
    order allow,deny
    deny from all
    </files>

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/lanceyarema.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/lanceyarema.com/privkey.pem
</VirtualHost>
</IfModule>



<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName lanceyarema.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/wordpress/
    ErrorLog /var/log/apache2/wordpress/error.log
    CustomLog /var/log/apache2/wordpress/access.log combined
    <files xmlrpc.php>
    order allow,deny
    deny from all
    </files>

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/lanceyarema.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/lanceyarema.com/privkey.pem
</VirtualHost>
</IfModule>

here is VPS #2 (i.e. testing.lanceyarema.com)

<VirtualHost *.80>
ServerAdmin webmaster@example.com
     ServerName testing.lanceyarema.com
     ServerAlias testing.lanceyarema.com
     DocumentRoot /var/www/html/logs
     ErrorLog /var/www/html/logs/error.log
     CustomLog /var/www/html/logs/access.log combined
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/testing.lanceyarema.com/fullchain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/testing.lanceyarema.com/privkey.pem
</VirtualHost>

<VirtualHost *.80>
ServerAdmin webmaster@example.com
     ServerName testing.lanceyarema.com
     ServerAlias testing.lanceyarema.com
     DocumentRoot /var/www/html/logs
     ErrorLog /var/www/html/logs/error.log
     CustomLog /var/www/html/logs/access.log combined
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/testing.lanceyarema.com/fullchain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/testing.lanceyarema.com/privkey.pem

    # Uncomment the following directive when using client certificate authentication
    #SSLCACertificateFile    /path/to/ca_certs_for_client_authentication

    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    # Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>

That's redundant.

That's redundant.

That's redundant.


That's redundant.
[name:port overlap/conflict]

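Both faults in the VPS #2 file can be found mechanically rather than by reading the AH00547 log line after the fact. The lint below is an added example and not code from the thread: it scans Apache site files for `<VirtualHost>` addresses written with a dot where the colon belongs (`*.80` instead of `*:80`, which Apache treats as an unresolvable host name and ignores, so no port-80 vhost is left to answer the http-01 request) and for blocks that declare the same ServerName on the same port (the "redundant" blocks, of which only the first ever receives requests). With no arguments it lints a constructed sample modelled on the VPS #2 file above; the sample is not the real file.

```shell
#!/bin/sh
# Added example (not posted in the thread): a small lint for Apache site files
# that catches the two faults diagnosed above:
#   1. a <VirtualHost> address with a dot where the colon belongs ("*.80" for
#      "*:80"); Apache treats "*.80" as a host name, cannot resolve it and
#      ignores the whole block, so no port-80 vhost answers the http-01 request;
#   2. two <VirtualHost> blocks with the same ServerName on the same port (the
#      "redundant" blocks); only the first one ever receives requests.
# Run it as:  sh vhost-lint.sh /etc/apache2/sites-enabled/*.conf
# With no arguments it lints a constructed sample modelled on the VPS #2 file.

# Print every <VirtualHost ...> address that looks like host.port instead of
# host:port (dotted-quad IPv4 addresses are left alone).
bad_vhost_addresses() {
    awk '
        /^[ \t]*<VirtualHost[ \t]/ {
            line = $0
            sub(/^[ \t]*<VirtualHost[ \t]+/, "", line)
            sub(/>.*$/, "", line)
            n = split(line, addr, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (addr[i] !~ /:/ && addr[i] ~ /\.[0-9]+$/ &&
                    addr[i] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    printf "%s:%d: malformed address \"%s\" (did you mean host:port?)\n",
                           FILENAME, FNR, addr[i]
        }' "$@"
}

# Report ServerName:port pairs declared by more than one <VirtualHost> block.
# A block without ServerName is keyed as "(no ServerName)"; an address without
# a port (or a malformed one like "*.80") is keyed with port "any".
duplicate_vhosts() {
    awk '
        /^[ \t]*<VirtualHost[ \t]/ {
            line = $0
            sub(/^[ \t]*<VirtualHost[ \t]+/, "", line)
            sub(/>.*$/, "", line)
            split(line, addr, /[ \t]+/)
            port = (addr[1] ~ /:/) ? addr[1] : "any"
            sub(/^.*:/, "", port)            # keep the text after the last colon
            name = "(no ServerName)"; file = FILENAME; start = FNR; inblock = 1
        }
        inblock && /^[ \t]*ServerName[ \t]/ { name = $2 }
        inblock && /^[ \t]*<\/VirtualHost>/ {
            key = name ":" port
            count[key]++
            where[key] = where[key] " " file ":" start
            inblock = 0
        }
        END {
            for (key in count)
                if (count[key] > 1)
                    printf "%s declared %d times:%s\n", key, count[key], where[key]
        }' "$@"
}

# Constructed sample modelled on the VPS #2 file quoted above (not the real file).
write_sample_site() {
    cat > "$1" <<'EOF'
<VirtualHost *.80>
    ServerName testing.lanceyarema.com
    ServerAlias testing.lanceyarema.com
    DocumentRoot /var/www/html/logs
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/testing.lanceyarema.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/testing.lanceyarema.com/privkey.pem
</VirtualHost>

<VirtualHost *.80>
    ServerName testing.lanceyarema.com
    DocumentRoot /var/www/html/logs
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/testing.lanceyarema.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/testing.lanceyarema.com/privkey.pem
</VirtualHost>
EOF
}

if [ $# -eq 0 ]; then
    tmp=$(mktemp -d)
    write_sample_site "$tmp/testing.lanceyarema.com.conf"
    set -- "$tmp/testing.lanceyarema.com.conf"
fi
echo "== malformed <VirtualHost> addresses =="
bad_vhost_addresses "$@"
echo "== ServerName:port declared more than once =="
duplicate_vhosts "$@"
```

After fixing what it reports, `sudo apachectl -t -D DUMP_VHOSTS` (the command requested earlier in the thread) should list a `port 80 namevhost testing.lanceyarema.com` entry and no AH00547 line; the port-443 block also needs its own ServerName, or it is keyed here as "(no ServerName)" and Apache has nothing to match the SNI name against.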

I corrected the redundant entries in the vhosts file, restarted apache, and get the same error when trying to use certbot:

certbot -d testing.lanceyarema.com -v

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Requesting a certificate for testing.lanceyarema.com
Performing the following challenges:
http-01 challenge for testing.lanceyarema.com
Waiting for verification...
Challenge failed for domain testing.lanceyarema.com
http-01 challenge for testing.lanceyarema.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: testing.lanceyarema.com
Type: unauthorized
Detail: Invalid response from https://testing.lanceyarema.com/ [2600:3c01::f03c:91ff:fe67:a604]: "\n<html lang="en-US" class="no-js">\n\n\t<meta charset="UTF-8">\n\t<meta name="viewport" content="width=device-wi"

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

You said you removed duplicates but it looks like the above Vhost needs improvement. You should include the same lines you use for the port 80 server too. Well, you might not want the logs the same way but at least the rest.

     ServerAdmin webmaster@example.com
     ServerName testing.lanceyarema.com
     ServerAlias testing.lanceyarema.com
     DocumentRoot /var/www/html/logs
     ErrorLog /var/www/html/logs/error.log
     CustomLog /var/www/html/logs/access.log combined

Please show the updated output of:

