Certbot creating Self-Signed Cert for 1 Site

I am using Certbot to generate Letsencrypt certs for two sites. The first site (terranforge.com) received a self-signed certificate. The second site (ignisferrum.com) worked as intended.

My domain is:

ignisferrum.com & terranforge.com

I ran this command:

certbot-2 --apache -d ignisferrum.com
certbot-2 --apache -d terranforge.com

It produced this output:

terranforge.com: https://pastebin.com/93cRdJ4L
ignisferrum.com: https://pastebin.com/s8hB8t8G

My web server is (include version):

httpd-2.4.6-90.el7.centos.x86_64

The operating system my web server runs on is (include version):

CentOS 7 - 3.10.0-1062.18.1.el7.x86_64

My hosting provider, if applicable, is:

name.com for DNS
Linode for Server Hosting

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes. Standard SSH port, IP-restricted, Pubkey only.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 1.3.0

Apache Re-direct & VHost Rules

#####################
# DENY BY DIRECT IP #
#####################

<VirtualHost *:80>
ServerName 45.56.116.234
Redirect 403 /
ErrorDocument 403 "Sorry, direct IP access not allowed."
ServerAdmin striker@terranforge.com
UseCanonicalName Off
UserDir disabled
</VirtualHost>

###################
# TERRANFORGE.COM #
###################

<VirtualHost *:80>
ServerName terranforge.com
ServerAlias terranforge.com
ServerAdmin striker@terranforge.com
DocumentRoot "/var/www/terranforge.com"
RewriteEngine on
RewriteCond %{SERVER_NAME} =terranforge.com [OR]
RewriteCond %{SERVER_NAME} =www.terranforge.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<Directory "/var/www/terranforge.com">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>

###################
# IGNISFERRUM.COM #
###################

<VirtualHost *:80>
ServerName ignisferrum.com
ServerAlias ignisferrum.com
ServerAdmin striker@terranforge.com
DocumentRoot "/var/www/ignisferrum.com"
RewriteEngine on
RewriteCond %{SERVER_NAME} =ignisferrum.com [OR]
RewriteCond %{SERVER_NAME} =www.ignisferrum.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<Directory "/var/www/ignisferrum.com">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>

############################
# LETSENCRYPT STUFF! #
############################

Include /etc/httpd/conf/httpd-le-ssl.conf

Hi @striker

So your shared configuration doesn't work as intended.

What does this say?

apachectl -S

[root@terranforge ~]# apachectl -S
[root@terranforge ~]#

CentOS -> httpd instead of apachectl.

[root@terranforge conf]# httpd -S
[Sun Apr 19 09:15:04.297403 2020] [so:warn] [pid 12723] AH01574: module rewrite_module is already loaded, skipping
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server 45.56.116.234 (/etc/httpd/conf/httpd.conf:84)
         port 80 namevhost 45.56.116.234 (/etc/httpd/conf/httpd.conf:84)
         port 80 namevhost terranforge.com (/etc/httpd/conf/httpd.conf:97)
                 alias terranforge.com
         port 80 namevhost www.terranforge.com (/etc/httpd/conf/httpd.conf:107)
         port 80 namevhost ignisferrum.com (/etc/httpd/conf/httpd.conf:122)
                 alias ignisferrum.com
         port 80 namevhost www.ignisferrum.com (/etc/httpd/conf/httpd.conf:132)
*:443                  is a NameVirtualHost
         default server terranforge.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost terranforge.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost terranforge.com (/etc/httpd/conf/httpd-le-ssl.conf:2)
                 alias terranforge.com
         port 443 namevhost ignisferrum.com (/etc/httpd/conf/httpd-le-ssl.conf:18)
                 alias ignisferrum.com
         port 443 namevhost www.ignisferrum.com (/etc/httpd/conf/httpd-le-ssl.conf:34)
         port 443 namevhost www.terranforge.com (/etc/httpd/conf/httpd-le-ssl.conf:44)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

There

port 80 namevhost name alias same name

is duplicated. Remove these duplicated definitions.

Duplicated definitions: every combination of port and domain name must be unique.

Thanks for the command. I think I see the issue. HTTPS is loading /etc/httpd/conf.d/ssl.conf instead of /etc/httpd/conf/httpd-le-ssl.conf.

Thanks for your help. By commenting out the VirtualHost within /etc/httpd/conf.d/ssl.conf, I was able to resolve the issue. Apache was mixing up the default host with the server’s hostname and what was listed between both SSL configurations.

My re-directs are also working, however I had to recall certbot for Alternative Names:

certbot-2 --apache -d ignisferrum.com,www.ignisferrum.com
certbot-2 --apache -d terranforge.com,www.terranforge.com

My re-directs are working as below:

http://www.ignisferrum.com/ > https://ignisferrum.com
http://ignisferrum.com/ > https://ignisferrum.com
https://www.ignisferrum.com > https://ignisferrum.com

http://www.terranforge.com/ > https://terranforge.com
http://terranforge.com/ > https://terranforge.com
https://www.terranforge.com > https://terranforge.com

Thanks again for your help.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.