Certificate Generated For Main Server only, Not Virtual Hosts


#1

Previously when the certificate was generated on the main server all associated virtual hosts were secure with the certificate. However, the recent generation only secures the main server and not the associated virtual hosts.

The virtual hosts are located in separate files.

The command is: ./dehydrated/dehydrated -c -t dns-01 -d server.com -d www.server.com -k ./dehydrated/hooks/manual/manual_hook.rb

The OS: Fedora 19

Thanks in advance for your assistance!


#2

I don’t have any experience with dehydrated, but I’m pretty sure if you only supply it with two -d options, you’ll get a certificate for just those two hostnames. Or am I missing something?


#3

Hmm maybe dehydrated isn’t what should be used.

What should be used, or what do you have experience with that would address this issue? It has been some time since I have had to deal with this, so I am vague about what to do.


#4

Hi,

What are you trying to do?
Do “server.com” and “www.server.com” represent your server hostname?

Have you tried to issue a certificate for the virtual host domains?

Also, do you mind sharing the file manual_hook.rb with us?

Thank you


#5

Hi stevenzhu,

server.com and www.server.com are the ServerName and ServerAlias of the main server.

I am not sure what is meant by “issue a certificate for the virtual host domains”.
In the past issuing one certificate for the main server would take care of all virtual domains hosted by the main server. Issuing one certificate is what was done a few times before this time.

I have confused myself because I have used two methods. I don’t know which method gave me the certificate that covered all the virtual hosts when applied to the main server:

This one (as shown above):
./dehydrated/dehydrated -c -t dns-01 -d server.com -d www.server.com -k ./dehydrated/hooks/manual/manual_hook.rb

and this one:
./certbot-auto certonly --standalone --agree-tos --email myemail@gmail.com -d server.com -d www.server.com

Here is the manual_hook.rb

#!/usr/bin/env ruby

require 'resolv'

# Poll the _acme-challenge TXT record for the domain until it carries the
# expected token; prompt once for the record to be created by hand.
def setup_dns(domain, txt_challenge)
  resolved = false
  single_loop = false
  dns = Resolv::DNS.new
  acme_domain = "_acme-challenge." + domain
  puts "Checking for pre-existing TXT record for the domain: \"#{acme_domain}\"."

  until resolved
    dns.each_resource(acme_domain, Resolv::DNS::Resource::IN::TXT) do |resp|
      if resp.strings[0] == txt_challenge
        puts "Found #{resp.strings[0]}. match."
        resolved = true
      else
        puts "Found #{resp.strings[0]}. no match."
      end
    end

    unless resolved
      # Ask for the record only once; afterwards just keep polling.
      unless single_loop
        puts "Create TXT record for the domain: \"#{acme_domain}\". TXT record:"
        puts "\"#{txt_challenge}\""
        puts "Press enter when DNS has been updated..."
        $stdin.readline
        single_loop = true
      end

      puts "Didn't find a match for #{txt_challenge}"
      puts "Waiting to retry..."
      sleep 30
    end
  end
end

def delete_dns(domain, txt_challenge)
  puts "Challenge complete. Leave TXT record in place to allow easier future refreshes."
end

if __FILE__ == $0
  # dehydrated invokes the hook as: <stage> <domain> <token filename> <token value>
  hook_stage = ARGV[0]
  domain = ARGV[1]
  txt_challenge = ARGV[3]

  #puts hook_stage
  #puts domain
  #puts txt_challenge

  if hook_stage == "deploy_challenge"
    setup_dns(domain, txt_challenge)
  elsif hook_stage == "clean_challenge"
    delete_dns(domain, txt_challenge)
  end
end


#6

Hi,

None of the methods you mentioned above gives (or should give) you a certificate that covers all domains.

By the way, are all the domains in your virtual hosts subdomains of the main server? Subdomains of domain.com?

Thank you


#7

Hi stevenzhu,

Those are the only two methods I used. I must have unknowingly applied a method that applied the certificate to all domains. I do remember being told that applying the certificate to the main server would apply the certificate to all the virtual hosts.

What is the correct way to apply the certificate to all the virtual hosts?

The virtual hosts are in separate files.

Do you have any suggestions?


#8

Hi @schoen

Is it possible to look at my problem? I understood that a certificate on the server would secure the virtual domains served from the server. That is how I remember setting things up a long while ago.

Should a new certificate be set up for every virtual host on the server?

Thanks


#9

Hi @Anthon,

Every name that you want to use with HTTPS needs to be mentioned in some certificate, or covered by a wildcard. Do you think you could be more specific about the domains and subdomains that you’re looking to use and having trouble with at the moment?
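
A way to check that rule mechanically, as an added example that is not part of this thread: the Ruby script below (function names and the `check_vhost_cert.rb` usage are my own assumptions) collects every ServerName/ServerAlias from Apache vhost config text and reports the names that no DNS SAN in a certificate covers, treating a wildcard as standing in for exactly one left-most label. The sample config and SAN list are constructed; pass a PEM certificate and a vhost file as arguments to check real ones.

```ruby
require 'openssl'

# Host names from Apache vhost config text (ServerName / ServerAlias lines).
# Quotes around names, as in the configs posted in this thread, are stripped.
def vhost_names(conf_text)
  conf_text.each_line.flat_map do |line|
    line = line.sub(/#.*/, '').strip
    next [] unless line =~ /\A(ServerName|ServerAlias)\s+(.+)\z/i
    $2.split.map { |n| n.delete('"“”').sub(/:\d+\z/, '').downcase }
  end.uniq
end

# DNS names listed in a PEM certificate's subjectAltName extension.
def cert_san_names(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip).grep(/\ADNS:/).map { |v| v[4..-1].downcase }
end

# A SAN covers a host if identical, or if it is a wildcard whose single
# left-most label stands in for exactly one label of the host.
def covered?(host, san)
  return host == san unless san.start_with?('*.')
  labels = host.split('.')
  labels.length > 1 && labels[1..-1] == san.split('.')[1..-1]
end

# Names from the config that no SAN in the list covers.
def uncovered_names(conf_text, sans)
  vhost_names(conf_text).reject { |h| sans.any? { |s| covered?(h, s) } }
end

# Constructed sample mirroring the vh1 layout from the thread.
SAMPLE_CONF = <<~CONF
  <VirtualHost *:443>
    ServerName "www.vh1.org"
    ServerAlias "vh1.org" mail.vh1.org
  </VirtualHost>
  <VirtualHost *:443>
    ServerName vh2.com
    ServerAlias www.vh2.com
  </VirtualHost>
CONF

if __FILE__ == $0
  # usage: check_vhost_cert.rb [cert.pem] [vhost.conf]; defaults use the sample
  sans = ARGV[0] ? cert_san_names(File.read(ARGV[0])) : ['vh1.org', 'www.vh1.org']
  missing = uncovered_names(ARGV[1] ? File.read(ARGV[1]) : SAMPLE_CONF, sans)
  puts(missing.empty? ? 'all vhost names covered' : "NOT covered: #{missing.join(' ')}")
end
```

With the sample inputs it reports mail.vh1.org, vh2.com and www.vh2.com as not covered, which is exactly the situation described in post #1.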


#10

Thanks @schoen nice hearing from you! I hope it is going well with you!

Usually, obtaining one certificate for the main server handled all the virtual hosts associated with the main server. That does not appear to be the way it works now.

I resolved the issue:

1. Modified the port 80 virtual host file: vh1-80.conf

<VirtualHost *:80>
    ServerName www.vh1.org
    ServerAlias vh1.org
    DocumentRoot "/var/www/html/vh1stuff"
    #UseCanonicalName off
    # NOTE REDIRECT: send all plain-HTTP requests to the HTTPS site
    Redirect / https://vh1.org/
    <Directory "/var/www/html/vh1stuff">
    </Directory>
</VirtualHost>

2. Created a 443 virtual host file: vh1-443.conf

#-------------------------#
#SSL for
#-------------------------#
<VirtualHost *:443>
    DocumentRoot "/var/www/html/vh1stuff"
    ServerName www.vh1.org
    ServerAlias vh1.org
    <Directory "/var/www/html/vh1stuff">
    </Directory>
</VirtualHost>

3. Ran the following

Turn off httpd:
# systemctl stop httpd

# ./certbot-auto certonly --standalone --agree-tos --email theemail@gmail.com -d vh1.org -d www.vh1.org

(output)

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.vh1.org
http-01 challenge for vh1.org
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/vh1.org/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/vh1.org/privkey.pem
    Your cert will expire on 2019-02-23. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again. To non-interactively renew all of your certificates, run
    “certbot-auto renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

4. Updated the 443 virtual host file (vh1-443.conf) with the SSL directives

#-------------------------#
#SSL for
#-------------------------#
<VirtualHost *:443>
    DocumentRoot "/var/www/html/vh1stuff"
    ServerName www.vh1.org
    ServerAlias vh1.org
    <Directory "/var/www/html/vh1stuff">
    </Directory>

    # (Updated with SSL)
    SSLEngine On
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder on

    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

    SSLCertificateFile      /etc/letsencrypt/live/vh1.org/fullchain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/vh1.org/privkey.pem
</VirtualHost>

5. Other things
    The virtual hosts are in separate files.
    Turn httpd back on: systemctl start httpd
    There must be a certificate for each virtual host.

I hope this helps!


#11

Hi @Anthon,

Thanks!

When you use certonly --standalone, you have to specify exactly what names will be covered by the resulting certificate (with -d options), you have to edit the configuration to make use of the new certificate (with SSLCertificateFile and SSLCertificateKeyFile directives), and you have to start and stop Apache (with systemctl commands). You did all of these things correctly, so there’s nothing wrong with this procedure.

But I don’t remember if you’ve used --apache (without certonly) instead of certonly --standalone before… it might improve your experience because it will try to identify the names covered by the various virtual hosts for you, and it will try to install the certificates for you, and you won’t need to stop and restart the web server. — Assuming that --apache can work in your configuration.


#12

Quite interesting!
As of now certificates have been successfully installed to cover server-1.com and vh-1.com. There are three more virtual hosts to apply certificates to. It is a puzzle that the certificate applied to server-1.com, which hosts the virtual hosts, does not apply to all the virtual hosts! That was the case. But I digress.

Two methods could be used to apply a certificate to the remaining three virtual hosts:

Method 1

systemctl stop httpd

./certbot-auto certonly --standalone --agree-tos --email theemail@gmail.com -d vh2.com -d www.vh2.com -d vh3.org -d www.vh3.org -d vh4.edu -d www.vh4.edu

configure/edit DNS configuration files for each virtual host with SSLCertificateFile and SSLCertificateKeyFile directives

systemctl start httpd

Method 2

# ./certbot-auto --apache --agree-tos --email theemail@gmail.com -d vh2.com -d www.vh2.com -d vh3.org -d www.vh3.org -d vh4.edu -d www.vh4.edu

The certificates will be installed!

Does that mean certbot will edit each DNS configuration file with SSLCertificateFile and SSLCertificateKeyFile directives?


#13

Each virtual host file, yes, I think so.


#14

Well, that is interesting. Thanks for your time, sir.