Certificate extension for 3rd level domains

My domain is: thomas.miglinci.name

I ran this command: certbot certonly --standalone -d www.thomas.miglinci.name -d thomas.miglinci.name
Checking afterwards using certbot certificates showed:


Found the following certs:
...
Certificate Name: www.thomas.miglinci.name
Domains: www.thomas.miglinci.name thomas.miglinci.name
Expiry Date: 2025-02-26 12:30:10+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.thomas.miglinci.name/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.thomas.miglinci.name/privkey.pem


Nevertheless, opening https://thomas.miglinci.name in Chrome brings up an invalid certificate warning.

I do have a forwarding from thomas.miglinci.name to www.thomas.miglinci.name via Apache on my server, therefore I did not recognize this and, to be honest, I did not care about this at all.
With Bluesky you can use your domain as your handle, but thomas.miglinci.name was rejected as not being covered by the certificate?!

Thanks for any support
Thomas

1 Like

It is unusual to use --standalone when you have a running Apache server. The --standalone option requires exclusive use of port 80, so Apache has to be stopped beforehand. Usually --webroot or even certonly --apache is used instead.

That said, you have gotten certs with different combinations of your names. Some with just your www subdomain and some with that and your apex name. See pic below from https://crt.sh

Your Apache server is using one from Oct 19 with only your www subdomain in it. Using that cert with your apex domain will fail with an invalid cert, which is what you see.

Please show output of these two commands

sudo certbot certificates
sudo apache2ctl -t -D DUMP_VHOSTS

2 Likes

Okay, I see.
Seems like I bricked it somehow. I did have some parallel entries in the live directory with a -0001 ending which were not used by my server. So I removed them, or let's say I invalidated them by changing the extension to .bup; they are still there but are no longer recognized by certbot....
So is there a chance to revoke certificates just by their crt.sh ID? Because then I would like to get rid of all but the first one.
I reverted these changes and here are the outputs:

$ certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: cloud.viehai.at
Domains: cloud.viehai.at
Expiry Date: 2025-01-17 07:24:42+00:00 (VALID: 49 days)
Certificate Path: /etc/letsencrypt/live/cloud.viehai.at/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cloud.viehai.at/privkey.pem
Certificate Name: mail.viehai.at
Domains: mail.viehai.at
Expiry Date: 2025-01-17 07:24:53+00:00 (VALID: 49 days)
Certificate Path: /etc/letsencrypt/live/mail.viehai.at/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.viehai.at/privkey.pem
Certificate Name: thomas.miglinci.name-0001
Domains: www.thomas.miglinci.name thomas.miglinci.name
Expiry Date: 2025-02-26 12:13:14+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/thomas.miglinci.name-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/thomas.miglinci.name-0001/privkey.pem
Certificate Name: thomas.miglinci.name
Domains: thomas.miglinci.name mail.viehai.at www.thomas.miglinci.name
Expiry Date: 2025-01-17 07:25:30+00:00 (VALID: 49 days)
Certificate Path: /etc/letsencrypt/live/thomas.miglinci.name/fullchain.pem
Private Key Path: /etc/letsencrypt/live/thomas.miglinci.name/privkey.pem
Certificate Name: viehai.at
Domains: viehai.at www.viehai.at
Expiry Date: 2025-01-17 07:25:41+00:00 (VALID: 49 days)
Certificate Path: /etc/letsencrypt/live/viehai.at/fullchain.pem
Private Key Path: /etc/letsencrypt/live/viehai.at/privkey.pem
Certificate Name: www.margarete.rozum.name
Domains: www.margarete.rozum.name
Expiry Date: 2025-01-23 08:44:07+00:00 (VALID: 55 days)
Certificate Path: /etc/letsencrypt/live/www.margarete.rozum.name/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.margarete.rozum.name/privkey.pem
Certificate Name: www.thomas.miglinci.name
Domains: www.thomas.miglinci.name thomas.miglinci.name
Expiry Date: 2025-02-26 12:30:10+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.thomas.miglinci.name/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.thomas.miglinci.name/privkey.pem


and

$ apache2ctl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80 is a NameVirtualHost
default server srv4hai.viehai.at (/etc/apache2/sites-enabled/000-default.conf:3)
port 80 namevhost srv4hai.viehai.at (/etc/apache2/sites-enabled/000-default.conf:3)
port 80 namevhost www.viehai.at (/etc/apache2/sites-enabled/010-viehai.conf:1)
alias viehai.at
port 80 namevhost thomas.miglinci.name (/etc/apache2/sites-enabled/022-thomas.conf:1)
alias www.thomas.miglinci.name
port 80 namevhost margarete.rozum.name (/etc/apache2/sites-enabled/margarete.conf:1)
alias www.margarete.rozum.name
port 80 namevhost cloud.viehai.at (/etc/apache2/sites-enabled/owncloud.conf:1)
port 80 namevhost mail.viehai.at (/etc/apache2/sites-enabled/roundcube.conf:1)
*:443 is a NameVirtualHost
default server margarete.rozum.name (/etc/apache2/sites-enabled/margarete-le-ssl.conf:2)
port 443 namevhost margarete.rozum.name (/etc/apache2/sites-enabled/margarete-le-ssl.conf:2)
alias www.margarete.rozum.name
port 443 namevhost cloud.viehai.at (/etc/apache2/sites-enabled/owncloud-le-ssl.conf:2)
port 443 namevhost mail.viehai.at (/etc/apache2/sites-enabled/roundcube-le-ssl.conf:2)
port 443 namevhost thomas.miglinci.name (/etc/apache2/sites-enabled/thomas-le-ssl.conf:2)
alias www.thomas.miglinci.name
port 443 namevhost www.viehai.at (/etc/apache2/sites-enabled/viehai-le-ssl.conf:2)
alias viehai.at

thanks for your support
Thomas

1 Like

You have two certs covering the exact same names:

And you have another mixed name cert that also shares those same two names:

EDIT:
And the name mixed in has its own cert:

3 Likes
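To see the overlap described in the reply above without eyeballing the list, here is an added example (my own script, not from the thread and not part of certbot) that parses the text `certbot certificates` prints and reports lineage pairs whose Domains lists overlap, flagging exact duplicates such as the `-0001` lineage. The sample output embedded below is constructed from the listing posted earlier in this thread.

```python
"""Spot certbot lineages that cover the same names.

Added example (not from the thread, not certbot's own code): parses the
text printed by `certbot certificates` and reports lineage pairs whose
Domains lists overlap, flagging exact duplicates such as a -0001 lineage.
"""
from itertools import combinations

# Constructed sample, modelled on the output posted in the thread.
SAMPLE_OUTPUT = """\
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
  Certificate Name: mail.viehai.at
    Domains: mail.viehai.at
    Expiry Date: 2025-01-17 07:24:53+00:00 (VALID: 49 days)
    Certificate Path: /etc/letsencrypt/live/mail.viehai.at/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mail.viehai.at/privkey.pem
  Certificate Name: thomas.miglinci.name-0001
    Domains: www.thomas.miglinci.name thomas.miglinci.name
    Expiry Date: 2025-02-26 12:13:14+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/thomas.miglinci.name-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/thomas.miglinci.name-0001/privkey.pem
  Certificate Name: thomas.miglinci.name
    Domains: thomas.miglinci.name mail.viehai.at www.thomas.miglinci.name
    Expiry Date: 2025-01-17 07:25:30+00:00 (VALID: 49 days)
    Certificate Path: /etc/letsencrypt/live/thomas.miglinci.name/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/thomas.miglinci.name/privkey.pem
  Certificate Name: www.thomas.miglinci.name
    Domains: www.thomas.miglinci.name thomas.miglinci.name
    Expiry Date: 2025-02-26 12:30:10+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.thomas.miglinci.name/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.thomas.miglinci.name/privkey.pem
"""


def parse_certificates(text):
    """Return {lineage: {"domains": set, "path": str}} from `certbot certificates` output."""
    lineages, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            current = line.split(":", 1)[1].strip()
            lineages[current] = {"domains": set(), "path": None}
        elif current is None:
            continue  # header lines before the first lineage
        elif line.startswith("Domains:"):
            lineages[current]["domains"] = set(line.split(":", 1)[1].split())
        elif line.startswith("Certificate Path:"):
            lineages[current]["path"] = line.split(":", 1)[1].strip()
    return lineages


def find_overlaps(lineages):
    """Return (a, b, shared_names, is_duplicate) for every pair that shares a name."""
    findings = []
    for a, b in combinations(sorted(lineages), 2):
        da, db = lineages[a]["domains"], lineages[b]["domains"]
        shared = da & db
        if shared:
            findings.append((a, b, frozenset(shared), da == db))
    return findings


def duplicates(lineages):
    """Lineage pairs whose Domains lists are identical: one of each pair is redundant."""
    return [(a, b) for a, b, _, dup in find_overlaps(lineages) if dup]


def covering(lineages, name):
    """Lineages whose certificate includes `name` (answers 'is the apex covered?')."""
    return sorted(l for l, info in lineages.items() if name in info["domains"])


if __name__ == "__main__":
    lin = parse_certificates(SAMPLE_OUTPUT)
    for a, b, shared, dup in find_overlaps(lin):
        kind = "DUPLICATE" if dup else "overlap"
        print(f"{kind}: {a} and {b} both cover {' '.join(sorted(shared))}")
    for a, b in duplicates(lin):
        print(f"candidate for `certbot delete --cert-name`: {a} (same names as {b})")
    print("thomas.miglinci.name is in:", covering(lin, "thomas.miglinci.name"))
```

On a live box, pipe the real listing in with `sudo certbot certificates | python3 this_script.py` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`. The `path` field is kept so you can grep your Apache and mail configs for the file a duplicate lineage points at before deleting it.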

To remove a Certbot cert you no longer need, use:

sudo certbot delete --cert-name (cert-name)

Where (cert-name) is seen in the certificates list:

Certificate Name: thomas.miglinci.name-0001
Domains: www.thomas.miglinci.name thomas.miglinci.name
Expiry Date: 2025-02-26 12:13:14+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/thomas.miglinci.name-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/thomas.miglinci.name-0001/privkey.pem

Be sure you no longer have any references to these files in Apache or other TLS services (mail servers and such).

Unless your system or private key has been compromised there is no need to revoke certs.

3 Likes

Thanks for the hints - at least I could get rid of the unnecessary entries.

best regards
Thomas

2 Likes

Seems like there is another problem.
I run

certbot renew --dry-run

and got the following error message:

Attempting to renew cert (www.thomas.miglinci.name) from /etc/letsencrypt/renewal/www.thomas.miglinci.name.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/www.thomas.miglinci.name/fullchain.pem (failure)

but all other hosted domains were okay:

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
The following certs were successfully renewed:
/etc/letsencrypt/live/cloud.viehai.at/fullchain.pem (success)
/etc/letsencrypt/live/mail.viehai.at/fullchain.pem (success)
/etc/letsencrypt/live/viehai.at/fullchain.pem (success)
/etc/letsencrypt/live/www.margarete.rozum.name/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/www.thomas.miglinci.name/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

and accessing my domain www.thomas.miglinci.name is still possible - so IPv4 is ok.

Any hints for me?
Thanks
Thomas

This seems like the same problem as earlier. The --standalone option requires exclusive use of port 80. But, you have an Apache server using port 80. Which is all fine and good. But, you should use --apache or --webroot method with Apache - not --standalone.

Let's start at the beginning.

3 Likes


sudo certbot certificates

shows:

Found the following certs:

Certificate Name: cloud.viehai.at
Domains: cloud.viehai.at
Expiry Date: 2025-03-18 08:02:25+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/cloud.viehai.at/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cloud.viehai.at/privkey.pem
Certificate Name: mail.viehai.at
Domains: mail.viehai.at
Expiry Date: 2025-03-18 08:02:36+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/mail.viehai.at/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.viehai.at/privkey.pem
Certificate Name: viehai.at
Domains: viehai.at www.viehai.at
Expiry Date: 2025-03-18 08:02:47+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/viehai.at/fullchain.pem
Private Key Path: /etc/letsencrypt/live/viehai.at/privkey.pem
Certificate Name: www.margarete.rozum.name
Domains: www.margarete.rozum.name margarete.rozum.name
Expiry Date: 2025-02-26 17:36:31+00:00 (VALID: 59 days)
Certificate Path: /etc/letsencrypt/live/www.margarete.rozum.name/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.margarete.rozum.name/privkey.pem
Certificate Name: www.thomas.miglinci.name
Domains: www.thomas.miglinci.name thomas.miglinci.name
Expiry Date: 2025-02-26 12:30:10+00:00 (VALID: 59 days)
Certificate Path: /etc/letsencrypt/live/www.thomas.miglinci.name/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.thomas.miglinci.name/privkey.pem

and
apache2ctl -t -D DUMP_VHOSTS:

VirtualHost configuration:
*:80 is a NameVirtualHost
default server srv4hai.viehai.at (/etc/apache2/sites-enabled/000-default.conf:3)
port 80 namevhost srv4hai.viehai.at (/etc/apache2/sites-enabled/000-default.conf:3)
port 80 namevhost www.viehai.at (/etc/apache2/sites-enabled/010-viehai.conf:1)
alias viehai.at
port 80 namevhost thomas.miglinci.name (/etc/apache2/sites-enabled/022-thomas.conf:1)
alias www.thomas.miglinci.name
port 80 namevhost margarete.rozum.name (/etc/apache2/sites-enabled/margarete.conf:1)
alias www.margarete.rozum.name
port 80 namevhost cloud.viehai.at (/etc/apache2/sites-enabled/owncloud.conf:1)
port 80 namevhost mail.viehai.at (/etc/apache2/sites-enabled/roundcube.conf:1)
*:443 is a NameVirtualHost
default server margarete.rozum.name (/etc/apache2/sites-enabled/margarete-le-ssl.conf:2)
port 443 namevhost margarete.rozum.name (/etc/apache2/sites-enabled/margarete-le-ssl.conf:2)
alias www.margarete.rozum.name
port 443 namevhost cloud.viehai.at (/etc/apache2/sites-enabled/owncloud-le-ssl.conf:2)
port 443 namevhost mail.viehai.at (/etc/apache2/sites-enabled/roundcube-le-ssl.conf:2)
port 443 namevhost thomas.miglinci.name (/etc/apache2/sites-enabled/thomas-le-ssl.conf:2)
alias www.thomas.miglinci.name
port 443 namevhost www.viehai.at (/etc/apache2/sites-enabled/viehai-le-ssl.conf:2)
alias viehai.at

The default 443 server should be a different one (preferably srv4hai.viehai.at), but that is another story...

And now let's look at this file

/etc/letsencrypt/renewal/www.thomas.miglinci.name.conf 

And this one

/etc/apache2/sites-enabled/022-thomas.conf

And output of this

sudo certbot --version

1 Like

After looking into /etc/letsencrypt/renewal/www.thomas.miglinci.name.conf and comparing it to another one, I found the difference in the "# Options used in the renewal process" section. And after fixing that...

old content:

[renewalparams]
account = xxxxxxxxxxxxxxxx
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory

new content:

[renewalparams]
account = xxxxxxxxxxxxxxxx
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory

everything works fine.

Thanks for the support
Thomas

2 Likes
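The fix above is a one-line change in the renewal config, but the same mismatch can sit in any lineage, and a `certbot renew --dry-run` only surfaces it once per run. Here is an added example (my own, not from the thread and not certbot's or Apache's code) that cross-checks each `/etc/letsencrypt/renewal/<lineage>.conf` against the port-80 vhosts reported by `apache2ctl -t -D DUMP_VHOSTS`: any lineage still set to `authenticator = standalone` whose names Apache already serves on port 80 is reported, because that is exactly the combination that produced the "Problem binding to port 80" error earlier in the thread. The renewal configs, vhost dump and lineage-to-domain map embedded below are constructed from what was posted here; the account id is a placeholder.

```python
"""Audit certbot renewal configs against Apache's port-80 vhosts.

Added example (not from the thread, not certbot's code): finds lineages
whose renewal would use the standalone authenticator on a port that
Apache already listens on for the same names.
"""
import re

# Constructed sample modelled on the DUMP_VHOSTS output posted in the thread.
DUMP_VHOSTS = """\
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server srv4hai.viehai.at (/etc/apache2/sites-enabled/000-default.conf:3)
         port 80 namevhost srv4hai.viehai.at (/etc/apache2/sites-enabled/000-default.conf:3)
         port 80 namevhost thomas.miglinci.name (/etc/apache2/sites-enabled/022-thomas.conf:1)
                 alias www.thomas.miglinci.name
         port 80 namevhost cloud.viehai.at (/etc/apache2/sites-enabled/owncloud.conf:1)
*:443                  is a NameVirtualHost
         port 443 namevhost thomas.miglinci.name (/etc/apache2/sites-enabled/thomas-le-ssl.conf:2)
                 alias www.thomas.miglinci.name
"""

# Constructed renewal configs keyed by lineage name; the account id is a placeholder.
RENEWAL_CONFS = {
    "www.thomas.miglinci.name": """\
# renew_before_expiry = 30 days
[renewalparams]
account = xxxxxxxxxxxxxxxx
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
""",
    "cloud.viehai.at": """\
[renewalparams]
account = xxxxxxxxxxxxxxxx
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
""",
}

# Lineage -> names it covers, as listed by `certbot certificates` (constructed).
LINEAGE_DOMAINS = {
    "www.thomas.miglinci.name": {"www.thomas.miglinci.name", "thomas.miglinci.name"},
    "cloud.viehai.at": {"cloud.viehai.at"},
}

VHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+)")
ALIAS_RE = re.compile(r"^\s*alias (\S+)")


def parse_vhosts(text):
    """Return {port: set of server names and aliases} from DUMP_VHOSTS output."""
    ports, port = {}, None
    for line in text.splitlines():
        m = VHOST_RE.match(line)
        if m:
            port = int(m.group(1))
            ports.setdefault(port, set()).add(m.group(2))
            continue
        m = ALIAS_RE.match(line)
        if m and port is not None:  # alias lines belong to the preceding namevhost
            ports[port].add(m.group(1))
    return ports


def parse_renewal_conf(text):
    """Return the key = value pairs of the [renewalparams] section only."""
    params, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[renewalparams]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def audit(confs, lineage_domains, vhosts):
    """Return [(lineage, names Apache serves on :80)] for every lineage that
    would renew with standalone while Apache holds port 80 for those names."""
    served80 = vhosts.get(80, set())
    conflicts = []
    for lineage, text in confs.items():
        params = parse_renewal_conf(text)
        if params.get("authenticator") != "standalone":
            continue
        clash = lineage_domains.get(lineage, set()) & served80
        if clash:
            conflicts.append((lineage, frozenset(clash)))
    return conflicts


if __name__ == "__main__":
    for lineage, names in audit(RENEWAL_CONFS, LINEAGE_DOMAINS, parse_vhosts(DUMP_VHOSTS)):
        print(f"{lineage}: authenticator = standalone, but Apache serves "
              f"{' '.join(sorted(names))} on port 80; switch to apache or webroot")
```

On a real server the three inputs come from `glob.glob('/etc/letsencrypt/renewal/*.conf')`, `subprocess.run(['apache2ctl', '-t', '-D', 'DUMP_VHOSTS'], ...)` and the `certbot certificates` listing; the parsing and the conflict rule stay the same.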
