Certificate issue?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
I ran this command:

It produced this output:
eatdoori.dev and eatdoori.delivery
My web server is (include version):
Ubuntu 20.04
The operating system my web server runs on is (include version):
Apache/2.4.41 (Ubuntu)
My hosting provider, if applicable, is:
hetzner
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

Hey there,

I do not know what is wrong with my configuration, so I hope the swarm can help.

I have installed everything as always. However, there is a problem with my eatdoori.delivery domain. From my computer - despite deleting all cookies etc. - I get redirected to eatdoori.dev all the time. If I go incognito I get an unsafe eatdoori.delivery.

If I check it from other devices I get no redirect but an unsafe flag.

:confused:

Hi @doori and welcome to the LE community forum :slight_smile:

Let's start to unravel this mess with the output of:
sudo apachectl -t -D DUMP_VHOSTS

1 Like

@rg305 Thank you! :slight_smile:

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 eatdoori.dev (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default-le-ssl.conf:44)
port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default-le-ssl.conf:44)
port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)

1 Like

Well, based on that output, your server doesn't know what to do when anyone requests the FQDN "eatdoori.delivery".
It seems to be only configured (barely) for the other name.

The good news is that there are (at most) only two files to go through and edit/correct:
/etc/apache2/sites-enabled/000-default.conf
/etc/apache2/sites-enabled/000-default-le-ssl.conf

1 Like

Hm. Then I do not get it... Let me show you the files:

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =yoffi.eatdoori.dev [OR]
RewriteCond %{SERVER_NAME} =kokumy.eatdoori.dev [OR]
RewriteCond %{SERVER_NAME} =eatdoori.delivery [OR]
RewriteCond %{SERVER_NAME} =eatdoori.dev
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

and the 000-ssl :slight_smile:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf


ServerName eatdoori.dev
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias eatdoori.delivery
ServerAlias kokumy.eatdoori.delivery
ServerAlias yoffi.eatdoori.delivery
ServerAlias kokumy.eatdoori.dev
ServerAlias yoffi.eatdoori.dev
SSLCertificateFile /etc/letsencrypt/live/eatdoori.dev-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/eatdoori.dev-0001/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:80>

        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

# RewriteCond %{SERVER_NAME} =kokumy.thx4.com [OR]
# RewriteCond %{SERVER_NAME} =eatdoori.thx4.com [OR]
# RewriteCond %{SERVER_NAME} =yoffi.thx4.com [OR]
# RewriteCond %{SERVER_NAME} =thx4.com
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]


</VirtualHost>
</IfModule>

OK I see the alias there.
Maybe the apachectl isn't returning the complete result.

Let's have a look at:
certbot certificates

1 Like

Also, this whole section can be removed (from the 000-ssl file):

1 Like

First of all:

Thank you so much for taking your time and replying so fast! Appreciate it!

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: eatdoori.dev-0001
    Domains: eatdoori.dev eatdoori.delivery kokumy.eatdoori.dev yoffi.eatdoori.dev
    Expiry Date: 2022-01-24 14:49:19+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/eatdoori.dev-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/eatdoori.dev-0001/privkey.pem
  Certificate Name: eatdoori.dev
    Domains: eatdoori.dev eatdoori.delivery kokumy.eatdoori.dev www.eatdoori.delivery www.eatdoori.dev www.kokumy.eatdoori.dev www.yoffi.eatdoori.dev yoffi.eatdoori.dev
    Expiry Date: 2022-01-24 14:29:50+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/eatdoori.dev/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/eatdoori.dev/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 Like

Please make the following change to the 000-ssl file.

Change from this:

to this:

SSLCertificateFile    /etc/letsencrypt/live/eatdoori.dev/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/eatdoori.dev/privkey.pem

Then restart Apache and make sure your sites are working via HTTPS.
If so, then problem solved.
If not, we can continue.
But, in any case, also then do:
certbot delete --cert-name eatdoori.dev-0001

Here is a clear visual showing why you should switch to the second cert:

Cert #1:     eatdoori.dev     eatdoori.delivery     kokumy.eatdoori.dev     yoffi.eatdoori.dev

Cert #2:     eatdoori.dev     eatdoori.delivery     kokumy.eatdoori.dev     yoffi.eatdoori.dev
         www.eatdoori.dev www.eatdoori.delivery www.kokumy.eatdoori.dev www.yoffi.eatdoori.dev 
1 Like

Nice. That seems to work. Now I have to figure out why my Chrome is redirecting me to eatdoori.dev. :smiley:

Thank you!

1 Like

Is it always better to include www. within the certificates?

If you want to service all sorts...
Some people never type the "www" (even when it is shown/mentioned in the URL).
Some people always type in the "www" (even when you explicitly exclude it from the URL).
So it's best to accept it both ways and then redirect them to whichever you prefer.

2 Likes
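As an added example (not code from the thread, certbot or Apache), this script takes `certbot certificates` output and the `*:443` vhost and reports, per lineage, which ServerName/ServerAlias names (plus their www. variants, per the advice above) the certificate does not cover, and whether that lineage is the one the vhost actually loads. The two inputs are constructed to mirror what was posted above; in practice you would feed it the real command output and the real vhost file.

```python
import re

# Constructed sample of `certbot certificates` output, shaped like the thread's.
CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: eatdoori.dev-0001
    Domains: eatdoori.dev eatdoori.delivery kokumy.eatdoori.dev yoffi.eatdoori.dev
    Certificate Path: /etc/letsencrypt/live/eatdoori.dev-0001/fullchain.pem
  Certificate Name: eatdoori.dev
    Domains: eatdoori.dev eatdoori.delivery kokumy.eatdoori.dev www.eatdoori.delivery www.eatdoori.dev www.kokumy.eatdoori.dev www.yoffi.eatdoori.dev yoffi.eatdoori.dev
    Certificate Path: /etc/letsencrypt/live/eatdoori.dev/fullchain.pem
"""

# Constructed *:443 vhost fragment: the names it answers for and the lineage it loads.
VHOST = """\
ServerName eatdoori.dev
ServerAlias eatdoori.delivery
ServerAlias kokumy.eatdoori.dev
ServerAlias yoffi.eatdoori.dev
SSLCertificateFile /etc/letsencrypt/live/eatdoori.dev-0001/fullchain.pem
"""

def parse_lineages(text):
    """Map each certbot lineage name to (set of SAN names, fullchain path)."""
    lineages = {}
    for block in re.split(r"\n(?=  Certificate Name:)", text):
        name = re.search(r"Certificate Name: (\S+)", block)
        doms = re.search(r"Domains: (.*)", block)
        path = re.search(r"Certificate Path: (\S+)", block)
        if name and doms and path:
            lineages[name.group(1)] = (set(doms.group(1).split()), path.group(1))
    return lineages

def vhost_names(conf, with_www=True):
    """All ServerName/ServerAlias values; optionally add the www. form of each."""
    names = set(re.findall(r"^\s*Server(?:Name|Alias)\s+(\S+)", conf, re.M))
    if with_www:
        names |= {"www." + n for n in names if not n.startswith("www.")}
    return names

def vhost_cert(conf):
    """The fullchain path this vhost loads, or None if it sets no SSLCertificateFile."""
    m = re.search(r"^\s*SSLCertificateFile\s+(\S+)", conf, re.M)
    return m.group(1) if m else None

def coverage_report(conf, certbot_text):
    """Per lineage: is it the loaded one, and which wanted names it cannot serve."""
    wanted, loaded = vhost_names(conf), vhost_cert(conf)
    return {name: {"loaded": path == loaded, "missing": sorted(wanted - sans)}
            for name, (sans, path) in parse_lineages(certbot_text).items()}
```

A lineage with an empty `missing` list is the one the vhost should point at; a loaded lineage with a non-empty list is exactly the mismatch the thread fixed.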

Try clearing the browser cache.
I checked all 16 possible choices and they are all working as expected.

2 Likes
