Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com ), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: pdxwater.org
I ran this command:
```
certbot certonly --webroot -w /var/www/pdxwater.org -d pdxwater.org -d www.pdxwater.org
```
It produced this output:
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for pdxwater.org and www.pdxwater.org
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/pdxwater.org/fullchain.pem
Key is saved at: /etc/letsencrypt/live/pdxwater.org/privkey.pem
This certificate expires on 2022-04-15.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
```
My web server is (include version):
Apache/2.4.41 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu 20.04 LTS
My hosting provider, if applicable, is: digitalocean.com
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): pm2
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0
Can you describe the specific problem further?
Your site is using certificates although a bit unusually.
When I connect using pdxwater.org I see the cert you created with just that name. See here
But if I connect using www.pdxwater.org I see the cert you created with both your apex and www names. See here (note the SAN list)
That is ok since the cert contains the name in the requested URL. Although it indicates you could improve your Apache and certbot config.
Hi, thank you for your reply. I'm getting a warning: potential security risk when I visit both pdxwater.org and www.pdxwater.org
I believe that my config may be causing the problem as I adjusted it to match another config for matthewalbertcole.com without fully understanding the changes I had made.
Let's not change your config just yet. I now see your previous thread and I think best not to repeat those issues. As noted, I don't see a problem - just something less than ideal.
If you clicked the two 'here' links I provided, you can see your certs test fine. In fact, they use the same "chain" as this forum site uses.
Was there any other text with the 'potential security risk' message? What if you click the icon where that appears - do other details display?
What program is showing that message? A browser? What version and operating system?
I don't see any warning now. I don't understand what happened. I swear it wasn't working a couple hours ago, and I didn't change anything.
rg305
January 15, 2022, 6:40pm
Something is not quite right (yet).
[or a least not as one would expect the defaults to be]
Please show:
```
certbot certificates
apachectl -t -D DUMP_VHOSTS
```
```
root@nodejs-s-1vcpu-1gb-nyc3-01:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: matthewalbertcole.com
    Serial Number: 43f4f41e3e9b3ee991fabca5baf754fbd0f
    Key Type: RSA
    Domains: matthewalbertcole.com www.matthewalbertcole.com
    Expiry Date: 2022-04-15 08:46:25+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/matthewalbertcole.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/matthewalbertcole.com/privkey.pem
  Certificate Name: pdxwater.org-0001
    Serial Number: 4ec73b8941a86b39d5a0087d72bbf2807e1
    Key Type: RSA
    Domains: pdxwater.org
    Expiry Date: 2022-04-15 12:58:51+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/pdxwater.org-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/pdxwater.org-0001/privkey.pem
  Certificate Name: pdxwater.org
    Serial Number: 48ea5386612295e99294d270b87c8e600e5
    Key Type: RSA
    Domains: pdxwater.org www.pdxwater.org
    Expiry Date: 2022-04-15 10:51:31+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/pdxwater.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/pdxwater.org/privkey.pem
  Certificate Name: www.matthewalbertcole.com
    Serial Number: 421a0cd44b5f5f69d0dd91f7bd96d2cc4cb
    Key Type: RSA
    Domains: www.matthewalbertcole.com
    Expiry Date: 2022-04-15 12:58:56+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.matthewalbertcole.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.matthewalbertcole.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@nodejs-s-1vcpu-1gb-nyc3-01:~# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server www.matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com-le-ssl.conf:2)
         port 443 namevhost www.matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com-le-ssl.conf:2)
         port 443 namevhost matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com-le-ssl.conf:12)
         port 443 namevhost www.pdxwater.org (/etc/apache2/sites-enabled/pdxwater.org-le-ssl.conf:2)
         port 443 namevhost pdxwater.org (/etc/apache2/sites-enabled/pdxwater.org-le-ssl.conf:12)
*:80                   is a NameVirtualHost
         default server matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com.conf:1)
         port 80 namevhost matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com.conf:1)
                 alias www.matthewalbertcole.com
         port 80 namevhost pdxwater.org (/etc/apache2/sites-enabled/pdxwater.org.conf:1)
                 alias www.pdxwater.org
```
rg305
January 15, 2022, 10:17pm
This cert has both names on it:
```
Certificate Name: pdxwater.org
  Domains: pdxwater.org www.pdxwater.org
```
This cert has only one of the two names [and is unnecessary]:
```
Certificate Name: pdxwater.org-0001
  Domains: pdxwater.org
```
This cert has both names on it:
```
Certificate Name: matthewalbertcole.com
  Domains: matthewalbertcole.com www.matthewalbertcole.com
```
This cert has only one of the two names [and is unnecessary]:
```
Certificate Name: www.matthewalbertcole.com
  Domains: www.matthewalbertcole.com
```
rg305
January 15, 2022, 10:21pm
Although these files do contain both names, the distance between the names is worth investigating:
```
port 443 namevhost www.matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com-le-ssl.conf:2)
port 443 namevhost matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com-le-ssl.conf:12)
port 443 namevhost www.pdxwater.org (/etc/apache2/sites-enabled/pdxwater.org-le-ssl.conf:2)
port 443 namevhost pdxwater.org (/etc/apache2/sites-enabled/pdxwater.org-le-ssl.conf:12)
```
Let's have a look at both of those files:
```
/etc/apache2/sites-enabled/matthewalbertcole.com-le-ssl.conf
/etc/apache2/sites-enabled/pdxwater.org-le-ssl.conf
```
```
root@nodejs-s-1vcpu-1gb-nyc3-01:/etc/apache2/sites-enabled# cat matthewalbertcole.com-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin root@matthewalbertcole.com
    DocumentRoot /var/www/matthewalbertcole.com
    ServerName www.matthewalbertcole.com
    Redirect permanent / https://matthewalbertcole.com
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/matthewalbertcole.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/matthewalbertcole.com/privkey.pem
</VirtualHost>
<VirtualHost *:443>
    ServerAdmin root@matthewalbertcole.com
    DocumentRoot /var/www/matthewalbertcole.com
    ServerName matthewalbertcole.com
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    SSLEngine on
    SSLProxyEngine on
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Include /etc/letsencrypt/options-ssl-apache.conf
    ProxyRequests Off
    ProxyPreserveHost On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ProxyRequests Off
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    Timeout 600
    ProxyTimeout 600
    SetEnv proxy-nokeepalive 1
    SetEnv proxy-initial-not-pooled 1
    SSLCertificateFile /etc/letsencrypt/live/matthewalbertcole.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/matthewalbertcole.com/privkey.pem
</VirtualHost>
</IfModule>
root@nodejs-s-1vcpu-1gb-nyc3-01:/etc/apache2/sites-enabled# cat pdxwater.org-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin root@pdxwater.org
    DocumentRoot /var/www/pdxwater.org
    ServerName www.pdxwater.org
    Redirect permanent / https://pdxwater.org
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/pdxwater.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/pdxwater.org/privkey.pem
</VirtualHost>
<VirtualHost *:443>
    ServerAdmin root@pdxwater.org
    DocumentRoot /var/www/pdxwater.org
    ServerName pdxwater.org
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    SSLEngine on
    SSLProxyEngine on
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Include /etc/letsencrypt/options-ssl-apache.conf
    ProxyRequests Off
    ProxyPreserveHost On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire off
    ProxyRequests Off
    ProxyPass / http://localhost:3000/
    ProxyPassReverse / http://localhost:3000/
    Timeout 600
    ProxyTimeout 600
    SetEnv proxy-nokeepalive 1
    SetEnv proxy-initial-not-pooled 1
    SSLCertificateFile /etc/letsencrypt/live/pdxwater.org-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/pdxwater.org-0001/privkey.pem
</VirtualHost>
</IfModule>
```
rg305
January 15, 2022, 10:31pm
The only change I would make is:
```
SSLCertificateFile /etc/letsencrypt/live/pdxwater.org-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/pdxwater.org-0001/privkey.pem
```
TO:
```
SSLCertificateFile /etc/letsencrypt/live/pdxwater.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/pdxwater.org/privkey.pem
```
Then delete the two unnecessary certs:
```
certbot delete --cert-name pdxwater.org-0001
certbot delete --cert-name www.matthewalbertcole.com
```
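The two checks rg305 did by eye above (which lineage each `*:443` vhost actually points at, and which lineages are strict subsets of another and therefore unnecessary) are easy to get wrong once a server has more than a couple of sites. The script below is an added example, not code from the thread or from Certbot or Apache: it parses the text output of `certbot certificates` and the `<VirtualHost *:443>` blocks of an Apache config and reports vhosts whose names the referenced certificate does not cover, vhosts pointing at a lineage that does not exist, lineages no vhost references, and lineages whose SAN list is a strict subset of another lineage's. The sample inputs are constructed from the output posted in this thread; the `/etc/letsencrypt/live/<name>/` path convention and the function names are the example's own assumptions.

```python
import re

# Constructed sample: the relevant lines of the `certbot certificates` output posted above.
CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: matthewalbertcole.com
    Domains: matthewalbertcole.com www.matthewalbertcole.com
    Certificate Path: /etc/letsencrypt/live/matthewalbertcole.com/fullchain.pem
  Certificate Name: pdxwater.org-0001
    Domains: pdxwater.org
    Certificate Path: /etc/letsencrypt/live/pdxwater.org-0001/fullchain.pem
  Certificate Name: pdxwater.org
    Domains: pdxwater.org www.pdxwater.org
    Certificate Path: /etc/letsencrypt/live/pdxwater.org/fullchain.pem
  Certificate Name: www.matthewalbertcole.com
    Domains: www.matthewalbertcole.com
    Certificate Path: /etc/letsencrypt/live/www.matthewalbertcole.com/fullchain.pem
"""

# Constructed sample: the :443 vhosts from both *-le-ssl.conf files, trimmed to the
# directives this check reads (ServerName, ServerAlias, SSLCertificateFile).
APACHE_CONF = """\
<VirtualHost *:443>
    ServerName www.matthewalbertcole.com
    SSLCertificateFile /etc/letsencrypt/live/matthewalbertcole.com/fullchain.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName matthewalbertcole.com
    SSLCertificateFile /etc/letsencrypt/live/matthewalbertcole.com/fullchain.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName www.pdxwater.org
    SSLCertificateFile /etc/letsencrypt/live/pdxwater.org/fullchain.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName pdxwater.org
    SSLCertificateFile /etc/letsencrypt/live/pdxwater.org-0001/fullchain.pem
</VirtualHost>
"""


def parse_certbot_certificates(text):
    """Map lineage name -> set of covered domains from `certbot certificates` text."""
    lineages, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            current = line.split(":", 1)[1].strip()
            lineages[current] = set()
        elif line.startswith("Domains:") and current:
            lineages[current] = set(line.split(":", 1)[1].split())
    return lineages


def parse_ssl_vhosts(text):
    """Return [(names, cert_file)] for every <VirtualHost *:443> block; ServerName comes first."""
    vhosts = []
    for block in re.findall(r"<VirtualHost \*:443>(.*?)</VirtualHost>", text, re.S):
        names, cert_file = [], None
        for line in block.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            if parts[0] == "ServerName":
                names.insert(0, parts[1])
            elif parts[0] == "ServerAlias":
                names.extend(parts[1:])
            elif parts[0] == "SSLCertificateFile":
                cert_file = parts[1]
        vhosts.append((names, cert_file))
    return vhosts


def lineage_from_path(path):
    """'/etc/letsencrypt/live/<name>/fullchain.pem' -> '<name>'; None for any other path (assumed layout)."""
    m = re.match(r"/etc/letsencrypt/live/([^/]+)/", path or "")
    return m.group(1) if m else None


def covers(domains, host):
    """True if a SAN in `domains` matches `host` exactly or via a single-label wildcard."""
    if host in domains:
        return True
    _, _, parent = host.partition(".")
    return bool(parent) and ("*." + parent) in domains


def audit(certbot_text, apache_text):
    """Return sorted (kind, subject, detail) findings for the vhost/lineage pairing."""
    lineages = parse_certbot_certificates(certbot_text)
    findings, referenced = [], set()
    for names, cert_file in parse_ssl_vhosts(apache_text):
        lineage = lineage_from_path(cert_file)
        subject = names[0] if names else "<no ServerName>"
        if lineage not in lineages:
            findings.append(("unknown_lineage", subject, lineage or ""))
            continue
        referenced.add(lineage)
        for host in names:  # every name the vhost answers to must be in the cert's SAN list
            if not covers(lineages[lineage], host):
                findings.append(("uncovered", host, lineage))
    for name, domains in lineages.items():
        if name not in referenced:
            findings.append(("unused", name, ""))
        for other, other_domains in lineages.items():
            if other != name and domains < other_domains:  # strict subset: this lineage is redundant
                findings.append(("redundant", name, other))
    return sorted(findings)


if __name__ == "__main__":
    for kind, subject, detail in audit(CERTBOT_OUTPUT, APACHE_CONF):
        print(f"{kind:16} {subject:32} {detail}")
```

Run against the thread's own inputs, the report flags `pdxwater.org-0001` and `www.matthewalbertcole.com` as redundant (each is a strict subset of its two-name sibling) and `www.matthewalbertcole.com` as referenced by no vhost, which matches the two `certbot delete` commands above. On a live host, feed it `certbot certificates` and `cat /etc/apache2/sites-enabled/*-le-ssl.conf`; an `uncovered` finding is the case that produces a browser name-mismatch warning and is worth fixing before anything is deleted.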
OK done. Did that do the trick? Seems to have not broken anything at least.
system
Closed
February 15, 2022, 1:09pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.