Certs for multiple vhosts on Lighttpd

Domain: cpcnw.co.uk
Httpd: Lighttpd 1.4.53
OS: Linux 4.19.66-v7+ #1253 SMP Thu Aug 15 11:49:46 BST 2019 armv7l
Got Root: Yes
Host: Self
Certbot Ver: 0.31.0

Hi, first post on LE :slight_smile:

I have had a cert served by Lighty / LE for a long time now, very happy! Now I want to add another vhost and another cert for that vhost [same IP]. In lighttpd.conf it looks like:

$HTTP["host"] =~ "(^|\.)cpcnw\.co.uk$" {
    server.document-root        = "/mnt/webdir/http"
    server.error-handler-404    = "/404.htm"
}
$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ "(^|\.)cpcnw\.co.uk$" {
        url.redirect = ( "^/(.*)" => "https://www.cpcnw.co.uk/$1" )
    }
}

and I have added another vhost in a similar way:

$HTTP["host"] =~ "(^|\.)newdomain\.co.uk$" {
    server.document-root        = "/mnt/webdir/http2"
    server.error-handler-404    = "/error404.php"
}
$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ "(^|\.)newdomain\.co.uk$" {
        url.redirect = ( "^/(.*)" => "https://www.newdomain.co.uk/$1" )
    }
}

I then ran this command to expand on the existing cert:

certbot certonly --webroot -w /mnt/webdir/http -d www.cpcnw.co.uk -w /mnt/webdir/http2 -d www.newdomain.co.uk

This produced no errors and a success message. The only thing is, when I test newdomain with an online SSL test it says:

Certificate name mismatch

Try these other domain names (extracted from the certificates): www.cpcnw.co.uk

We were able to retrieve a certificate for this site, but the domain names listed in it do not match the domain name you requested us to inspect. It's possible that:

The web site does not use SSL, but shares an IP address with some other site that does.

I tried restarting lighty and rebooting the OS, but it looks like the new combined certificate isn't working for the newdomain?

Any tips / tests etc - thanks!

Please show:

  • the output of the command: sudo certbot certificates
  • where in "lighty" the certificate(s) is/are configured.

Found the following certs:
Certificate Name: www.cpcnw.co.uk
Domains: www.cpcnw.co.uk
Expiry Date: 2022-07-29 13:49:04+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.cpcnw.co.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.cpcnw.co.uk/privkey.pem
Certificate Name: www.tarletoncomputers.co.uk
Domains: www.tarletoncomputers.co.uk
Expiry Date: 2022-07-29 12:02:51+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.tarletoncomputers.co.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.tarletoncomputers.co.uk/privkey.pem


Also, I have since updated the second vhost (i.e. tarleton) config in /etc/lighttpd/lighttpd.conf as follows:

$HTTP["host"] =~ "(^|\.)tarletoncomputers\.co.uk$" {
    server.document-root        = "/mnt/webdir/http2"
    server.error-handler-404    = "/error404.php"
    $SERVER["socket"] == ":443" {
        protocol = "https://"
        ssl.engine = "enable"
        ssl.pemfile = "/etc/letsencrypt/live/www.tarletoncomputers.co.uk/fullchain.pem"
        ssl.privkey = "/etc/letsencrypt/live/www.tarletoncomputers.co.uk/privkey.pem"
        ssl.ca-file = "/etc/letsencrypt/live/www.tarletoncomputers.co.uk/fullchain.pem"
        ssl.ec-curve = "secp384r1"
        setenv.add-environment = ( "HTTPS" => "on" )
        ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
        ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
        ssl.honor-cipher-order = "disable"
        ssl.disable-client-renegotiation = "enable"
    }
}
$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ "(^|\.)tarletoncomputers\.co.uk$" {
        url.redirect = ( "^/(.*)" => "https://www.tarletoncomputers.co.uk/$1" )
    }
}

After restarting Lighty, the SSL Server Test (Powered by Qualys SSL Labs) analysis gives me an A+; however, there is a section in red bold "Alternative names www.cpcnw.co.uk MISMATCH", and if I go to a browser the site is still showing as unsecured.

Read the SNI section here: Docs SSL - Lighttpd - lighty labs


Thanks 9peppe - that sorted it!

I have put the entire $SERVER["socket"] == ":443" section right at the top of my lighttpd.conf and included the individual additional domain ssl.pemfile = directive underneath the relevant vhost section.

Thanks a mill!

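The layout that reply describes, written out as an added example (not the poster's actual lighttpd.conf): one top-level $SERVER["socket"] == ":443" block that enables TLS and carries a default certificate, and a per-vhost ssl.pemfile/ssl.privkey under each $HTTP["host"] condition so lighttpd selects the certificate by SNI. Certificate paths are the ones from the certbot output above; choosing www.cpcnw.co.uk as the default certificate is an assumption.

```conf
# Global TLS listener: declared once at top level, NOT nested inside a
# $HTTP["host"] condition, so every vhost is served through the same socket.
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    # Default certificate, used when a client sends no SNI name or an unknown
    # one (assumption: the original domain acts as the default).
    ssl.pemfile = "/etc/letsencrypt/live/www.cpcnw.co.uk/fullchain.pem"
    ssl.privkey = "/etc/letsencrypt/live/www.cpcnw.co.uk/privkey.pem"
    ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
}

# Per-vhost certificate selection: lighttpd matches the SNI name the client
# sends against these $HTTP["host"] conditions and serves that vhost's pemfile.
$HTTP["host"] =~ "(^|\.)cpcnw\.co.uk$" {
    server.document-root     = "/mnt/webdir/http"
    server.error-handler-404 = "/404.htm"
    ssl.pemfile = "/etc/letsencrypt/live/www.cpcnw.co.uk/fullchain.pem"
    ssl.privkey = "/etc/letsencrypt/live/www.cpcnw.co.uk/privkey.pem"
}

$HTTP["host"] =~ "(^|\.)tarletoncomputers\.co.uk$" {
    server.document-root     = "/mnt/webdir/http2"
    server.error-handler-404 = "/error404.php"
    ssl.pemfile = "/etc/letsencrypt/live/www.tarletoncomputers.co.uk/fullchain.pem"
    ssl.privkey = "/etc/letsencrypt/live/www.tarletoncomputers.co.uk/privkey.pem"
}

# Plain-HTTP to HTTPS redirects stay as they were, one per vhost.
$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ "(^|\.)cpcnw\.co.uk$" {
        url.redirect = ( "^/(.*)" => "https://www.cpcnw.co.uk/$1" )
    }
    $HTTP["host"] =~ "(^|\.)tarletoncomputers\.co.uk$" {
        url.redirect = ( "^/(.*)" => "https://www.tarletoncomputers.co.uk/$1" )
    }
}
```

To confirm each name gets its own certificate, check with a client that sends SNI (for example openssl s_client -servername <host> -connect <ip>:443) and compare the subject of the returned certificate for both hostnames; a mismatch on the second name means the per-vhost ssl.pemfile is not being picked up.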
