Certificate works only on domain.gr not on www.domain.gr

My domain is: www.efpsychis.gr

My web server is (include version): nginx and docker

The operating system my web server runs on is (include version): linux

My hosting provider, if applicable, is: digital ocean droplet

I can login to a root shell on my machine (yes or no, or I don't know): yes

i installed a certificate using certbot on efpsychis.gr , when visiting www.efpsychis.gr cert not working.

Hi @Inpanic4, and welcome to the LE community forum :slight_smile:

You need to get a certificate that has both names on it.

What was the certbot command used to get the certificate?

4 Likes

[unrelated to your problem]
Also, the site permits some weak ptotocols and ciphers:
SSL Server Test: efpsychis.gr (Powered by Qualys SSL Labs)

5 Likes

Thanks for the quick reply!!
docker compose -f docker-compose.prod.yml run --rm certbot certonly -d efpsychis.gr
after some searching i also generated a cert for www.efpsychis.gr using the same command as above

the docker compose has the volumes at nginx container and certbot image

ssl checker says : Hostname: close Doesn't match Common Name or/and SANs

Try:

docker compose -f docker-compose.prod.yml run \
--rm certbot certonly -d efpsychis.gr -d www.efpsychis.gr

[if you haven't already done so]

4 Likes

The certonly subcommand will only get you a certificate, you need to install it yourself. If you installed it incorrectly into your webserver, you can get these kind of inconsistent results.

Speaking about inconsistent: looking at your cert history at crt.sh | efpsychis.gr it looks like you've renewed most of the older certs except for the www subdomain. And the dates of renewal are also not consistent it seems: the latest cert for `awstats was issued a day after you'd expect. Do you have renewal automated?

Also, I'm interested what kind of certificates are currently available to Certbot, as it's relatively easy to suddenly have two certs for the domain with overlapping certs. Usually you could just run sudo certbot certificates, but with Docker I have no idea how that would work.

4 Likes

Found the following certs:
Certificate Name: efpsychis.gr
Serial Number: 33e1412e7f86573d1524062f74779a2338c
Key Type: ECDSA
Domains: efpsychis.gr
Expiry Date: 2023-05-13 18:12:16+00:00 (VALID: 74 days)
Certificate Path: /etc/letsencrypt/live/efpsychis.gr/fullchain.pem
Private Key Path: /etc/letsencrypt/live/efpsychis.gr/privkey.pem
Certificate Name: www.efpsychis.gr
Serial Number: 33baed59aafbf72b26cca6903cfdc533f82
Key Type: ECDSA
Domains: www.efpsychis.gr
Expiry Date: 2023-05-28 17:40:48+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.efpsychis.gr/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.efpsychis.gr/privkey.pem

1 Like

Unless you are providing different content for each name, they could easily be served from the same vhost and using one certificate [with both names on it].

Each LE certificate can hold up to 100 names.

3 Likes

I agree with Rudy, especially for the www subdomain I would integrate both hostnames into a single certificate.

4 Likes

Renewing an existing certificate for efpsychis.gr and www.efpsychis.gr

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/efpsychis.gr/fullchain.pem
Key is saved at: /etc/letsencrypt/live/efpsychis.gr/privkey.pem
This certificate expires on 2023-05-28.
These files will be updated when the certificate renews.

Show again:
certbot certificates

3 Likes

Found the following certs:
Certificate Name: efpsychis.gr
Serial Number: 4dac247ca584bb40229e40c22dabc0e0d0b
Key Type: ECDSA
Domains: efpsychis.gr www.efpsychis.gr
Expiry Date: 2023-05-28 18:09:29+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/efpsychis.gr/fullchain.pem
Private Key Path: /etc/letsencrypt/live/efpsychis.gr/privkey.pem
Certificate Name: www.efpsychis.gr
Serial Number: 33baed59aafbf72b26cca6903cfdc533f82
Key Type: ECDSA
Domains: www.efpsychis.gr
Expiry Date: 2023-05-28 17:40:48+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.efpsychis.gr/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.efpsychis.gr/privkey.pem

1 Like

OK, you can remove the second cert:
certbot delete --cert-name www.efpsychis.gr

Then restart/reload the web server for it to use the latest cert.

5 Likes

You rock!! Thanks

4 Likes

Now the site can be reached (securely) via both names:
SSL Server Test: efpsychis.gr (Powered by Qualys SSL Labs)
SSL Server Test: www.efpsychis.gr (Powered by Qualys SSL Labs)

That said, it is still showing some very weak protocols and ciphers :frowning:

Cheers from Miami :beers:

Also, if you registered your email address when obtaining the certs, you should expect an expiration notice about that deleted second cert in about 70 days. You can safely ignore those. :slight_smile:

6 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.