Changing the name of a subdomain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: perot.org.il

I ran this command: certbot renew

It produced this output: Cert not yet due for renewal

My web server is (include version): apache 2.4.18 Server built: 2019-09-16T13:13:53

The operating system my web server runs on is (include version): Ubuntu 16.04.4 LTS

My hosting provider, if applicable, is: Amazon Web Services

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Hi,
I have a Drupal multisite on an AWS server.
I have installed certbot and requested an SSL certificate for all the domains at once.
The setup contains a virtual host arrangement under “bluetlv.com”.
The particular domain (out of this group) was new.perot.org.il, and for this domain I got certified and still am.
The base domain, “perot.org.il”, was hosted elsewhere.
Now, at last, new.perot.org.il needs to become the actual site, so I changed the DNS to point to this server and changed the details in the “virtual host” file in the hope that a new certificate would be generated; to my disappointment it was not.
The virtual host file was and still is named “perot.org.il.conf”.
The inside was:

<VirtualHost *:80>
    ServerName new.perot.org.il
    #ServerAlias www.new.perot.org.il
    ServerAdmin shimon@dekel.me
    DocumentRoot /var/www/html/drupal
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =new.perot.org.il
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet


I have changed all new.perot.org.il to perot.org.il and ran “certbot renew”.
Obviously this did not work.
My question is: what do I need to do in order to create a certificate for “perot.org.il”?
Thanks in advance
Shimon Dekel

You need to request a new cert (not a renewal); as this domain is new to this system, it had no previous cert to renew for this name.


Hi,
Thanks for your help, but I am not there yet.
As I mentioned before, the virtual host files were named perot.org.il.conf but the site certified was new.perot.org.il.
I edited the file to reflect the name perot.org.il and I deleted the perot.org.il-le-ssl.conf to reflect a new site.
I ran “sudo a2ensite perot.org.il.conf” and restarted apache2.
I then tried generating a new certificate by doing “sudo certbot --apache -d perot.org.il -d www.perot.org.il”
and this is what I got:

root@ip-172-31-17-193:/etc/apache2# sudo certbot --apache -d perot.org.il -d www.perot.org.il
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/perot.org.il.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Keeping the existing certificate
Created an SSL vhost at /etc/apache2/sites-available/perot.org.il-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/perot.org.il-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/perot.org.il-le-ssl.conf

We were unable to find a vhost with a ServerName or Address of www.perot.org.il.
Which virtual host would you like to choose?


1: perot.org.il.conf | perot.org.il | | Enabled
2: default-ssl.conf | | HTTPS | Enabled
3: gidan.com-le-ssl.conf | invoice.gidan.com | HTTPS | Enabled
4: winflow.net.conf | Multiple Names | | Enabled
5: cafealma.co.il.conf | Multiple Names | | Enabled
6: cafealma.co.il-le-ssl.conf | Multiple Names | HTTPS | Enabled
7: gidan.com.conf | invoice.gidan.com | | Enabled
8: bluetlv.com.conf | Multiple Names | | Enabled
9: bluetlv.com-le-ssl.conf | Multiple Names | HTTPS | Enabled
10: hobbygap.com.conf | Multiple Names | | Enabled
11: winflow.net-le-ssl.conf | Multiple Names | HTTPS | Enabled
12: hobbygap.com-le-ssl.conf | Multiple Names | HTTPS | Enabled
13: perot.org.il-le-ssl.conf | perot.org.il | HTTPS | Enabled


Select the appropriate number [1-13] then [enter] (press ‘c’ to cancel): 1
The selected vhost would conflict with other HTTPS VirtualHosts within Apache. Please select another vhost or add ServerNames to your configuration.
VirtualHost not able to be selected.

IMPORTANT NOTES:

  • Unable to install the certificate
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/perot.org.il/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/perot.org.il/privkey.pem
    Your cert will expire on 2020-08-10. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”
  • Some rewrite rules copied from
    /etc/apache2/sites-enabled/perot.org.il.conf were disabled in the
    vhost for your HTTPS site located at
    /etc/apache2/sites-available/perot.org.il-le-ssl.conf because they
    have the potential to create redirection loops.
root@ip-172-31-17-193:/etc/apache2#

==========================================
I am lost here, what should I do?
Thanks in advance for any help.
Shimon Dekel

Start with:
sudo apachectl -S

[that will show which names are being used and in which files - you need to correct the conflicting name overlap before you continue]

Thanks for your help.
I ran the “sudo apachectl -S”
I got this: note that perot.org.il is showing under port 80 and not under port 443

root@ip-172-31-17-193:/etc/apache2# sudo apachectl -S
VirtualHost configuration:
*:443 is a NameVirtualHost
default server bluetlv.com (/etc/apache2/sites-enabled/bluetlv.com-le-ssl.conf:2)
port 443 namevhost bluetlv.com (/etc/apache2/sites-enabled/bluetlv.com-le-ssl.conf:2)
alias www.bluetlv.com
port 443 namevhost cafealma.co.il (/etc/apache2/sites-enabled/cafealma.co.il-le-ssl.conf:2)
alias www.cafealma.co.il
port 443 namevhost ip-172-31-17-193.eu-west-1.compute.internal (/etc/apache2/sites-enabled/default-ssl.conf:2)
port 443 namevhost invoice.gidan.com (/etc/apache2/sites-enabled/gidan.com-le-ssl.conf:2)
port 443 namevhost hobbygap.com (/etc/apache2/sites-enabled/hobbygap.com-le-ssl.conf:2)
alias www.hobbygap.com
port 443 namevhost winflow.net (/etc/apache2/sites-enabled/winflow.net-le-ssl.conf:2)
alias demo.winflow.net
*:80 is a NameVirtualHost
default server bluetlv.com (/etc/apache2/sites-enabled/bluetlv.com.conf:1)
port 80 namevhost bluetlv.com (/etc/apache2/sites-enabled/bluetlv.com.conf:1)
alias www.bluetlv.com
port 80 namevhost cafealma.co.il (/etc/apache2/sites-enabled/cafealma.co.il.conf:1)
alias www.cafealma.co.il
port 80 namevhost invoice.gidan.com (/etc/apache2/sites-enabled/gidan.com.conf:1)
port 80 namevhost hobbygap.com (/etc/apache2/sites-enabled/hobbygap.com.conf:1)
alias www.hobbygap.com
port 80 namevhost perot.org.il (/etc/apache2/sites-enabled/perot.org.il.conf:1)
port 80 namevhost winflow.net (/etc/apache2/sites-enabled/winflow.net.conf:1)
alias demo.winflow.net
ServerRoot: “/etc/apache2”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/var/log/apache2/error.log”
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: “/var/run/apache2/apache2.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“www-data” id=33
Group: name=“www-data” id=33

===============================

There must be something in one of these two files that is giving certbot parsing issues.
[certbot doesn’t “understand”]

Please show the files:

OR

You may have “deleted” a file incorrectly [“perot.org.il-le-ssl.conf”]
Please show output of:
ls -l /etc/apache2/sites-enabled/

root@ip-172-31-17-193:/etc/apache2# ls -l /etc/apache2/sites-enabled/
total 4
-rw-r--r-- 1 root root 1332 Mar 19 2016 000-default.conf~
lrwxrwxrwx 1 root root 35 Feb 8 04:50 bluetlv.com.conf -> ../sites-available/bluetlv.com.conf
lrwxrwxrwx 1 root root 52 Feb 8 14:11 bluetlv.com-le-ssl.conf -> /etc/apache2/sites-available/bluetlv.com-le-ssl.conf
lrwxrwxrwx 1 root root 38 Feb 8 04:52 cafealma.co.il.conf -> ../sites-available/cafealma.co.il.conf
lrwxrwxrwx 1 root root 55 Feb 8 14:11 cafealma.co.il-le-ssl.conf -> /etc/apache2/sites-available/cafealma.co.il-le-ssl.conf
lrwxrwxrwx 1 root root 35 Feb 8 08:30 default-ssl.conf -> ../sites-available/default-ssl.conf
lrwxrwxrwx 1 root root 33 Mar 2 03:50 gidan.com.conf -> ../sites-available/gidan.com.conf
lrwxrwxrwx 1 root root 50 Mar 2 04:27 gidan.com-le-ssl.conf -> /etc/apache2/sites-available/gidan.com-le-ssl.conf
lrwxrwxrwx 1 root root 36 Feb 8 08:31 hobbygap.com.conf -> ../sites-available/hobbygap.com.conf
lrwxrwxrwx 1 root root 53 Feb 8 14:11 hobbygap.com-le-ssl.conf -> /etc/apache2/sites-available/hobbygap.com-le-ssl.conf
lrwxrwxrwx 1 root root 36 May 13 02:08 perot.org.il.conf -> ../sites-available/perot.org.il.conf
lrwxrwxrwx 1 root root 35 Feb 8 14:23 winflow.net.conf -> ../sites-available/winflow.net.conf
lrwxrwxrwx 1 root root 52 Feb 8 14:23 winflow.net-le-ssl.conf -> /etc/apache2/sites-available/winflow.net-le-ssl.conf
root@ip-172-31-17-193:/etc/apache2# ^C
root@ip-172-31-17-193:/etc/apache2#

There is only one perot.org.il file there…

lrwxrwxrwx 1 root root 36 May 13 02:08 perot.org.il.conf -> ../sites-available/perot.org.il.conf

So the problem may be in the renewal folder.
Please show:
ls -l /etc/letsencrypt/renewal/


root@ip-172-31-17-193:/etc/apache2# ls -l /etc/letsencrypt/renewal/
total 20
-rw-r--r-- 1 root root 539 May 3 05:08 demo.winflow.net.conf
-rw-r--r-- 1 root root 519 May 3 05:08 hobbygap.com.conf
-rw-r--r-- 1 root root 544 May 3 05:08 invoice.gidan.com.conf
-rw-r--r-- 1 root root 539 May 3 05:08 new.perot.org.il.conf
-rw-r--r-- 1 root root 519 May 13 00:17 perot.org.il.conf
root@ip-172-31-17-193:/etc/apache2#

We need to see these files.
I suspect one is good and one is not.
cat /etc/letsencrypt/renewal/new.perot.org.il.conf
cat /etc/letsencrypt/renewal/perot.org.il.conf

root@ip-172-31-17-193:/etc/apache2# cat /etc/letsencrypt/renewal/new.perot.org.il.conf

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/new.perot.org.il
cert = /etc/letsencrypt/live/new.perot.org.il/cert.pem
privkey = /etc/letsencrypt/live/new.perot.org.il/privkey.pem
chain = /etc/letsencrypt/live/new.perot.org.il/chain.pem
fullchain = /etc/letsencrypt/live/new.perot.org.il/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
server = https://acme-v02.api.letsencrypt.org/directory
account = f0e6e552aec923e4bf0449dcc5a9f36d
installer = apache
root@ip-172-31-17-193:/etc/apache2#
root@ip-172-31-17-193:/etc/apache2#
root@ip-172-31-17-193:/etc/apache2#
root@ip-172-31-17-193:/etc/apache2#
root@ip-172-31-17-193:/etc/apache2# cat /etc/letsencrypt/renewal/perot.org.il.conf

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/perot.org.il
cert = /etc/letsencrypt/live/perot.org.il/cert.pem
privkey = /etc/letsencrypt/live/perot.org.il/privkey.pem
chain = /etc/letsencrypt/live/perot.org.il/chain.pem
fullchain = /etc/letsencrypt/live/perot.org.il/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = f0e6e552aec923e4bf0449dcc5a9f36d
server = https://acme-v02.api.letsencrypt.org/directory
installer = apache
authenticator = apache
root@ip-172-31-17-193:/etc/apache2#

We skipped this step:

Please also show output of:
certbot certificates

root@ip-172-31-17-193:/etc/apache2# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: demo.winflow.net
Domains: demo.winflow.net
Expiry Date: 2020-08-01 04:08:03+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/demo.winflow.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/demo.winflow.net/privkey.pem
Certificate Name: hobbygap.com
Domains: bluetlv.com cafealma.co.il hobbygap.com new.perot.org.il www.bluetlv.com www.cafealma.co.il www.hobbygap.com
Expiry Date: 2020-08-01 04:08:17+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/hobbygap.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/hobbygap.com/privkey.pem
Certificate Name: invoice.gidan.com
Domains: invoice.gidan.com
Expiry Date: 2020-08-01 04:08:28+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/invoice.gidan.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/invoice.gidan.com/privkey.pem
Certificate Name: new.perot.org.il
Domains: new.perot.org.il
Expiry Date: 2020-08-01 04:08:32+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/new.perot.org.il/fullchain.pem
Private Key Path: /etc/letsencrypt/live/new.perot.org.il/privkey.pem
Certificate Name: perot.org.il
Domains: perot.org.il www.perot.org.il
Expiry Date: 2020-08-10 23:17:11+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/perot.org.il/fullchain.pem
Private Key Path: /etc/letsencrypt/live/perot.org.il/privkey.pem


root@ip-172-31-17-193:/etc/apache2#

The certs look good (no name overlap):

Certificate Name: new.perot.org.il
Domains: new.perot.org.il
Expiry Date: 2020-08-01 04:08:32+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/new.perot.org.il/fullchain.pem
Private Key Path: /etc/letsencrypt/live/new.perot.org.il/privkey.pem

Certificate Name: perot.org.il
Domains: perot.org.il www.perot.org.il
Expiry Date: 2020-08-10 23:17:11+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/perot.org.il/fullchain.pem
Private Key Path: /etc/letsencrypt/live/perot.org.il/privkey.pem

The renewal conf files look good too.
The problem must be in the vhost config files.

Please show this file:

and I don’t know where the file is for this info (but we need to see it too):

cat /etc/apache2/sites-enabled/perot.org.il.conf

find / -name perot.org.il-le-ssl.conf

root@ip-172-31-17-193:/etc/apache2# ll /etc/apache2/sites-enabled/perot.org.il.conf
lrwxrwxrwx 1 root root 36 May 13 02:08 /etc/apache2/sites-enabled/perot.org.il.conf -> ../sites-available/perot.org.il.conf
root@ip-172-31-17-193:/etc/apache2#

root@ip-172-31-17-193:/etc/apache2# cat /etc/apache2/sites-enabled/perot.org.il.conf
<VirtualHost *:80>
    ServerName perot.org.il
    #ServerAlias www.perot.org.il
    ServerAdmin shimon@dekel.me
    DocumentRoot /var/www/html/drupal
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =perot.org.il
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

=================================
The file “perot.org.il-le-ssl.conf” is not there (The computer is still searching but I know it’s not there)

The WWW is commented out.
Which explains why:

And any choices would fail.

Oops! I corrected this, but I can only retry this at night, as the DNS is now pointing to the old site.
I will be able to retry in about 11 hours.
What about the missing file?

I don’t understand where it is and how it is being loaded.
But it should not be causing any problem.
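
The check this thread converges on, as an added example that is not part of any post: every name passed to `certbot --apache -d` has to appear as a ServerName or alias in the `apachectl -S` listing, otherwise certbot stops at the "unable to find a vhost" prompt. The function names and the abridged sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list requested certificate names that
# no Apache vhost answers to, based on `apachectl -S` output.

# vhost_names PORT: read `apachectl -S` output on stdin and print every
# ServerName (namevhost) and alias served on PORT, one per line.
vhost_names() {
    awk -v port="$1" '
        $1 == "port" && $3 == "namevhost" { cur = $2; if (cur == port) print $4; next }
        $1 == "alias"                     { if (cur == port) print $2; next }
        { cur = "" }   # any other line ends the current vhost entry
    '
}

# missing_names PORT NAME...: print each NAME that no vhost on PORT answers to.
missing_names() {
    port=$1; shift
    served=$(vhost_names "$port")
    for name in "$@"; do
        printf '%s\n' "$served" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample: abridged from the `apachectl -S` output in this thread.
sample_output() {
    cat <<'EOF'
VirtualHost configuration:
*:443 is a NameVirtualHost
default server bluetlv.com (/etc/apache2/sites-enabled/bluetlv.com-le-ssl.conf:2)
port 443 namevhost bluetlv.com (/etc/apache2/sites-enabled/bluetlv.com-le-ssl.conf:2)
alias www.bluetlv.com
*:80 is a NameVirtualHost
default server bluetlv.com (/etc/apache2/sites-enabled/bluetlv.com.conf:1)
port 80 namevhost bluetlv.com (/etc/apache2/sites-enabled/bluetlv.com.conf:1)
alias www.bluetlv.com
port 80 namevhost perot.org.il (/etc/apache2/sites-enabled/perot.org.il.conf:1)
EOF
}

# On a live server (assumed invocation):
#   sudo apachectl -S 2>/dev/null | missing_names 80 perot.org.il www.perot.org.il
sample_output | missing_names 80 perot.org.il www.perot.org.il
```

Names are compared literally, so a wildcard ServerAlias is not expanded. An empty result for port 80 means each requested name has a vhost that certbot's apache plugin can match.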