Certbot with Apache - certonly obtains certificates but doesn't install them

Please fill out the fields below so we can help you better.

My domain is: createmedia.co.za , createmediacompany.com

I ran this command: certbot certonly --cert-name createmedia.co.za -d createmediacompany.com,www.createmediacompany.com

It produced this output: successful install - Then when I go to the site it doesn’t show https secure. If I run certbot certificates it shows this.

Found the following certs:
Certificate Name: createmedia.co.za-0001
Domains: createmedia.co.za
Expiry Date: 2017-10-20 06:37:00+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/createmedia.co.za-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/createmedia.co.za-0001/privkey.pem

Certificate Name: createmedia.co.za
Domains: createmediacompany.com www.createmediacompany.com
Expiry Date: 2017-10-20 06:31:00+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/createmedia.co.za/fullchain.pem
Private Key Path: /etc/letsencrypt/live/createmedia.co.za/privkey.pem

My web server is (include version): apache

The operating system my web server runs on is (include version): linux debian 8

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

hi @tianreagon

The certonly option only obtains the certs but does not install them on your web server.

You will need to install them on your apache server and restart apache for them to be in use.

Have a look at the mozilla TLS Guide. The paths to your keys/certs are in the message.

https://wiki.mozilla.org/Security/Server_Side_TLS

e.g.:

Certificate Path: /etc/letsencrypt/live/createmedia.co.za-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/createmedia.co.za-0001/privkey.pem

Alternatively you can try using the apache plugin, which will configure apache for you.

If you run certbot -apache you should get a dialog asking you which sites you want to activate SSL for.

Andrei

Hi there thanks so much. Do you mean certbot --apache because I have tried that and it gives the same result.

Hi @tianreagon,

I think you might have gotten a bit mixed up here with three different issues:

(1) Whenever you use certonly, it never tries to reconfigure your Apache for you. However, if you have a certificate that is already configured in Apache (because you previously used --apache or because you edited the Apache configuration files yourself), certonly can obtain a new certificate and substitute the new certificate for the previous version. If so, you won’t see the effects of this unless you run a command like apachectl graceful or another command that restarts Apache or reloads your configuration.

(2) If you have a certificate on a site and the site is serving HTTPS, it will still be possible to access the HTTP version of that site unless you explicitly go to the HTTPS version of the site in your browser. Both can and will co-exist. But this is not the case if the site is generating a 301 redirect from the HTTP to the HTTPS version, which is recommended; certbot --apache offers to configure Apache to do this for you, but you have to accept the offer.

(3) You need to make sure that you have certificates installed that cover all of the different names under which a site can be accessed. When you use --cert-name, you are asking Certbot to update a previously obtained certificate with a complete new set of names, not simply to add names.

So, you have at various times obtained certificates for both createmediacompany.com and createmedia.co.za, but unfortunately both are not covered in the same certificate, and your use of --cert-name probably also replaced the latter with the former, hiding your old createmedia.co.za certificate so that it’s no longer possible to refer to it via /etc/letsencrypt/live/createmedia.co.za/fullchain.pem as it was before. Nonetheless, your createmedia.co.za-0001 certificate does cover the createmedia.co.za domain.

What I see right now remotely is

https://createmedia.co.za/ — works!
https://www.createmedia.co.za/ — broken because you forgot to add www.createmedia.co.za as a name covered by any of your certificates
http://createmedia.co.za/ — redirects to https://createmedia.co.za/, which works (you probably used --apache when installing this one)
https://www.createmedia.co.za/ — redirects to https://www.createmedia.co.za/, which doesn’t work (maybe a collateral effect of the redirect created when you used --apache?)

https://www.createmediacompany.com/ — broken (serving your createmedia.co.za certificate instead; you used certonly for this one as you described above, so it didn’t do anything to configure it in Apache, though you could edit the configuration files to do so yourself)
https://createmediacompany.com/ — same

http://www.createmediacompany.com/ — works but doesn’t redirect to HTTPS
http://createmediacompany.com/ — same

I hope that’s a bit clearer rather than more confusing!
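The two replies above come down to the same check: which lineage under `/etc/letsencrypt/live` actually covers each hostname a vhost will serve, and pointing Apache's `SSLCertificateFile`/`SSLCertificateKeyFile` at that lineage's `fullchain.pem`/`privkey.pem`. This added Python example is not from the thread or from Certbot; it parses a constructed copy of the `certbot certificates` listing quoted above, reports the uncovered names (which reproduces the missing `www.createmedia.co.za`), and renders the redirect and TLS vhost stanzas for a lineage, refusing any name the certificate does not cover. The `DocumentRoot` path is a placeholder assumption.

```python
"""Added example: map hostnames to Certbot lineages and render Apache vhosts.

Constructed for this thread; not Certbot's own code. Run it directly to see a
coverage report for the four names discussed above.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the `certbot certificates` listing quoted in the thread.
CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: createmedia.co.za-0001
    Domains: createmedia.co.za
    Expiry Date: 2017-10-20 06:37:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/createmedia.co.za-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/createmedia.co.za-0001/privkey.pem
  Certificate Name: createmedia.co.za
    Domains: createmediacompany.com www.createmediacompany.com
    Expiry Date: 2017-10-20 06:31:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/createmedia.co.za/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/createmedia.co.za/privkey.pem
"""

# Every name under which the two sites are reachable, per the thread.
ALL_NAMES = [
    "createmedia.co.za",
    "www.createmedia.co.za",
    "createmediacompany.com",
    "www.createmediacompany.com",
]


@dataclass
class Lineage:
    """One Certbot lineage: the 'Certificate Name' and what it covers."""
    name: str
    domains: List[str] = field(default_factory=list)
    cert_path: str = ""
    key_path: str = ""


def parse_certificates(text: str) -> List[Lineage]:
    """Parse `certbot certificates` output into Lineage records."""
    lineages: List[Lineage] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            current = Lineage(name=line.split(":", 1)[1].strip())
            lineages.append(current)
        elif current is None:
            continue  # header line before the first lineage
        elif line.startswith("Domains:"):
            current.domains = line.split(":", 1)[1].split()
        elif line.startswith("Certificate Path:"):
            current.cert_path = line.split(":", 1)[1].strip()
        elif line.startswith("Private Key Path:"):
            current.key_path = line.split(":", 1)[1].strip()
    return lineages


def coverage(lineages: List[Lineage], wanted: List[str]) -> Dict[str, List[str]]:
    """Map each wanted hostname to the lineage names covering it (empty list = uncovered)."""
    result: Dict[str, List[str]] = {}
    for host in wanted:
        result[host] = [
            lin.name for lin in lineages
            if host.lower() in (d.lower() for d in lin.domains)
        ]
    return result


def uncovered(lineages: List[Lineage], wanted: List[str]) -> List[str]:
    """Hostnames that no lineage covers; Apache will serve a mismatched cert for these."""
    return [host for host, names in coverage(lineages, wanted).items() if not names]


def render_vhost(lineage: Lineage, server_name: str, aliases=()) -> str:
    """Render what --apache sets up: a :80 vhost that 301-redirects to HTTPS and a
    :443 vhost serving the lineage's fullchain/privkey. Refuses names the cert
    does not cover, since serving them gives the wrong-certificate error above."""
    names = [server_name, *aliases]
    missing = uncovered([lineage], names)
    if missing:
        raise ValueError(f"{lineage.name} does not cover: {', '.join(missing)}")
    alias_line = f"    ServerAlias {' '.join(aliases)}\n" if aliases else ""
    return (
        "<VirtualHost *:80>\n"
        f"    ServerName {server_name}\n"
        f"{alias_line}"
        f"    Redirect permanent / https://{server_name}/\n"
        "</VirtualHost>\n\n"
        "<VirtualHost *:443>\n"
        f"    ServerName {server_name}\n"
        f"{alias_line}"
        "    SSLEngine on\n"
        f"    SSLCertificateFile {lineage.cert_path}\n"
        f"    SSLCertificateKeyFile {lineage.key_path}\n"
        "    DocumentRoot /var/www/html\n"  # placeholder; use the site's real root
        "</VirtualHost>\n"
    )


if __name__ == "__main__":
    lins = parse_certificates(CERTBOT_OUTPUT)
    for host, names in coverage(lins, ALL_NAMES).items():
        print(f"{host:30} -> {', '.join(names) or 'NOT COVERED'}")
    print(render_vhost(lins[1], "createmediacompany.com", ["www.createmediacompany.com"]))
```

After writing the rendered stanzas into a site file under `/etc/apache2/sites-available/`, enable it and run `apachectl configtest` before `apachectl graceful`, so a typo cannot take the server down. Debian 8's Apache (2.4.10) accepts `fullchain.pem` in `SSLCertificateFile`; Apache older than 2.4.8 needs `cert.pem` there plus `SSLCertificateChainFile chain.pem`.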

Hi there, thanks so much for your response. I understand what you are saying. What do you suggest that I do to rectify? Is it possible to uninstall the certificates and reinstall using all the different domain versions? Also, does each version need its own certificate or can I have one certificate with all the versions? Sorry if I sound amateur, just trying to understand. Thanks in advance.

Can I run this command:
./certbot-auto --apache -d createmediacompany.com -d www.createmediacompany.com -d createmedia.co.za -d www.createmedia.co.za

Yes, that seems like a good choice. It will offer to update one of your existing certificates by replacing it with the larger one. You can choose which one is updated with --cert-name, or you can accept Certbot’s choice if you don’t specify that.

You can have one certificate from Let's Encrypt covering up to 100 domain names, which don't necessarily have to be related to each other in any way as long as you control or operate all of them yourself.
