Certbot no longer works

Okay, good, let's try getting a fresh production cert now:

sudo certbot --apache --cert-name www.newstarmotel.dyn-o-saur.com -d www.newstarmotel.dyn-o-saur.com -d newstarmotel.dyn-o-saur.com

As before, should get prompted about adding a domain name and confirm you want that

Please show output of that command

And, show a fresh sudo apache2ctl -t -D DUMP_VHOSTS after that too

3 Likes

I think it worked, if you can check on your end.

You are updating certificate www.newstarmotel.dyn-o-saur.com to include new
domain(s):

You are also removing previously included domain(s):
(None)

Did you intend to make this change?


(U)pdate certificate/(C)ancel: u
Renewing an existing certificate for www.newstarmotel.dyn-o-saur.com and newstarmotel.dyn-o-saur.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www.newstarmotel.dyn-o-saur.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/www.newstarmotel.dyn-o-saur.com/privkey.pem
This certificate expires on 2024-10-15.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for www.newstarmotel.dyn-o-saur.com to /etc/apache2/sites-enabled/newstarmotel-le-ssl.conf
Successfully deployed certificate for newstarmotel.dyn-o-saur.com to /etc/apache2/sites-enabled/newstarmotel-le-ssl.conf
Your existing certificate has been successfully renewed, and the new certificate has been installed.


If you like Certbot, please consider supporting our work by:


One more thing: on gilllab.dyndns-wiki.com and newstarmotel.homelinux.com, the www extension does not work. Here's my le-ssl.conf:

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName gilllab.dyndns-wiki.com
ServerAlias www.gilllab.dyndns-wiki.com
DocumentRoot /var/www/GillLabwebsite
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

# RewriteCond %{SERVER_NAME} =www.gilllab.dyndns-wiki.com [OR]
# RewriteCond %{SERVER_NAME} =gilllab.dyndns-wiki.com
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

SSLCertificateFile /etc/letsencrypt/live/gilllab.dyndns-wiki.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/gilllab.dyndns-wiki.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Yes, your other domains have the same kind of problem

But, let's finish making sure the prior steps worked.

3 Likes

Lastly, is there anyway to clean up the obsolete certificates on crt.sh?

No, certs are logged in the public Certificate Transparency logs. crt.sh is just one tool that displays the CT log info. This log is an essential part of auditing to monitor for mis-issuance and such. These are "public" certs after all 🙂

4 Likes

*:443 is a NameVirtualHost
default server gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab-le-ssl.conf:2)
port 443 namevhost gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab-le-ssl.conf:2)
alias www.gilllab.dyndns-wiki.com
port 443 namevhost newstarmotel.homelinux.com (/etc/apache2/sites-enabled/homelinux-le-ssl.conf:2)
alias www.newstarmotel.homelinux.com
port 443 namevhost newstarmotel.dyn-o-saur.com (/etc/apache2/sites-enabled/newstarmotel-le-ssl.conf:2)
alias www.newstarmotel.dyn-o-saur.com
port 443 namevhost nsmrentalproperties.from-ca.com (/etc/apache2/sites-enabled/nsmrentalproperties-le-ssl.conf:2)
alias www.nsmrentalproperties.from-ca.com

*:80 is a NameVirtualHost
default server gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab.conf:1)
port 80 namevhost gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab.conf:1)
alias www.gilllab.dyndns-wiki.com
port 80 namevhost newstarmotel.homelinux.com (/etc/apache2/sites-enabled/homelinux.conf:1)
alias www.newstarmotel.homelinux.com
port 80 namevhost newstarmotel.dyn-o-saur.com (/etc/apache2/sites-enabled/newstarmotel.conf:1)
alias www.newstarmotel.dyn-o-saur.com
port 80 namevhost nsmrentalproperties.from-ca.com (/etc/apache2/sites-enabled/nsmrentalproperties.conf:1)
alias www.nsmrentalproperties.from-ca.com

Okay. Good. The dyn-o-saur looks good. There were no "extra" VirtualHosts for port 80 added anywhere. I was pretty sure there would not be but wanted to be sure.

The first problem with gilllab.dyndns-wiki.com (in which you omitted one l, by the way) is that there is no DNS entry for the www subdomain. You would need to get that set up first.

nslookup www.gilllab.dyndns-wiki.com
** server can't find www.gilllab.dyndns-wiki.com: NXDOMAIN

nslookup gilllab.dyndns-wiki.com
Address: 172.118.22.205

I will address newstarmotel homelinux in my next post. It is slightly different than this gilllab issue and your dyn-o-saur issue.

3 Likes

I forgot to include the wildcard on the dyndns.org server for www. I think it should work now.

So, for gilllab it is similar to what you did for dyn-o-saur.

You could test first with this

sudo certbot certonly --apache --dry-run --cert-name gilllab.dyndns-wiki.com -d gilllab.dyndns-wiki.com -d www.gilllab.dyndns-wiki.com

if that works do this

sudo certbot --apache --cert-name gilllab.dyndns-wiki.com -d gilllab.dyndns-wiki.com -d www.gilllab.dyndns-wiki.com

2 Likes

I haven't forgotten about your homelinux domain. Just waiting to see result from gilllab.

I don't want to get too far out in front in case something unusual happens

2 Likes

gilllab.dyndns-wiki.com and www.gilllab.dyndns-wiki.com are now fine as is, without creating another certificate. Or, should I combine them still like before?

You should make a single cert that includes both names. Both domain names are handled in the same VirtualHost so you need a cert that includes both.

HTTPS requests to the www subdomain are failing now because the cert does not include that name. See

https://www.ssllabs.com/ssltest/analyze.html?d=www.gilllab.dyndns-wiki.com&hideResults=on

4 Likes

*:443 is a NameVirtualHost
default server gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab-le-ssl.conf:2)
port 443 namevhost gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab-le-ssl.conf:2)
alias www.gilllab.dyndns-wiki.com
port 443 namevhost newstarmotel.homelinux.com (/etc/apache2/sites-enabled/homelinux-le-ssl.conf:2)
alias www.newstarmotel.homelinux.com
port 443 namevhost newstarmotel.dyn-o-saur.com (/etc/apache2/sites-enabled/newstarmotel-le-ssl.conf:2)
alias www.newstarmotel.dyn-o-saur.com
port 443 namevhost nsmrentalproperties.from-ca.com (/etc/apache2/sites-enabled/nsmrentalproperties-le-ssl.conf:2)
alias www.nsmrentalproperties.from-ca.com
*:80 is a NameVirtualHost
default server gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab.conf:1)
port 80 namevhost gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab.conf:1)
alias www.gilllab.dyndns-wiki.com
port 80 namevhost newstarmotel.homelinux.com (/etc/apache2/sites-enabled/homelinux.conf:1)
alias www.newstarmotel.homelinux.com
port 80 namevhost newstarmotel.dyn-o-saur.com (/etc/apache2/sites-enabled/newstarmotel.conf:1)
alias www.newstarmotel.dyn-o-saur.com
port 80 namevhost nsmrentalproperties.from-ca.com (/etc/apache2/sites-enabled/nsmrentalproperties.conf:1)
alias www.nsmrentalproperties.from-ca.com

Ok. I combined www domains for gilllab.dyndns-wiki.com and nsmrentalproperties.from-ca.com.

VirtualHost configuration:
*:443 is a NameVirtualHost
default server gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab-le-ssl.conf:2)
port 443 namevhost gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab-le-ssl.conf:2)
alias www.gilllab.dyndns-wiki.com
port 443 namevhost newstarmotel.homelinux.com (/etc/apache2/sites-enabled/homelinux-le-ssl.conf:2)
alias www.newstarmotel.homelinux.com
port 443 namevhost newstarmotel.dyn-o-saur.com (/etc/apache2/sites-enabled/newstarmotel-le-ssl.conf:2)
alias www.newstarmotel.dyn-o-saur.com
port 443 namevhost nsmrentalproperties.from-ca.com (/etc/apache2/sites-enabled/nsmrentalproperties-le-ssl.conf:2)
alias www.nsmrentalproperties.from-ca.com
*:80 is a NameVirtualHost
default server gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab.conf:1)
port 80 namevhost gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab.conf:1)
alias www.gilllab.dyndns-wiki.com
port 80 namevhost newstarmotel.homelinux.com (/etc/apache2/sites-enabled/homelinux.conf:1)
alias www.newstarmotel.homelinux.com
port 80 namevhost newstarmotel.dyn-o-saur.com (/etc/apache2/sites-enabled/newstarmotel.conf:1)
alias www.newstarmotel.dyn-o-saur.com
port 80 namevhost nsmrentalproperties.from-ca.com (/etc/apache2/sites-enabled/nsmrentalproperties.conf:1)
alias www.nsmrentalproperties.from-ca.com

1 Like

Excellent. Those two look good.

The homelinux cert can be modified to include both names in the same way.

The difference with this domain is that you have a cert for its www subdomain. But, it is not used by Apache for HTTPS requests to that www name.

So, once you combine the names into one cert like you did for the others you can probably delete the "extra" one. Could you have used this www cert somewhere else? Like copying it to some other server? Or somewhere for a mail server or similar?

I'm guessing it was just a mistake in which case this deletes the local cert files and the Certbot renewal profile for it

sudo certbot delete --cert-name www.newstarmotel.homelinux.com

If you are not sure about this let us know after you get the new cert with both names.

4 Likes
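The two checks Mike walks through above, that every name handled by a :443 VirtualHost is in one cert and that no leftover cert (like the separate www.newstarmotel.homelinux.com one) is sitting around, can be automated from the two listings already used in this thread. The script below is an added example, not code from the thread or from Certbot: it parses the text of `apache2ctl -t -D DUMP_VHOSTS` (a trimmed copy of the dump posted above) and a constructed listing in the shape of `certbot certificates` output, then reports which vhost names no single cert covers and which Certbot lineages no vhost appears to use. Which cert a vhost "uses" is a heuristic here (assumed: the lineage named after the ServerName, otherwise the one sharing the most names); the authoritative answer is the SSLCertificateFile line in each le-ssl.conf.

```python
"""Cross-check Apache name-based vhosts against Certbot certificate coverage.

Added example, not from the forum thread or from Certbot. Inputs are text in
the formats of `apache2ctl -t -D DUMP_VHOSTS` and `certbot certificates`.
"""
import re

# Constructed sample: trimmed copy of the DUMP_VHOSTS output posted in the thread.
VHOST_DUMP = """\
VirtualHost configuration:
*:443 is a NameVirtualHost
default server gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab-le-ssl.conf:2)
port 443 namevhost gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab-le-ssl.conf:2)
alias www.gilllab.dyndns-wiki.com
port 443 namevhost newstarmotel.homelinux.com (/etc/apache2/sites-enabled/homelinux-le-ssl.conf:2)
alias www.newstarmotel.homelinux.com
port 443 namevhost newstarmotel.dyn-o-saur.com (/etc/apache2/sites-enabled/newstarmotel-le-ssl.conf:2)
alias www.newstarmotel.dyn-o-saur.com
*:80 is a NameVirtualHost
default server gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab.conf:1)
port 80 namevhost gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab.conf:1)
alias www.gilllab.dyndns-wiki.com
"""

# Constructed sample in the shape of `certbot certificates` output, mirroring the
# state described in the thread before the gilllab and homelinux certs were combined.
CERT_LIST = """\
Found the following certs:
  Certificate Name: gilllab.dyndns-wiki.com
    Domains: gilllab.dyndns-wiki.com
    Certificate Path: /etc/letsencrypt/live/gilllab.dyndns-wiki.com/fullchain.pem
  Certificate Name: newstarmotel.homelinux.com
    Domains: newstarmotel.homelinux.com
    Certificate Path: /etc/letsencrypt/live/newstarmotel.homelinux.com/fullchain.pem
  Certificate Name: www.newstarmotel.homelinux.com
    Domains: www.newstarmotel.homelinux.com
    Certificate Path: /etc/letsencrypt/live/www.newstarmotel.homelinux.com/fullchain.pem
  Certificate Name: www.newstarmotel.dyn-o-saur.com
    Domains: www.newstarmotel.dyn-o-saur.com newstarmotel.dyn-o-saur.com
    Certificate Path: /etc/letsencrypt/live/www.newstarmotel.dyn-o-saur.com/fullchain.pem
"""


def parse_vhosts(dump):
    """Return [(port, [ServerName, alias, ...]), ...] for every namevhost line."""
    vhosts = []
    for line in dump.splitlines():
        line = line.strip()
        m = re.match(r"port (\d+) namevhost (\S+)", line)
        if m:
            vhosts.append((int(m.group(1)), [m.group(2)]))
        elif line.startswith("alias ") and vhosts:
            # An alias line always belongs to the namevhost that precedes it.
            vhosts[-1][1].append(line.split()[1])
    return vhosts


def parse_certs(listing):
    """Return {certbot lineage name: set(domains)} from `certbot certificates` text."""
    certs, current = {}, None
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith("Certificate Name:"):
            current = line.split(":", 1)[1].strip()
            certs[current] = set()
        elif line.startswith("Domains:") and current:
            certs[current].update(line.split(":", 1)[1].split())
    return certs


def best_cert(names, servername, certs):
    """Heuristic (assumption, not Apache's real lookup): prefer the lineage named
    after the ServerName, then the cert sharing the most names with the vhost.
    The real answer is the SSLCertificateFile directive in the vhost config."""
    candidates = [(name == servername, len(names & domains), name)
                  for name, domains in certs.items() if names & domains]
    return max(candidates)[2] if candidates else None


def audit(dump, listing, tls_port=443):
    """Report vhost names not covered by a single cert, and certs no vhost uses."""
    certs = parse_certs(listing)
    uncovered, used = {}, set()
    for port, names in parse_vhosts(dump):
        if port != tls_port:
            continue  # plain-HTTP vhosts need no certificate
        wanted = set(names)
        cert = best_cert(wanted, names[0], certs)
        if cert is None:
            uncovered[names[0]] = sorted(wanted)
            continue
        used.add(cert)
        missing = wanted - certs[cert]
        if missing:
            # Every name in this vhost must be in the ONE cert it serves.
            uncovered[names[0]] = sorted(missing)
    return {"uncovered": uncovered, "unused_certs": sorted(set(certs) - used)}


if __name__ == "__main__":
    report = audit(VHOST_DUMP, CERT_LIST)
    for vhost, names in report["uncovered"].items():
        print(f"vhost {vhost}: cert is missing {', '.join(names)}")
    for cert in report["unused_certs"]:
        print(f"cert {cert}: not used by any :443 vhost, candidate for certbot delete")
```

On the sample data this flags www.gilllab.dyndns-wiki.com and www.newstarmotel.homelinux.com as missing from the certs their vhosts serve, and lists the stand-alone www.newstarmotel.homelinux.com lineage as unused, which matches the thread. On a real box, pipe in `sudo apache2ctl -t -D DUMP_VHOSTS` and `sudo certbot certificates` instead of the embedded strings, and confirm any "unused" cert against the SSLCertificateFile lines before deleting it.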

Ok. Done:

*:443 is a NameVirtualHost
default server gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab-le-ssl.conf:2)
port 443 namevhost gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab-le-ssl.conf:2)
alias www.gilllab.dyndns-wiki.com
port 443 namevhost newstarmotel.homelinux.com (/etc/apache2/sites-enabled/homelinux-le-ssl.conf:2)
alias www.newstarmotel.homelinux.com
port 443 namevhost newstarmotel.dyn-o-saur.com (/etc/apache2/sites-enabled/newstarmotel-le-ssl.conf:2)
alias www.newstarmotel.dyn-o-saur.com
port 443 namevhost nsmrentalproperties.from-ca.com (/etc/apache2/sites-enabled/nsmrentalproperties-le-ssl.conf:2)
alias www.nsmrentalproperties.from-ca.com
*:80 is a NameVirtualHost
default server gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab.conf:1)
port 80 namevhost gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab.conf:1)
alias www.gilllab.dyndns-wiki.com
port 80 namevhost newstarmotel.homelinux.com (/etc/apache2/sites-enabled/homelinux.conf:1)
alias www.newstarmotel.homelinux.com
port 80 namevhost newstarmotel.dyn-o-saur.com (/etc/apache2/sites-enabled/newstarmotel.conf:1)
alias www.newstarmotel.dyn-o-saur.com
port 80 namevhost nsmrentalproperties.from-ca.com (/etc/apache2/sites-enabled/nsmrentalproperties.conf:1)
alias www.nsmrentalproperties.from-ca.com

One last question:

This is the command I use to get my certificate for a domain:

sudo certbot --apache

It gives a list of virtual hosts (with and without the www) to choose from. Is there a more direct command for a particular domain?

After that, I will from now on link the corresponding www domain to the certificate obtained from the command above.

1 Like

If you setup a new VirtualHost with a ServerName and ServerAlias you just do

sudo certbot --apache -d (domain1) -d (domain2)

With a -d for each of the names in that VirtualHost (often the base name and www subdomain)

You don't use that format to "renew" an existing cert. You use the "renew" command for that

To test renewal of all your existing certs (profiles) do:

sudo certbot renew --dry-run

or, to test renewal of one cert / profile:

sudo certbot renew --dry-run --cert-name (name)

Where (name) comes from the certbot certificates list

3 Likes

I appreciate your time and help, Mike!

5 Likes