Changing the name of a subdomain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:perot.org.il

I ran this command: certbot renew

It produced this output: Cert not yet due for renewal

My web server is (include version): apache 2.4.18 Server built: 2019-09-16T13:13:53

The operating system my web server runs on is (include version): Ubuntu 16.04.4 LTS

My hosting provider, if applicable, is: Amazon Web Services

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):certbot 0.31.0

Hi,
I have a Drupal multisite on AWS server.
I have install certbot and requested SSL certificate for all the domains at once
The setup contains a virtual host arrangement under ā€œbluetlv.comā€.
the particular domain (out of this group) was new.perot.org.il and for this domain, I got certify and still am.
the base domain: ā€œperot.org.ilā€ was hosted elsewhere.
Now, at last, the new.perot.org.il needs to become the actual site so I change the DNS to point to this server and change the details in the ā€œvirtual hostā€ file in the hope that new certificate will be generated’ to my disappointment it did not.
the virtual host file was and still is named ā€œperot.org.il.confā€
The inside was:

<VirtualHost *:80>
ServerName new.perot.org.il
#ServerAlias www.new.perot.org.il
ServerAdmin shimon@dekel.me
DocumentRoot /var/www/html/drupal
ErrorLog {APACHE_LOG_DIR}/error.log CustomLog {APACHE_LOG_DIR}/access.log combined

RewriteEngine on
RewriteCond %{SERVER_NAME} =new.perot.org.il
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

vim: syntax=apache ts=4 sw=4 sts=4 sr noet


I have changed all new.perot.org.il to perot.org.il and ran ā€œcertbot renewā€
Obviously this did not work.
My question is: what do I need to do in order to create a certificate for ā€œperot.org.ilā€
Thanks in advanced
Shimon Dekel

You need to request a new cert (not a renewal); as this domain is new to this system, it had no previous cert to renew for this name.

Hi,
Thanks for your help, but I not there yet.
As I mansion before the Virtual host files where named perot.org.il.conf but the site certify was new.perot.org.il.
I edited the file to reflect the name perot.org.il and I deleted the perot.org.il-le-ssl.conf to reflect a new site.
I ran ā€œsudo a2ensite perot.org.il.confā€ and restarted the apache2
I then tried generating a new certificate doing"ā€œsudo certbot --apache -d perot.org.il -d www.perot.org.ilā€
and this is what I got:

root@ip-172-31-17-193:/etc/apache2# sudo certbot --apache -d perot.org.il -d www.perot.org.il
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/perot.org.il.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press ā€˜c’ to cancel): 1
Keeping the existing certificate
Created an SSL vhost at /etc/apache2/sites-available/perot.org.il-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/perot.org.il-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/perot.org.il-le-ssl.conf

We were unable to find a vhost with a ServerName or Address of www.perot.org.il.
Which virtual host would you like to choose?


1: perot.org.il.conf | perot.org.il | | Enabled
2: default-ssl.conf | | HTTPS | Enabled
3: gidan.com-le-ssl.conf | invoice.gidan.com | HTTPS | Enabled
4: winflow.net.conf | Multiple Names | | Enabled
5: cafealma.co.il.conf | Multiple Names | | Enabled
6: cafealma.co.il-le-ssl.conf | Multiple Names | HTTPS | Enabled
7: gidan.com.conf | invoice.gidan.com | | Enabled
8: bluetlv.com.conf | Multiple Names | | Enabled
9: bluetlv.com-le-ssl.conf | Multiple Names | HTTPS | Enabled
10: hobbygap.com.conf | Multiple Names | | Enabled
11: winflow.net-le-ssl.conf | Multiple Names | HTTPS | Enabled
12: hobbygap.com-le-ssl.conf | Multiple Names | HTTPS | Enabled
13: perot.org.il-le-ssl.conf | perot.org.il | HTTPS | Enabled


Select the appropriate number [1-13] then [enter] (press ā€˜c’ to cancel): 1
The selected vhost would conflict with other HTTPS VirtualHosts within Apache. Please select another vhost or add ServerNames to your configuration.
VirtualHost not able to be selected.

IMPORTANT NOTES:

  • Unable to install the certificate
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/perot.org.il/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/perot.org.il/privkey.pem
    Your cert will expire on 2020-08-10. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the ā€œcertonlyā€ option. To non-interactively renew all of
    your certificates, run ā€œcertbot renewā€
  • Some rewrite rules copied from
    /etc/apache2/sites-enabled/perot.org.il.conf were disabled in the
    vhost for your HTTPS site located at
    /etc/apache2/sites-available/perot.org.il-le-ssl.conf because they
    have the potential to create redirection loops.
    root@ip-172-31-17-193:/etc/apache2#
    ==========================================
    I am lost here what should I do?
    Thanks in advance for any help.
    Shimon Dekel

Start with:
sudo apachectl -S

[that will show which names are being used and in which files - you need to correct the conflicting name overlap before you continue]

Thanks for your help.
I ran the ā€œsudo apachectl -Sā€
I got this: note that perot.org.il is showing under port 80 and not under port 443

root@ip-172-31-17-193:/etc/apache2# sudo apachectl -S
VirtualHost configuration:
*:443 is a NameVirtualHost
default server bluetlv.com (/etc/apache2/sites-enabled/bluetlv.com-le-ssl.conf:2)
port 443 namevhost bluetlv.com (/etc/apache2/sites-enabled/bluetlv.com-le-ssl.conf:2)
alias www.bluetlv.com
port 443 namevhost cafealma.co.il (/etc/apache2/sites-enabled/cafealma.co.il-le-ssl.conf:2)
alias www.cafealma.co.il
port 443 namevhost ip-172-31-17-193.eu-west-1.compute.internal (/etc/apache2/sites-enabled/default-ssl.conf:2)
port 443 namevhost invoice.gidan.com (/etc/apache2/sites-enabled/gidan.com-le-ssl.conf:2)
port 443 namevhost hobbygap.com (/etc/apache2/sites-enabled/hobbygap.com-le-ssl.conf:2)
alias www.hobbygap.com
port 443 namevhost winflow.net (/etc/apache2/sites-enabled/winflow.net-le-ssl.conf:2)
alias demo.winflow.net
*:80 is a NameVirtualHost
default server bluetlv.com (/etc/apache2/sites-enabled/bluetlv.com.conf:1)
port 80 namevhost bluetlv.com (/etc/apache2/sites-enabled/bluetlv.com.conf:1)
alias www.bluetlv.com
port 80 namevhost cafealma.co.il (/etc/apache2/sites-enabled/cafealma.co.il.conf:1)
alias www.cafealma.co.il
port 80 namevhost invoice.gidan.com (/etc/apache2/sites-enabled/gidan.com.conf:1)
port 80 namevhost hobbygap.com (/etc/apache2/sites-enabled/hobbygap.com.conf:1)
alias www.hobbygap.com
port 80 namevhost perot.org.il (/etc/apache2/sites-enabled/perot.org.il.conf:1)
port 80 namevhost winflow.net (/etc/apache2/sites-enabled/winflow.net.conf:1)
alias demo.winflow.net
ServerRoot: ā€œ/etc/apache2ā€
Main DocumentRoot: ā€œ/var/www/htmlā€
Main ErrorLog: ā€œ/var/log/apache2/error.logā€
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: ā€œ/var/run/apache2/apache2.pidā€
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=ā€œwww-dataā€ id=33
Group: name=ā€œwww-dataā€ id=33

===============================

There must be something in one of these two file that is giving certbot parsing issues.
[certbot doesn't "understand"]

Please show the files:

OR

You may have "deleted" a file incorrectly ["perot.org.il-le-ssl.conf"]
Please show output of:
ls -l /etc/apache2/sites-enabled/

root@ip-172-31-17-193:/etc/apache2# ls -l /etc/apache2/sites-enabled/
total 4
-rw-r–r-- 1 root root 1332 Mar 19 2016 000-default.conf~
lrwxrwxrwx 1 root root 35 Feb 8 04:50 bluetlv.com.conf -> …/sites-available/bluetlv.com.conf
lrwxrwxrwx 1 root root 52 Feb 8 14:11 bluetlv.com-le-ssl.conf -> /etc/apache2/sites-available/bluetlv.com-le-ssl.conf
lrwxrwxrwx 1 root root 38 Feb 8 04:52 cafealma.co.il.conf -> …/sites-available/cafealma.co.il.conf
lrwxrwxrwx 1 root root 55 Feb 8 14:11 cafealma.co.il-le-ssl.conf -> /etc/apache2/sites-available/cafealma.co.il-le-ssl.conf
lrwxrwxrwx 1 root root 35 Feb 8 08:30 default-ssl.conf -> …/sites-available/default-ssl.conf
lrwxrwxrwx 1 root root 33 Mar 2 03:50 gidan.com.conf -> …/sites-available/gidan.com.conf
lrwxrwxrwx 1 root root 50 Mar 2 04:27 gidan.com-le-ssl.conf -> /etc/apache2/sites-available/gidan.com-le-ssl.conf
lrwxrwxrwx 1 root root 36 Feb 8 08:31 hobbygap.com.conf -> …/sites-available/hobbygap.com.conf
lrwxrwxrwx 1 root root 53 Feb 8 14:11 hobbygap.com-le-ssl.conf -> /etc/apache2/sites-available/hobbygap.com-le-ssl.conf
lrwxrwxrwx 1 root root 36 May 13 02:08 perot.org.il.conf -> …/sites-available/perot.org.il.conf
lrwxrwxrwx 1 root root 35 Feb 8 14:23 winflow.net.conf -> …/sites-available/winflow.net.conf
lrwxrwxrwx 1 root root 52 Feb 8 14:23 winflow.net-le-ssl.conf -> /etc/apache2/sites-available/winflow.net-le-ssl.conf
root@ip-172-31-17-193:/etc/apache2# ^C
root@ip-172-31-17-193:/etc/apache2#

There is only one perot.org.il file there…

lrwxrwxrwx 1 root root 36 May 13 02:08 perot.org.il.conf -> …/sites-available/perot.org.il.conf

So the problem may be in the renewal folder.
Please show:
ls -l /etc/letsencrypt/renewal/


root@ip-172-31-17-193:/etc/apache2# ls -l /etc/letsencrypt/renewal/
total 20
-rw-r--r-- 1 root root 539 May 3 05:08 demo.winflow.net.conf
-rw-r--r-- 1 root root 519 May 3 05:08 hobbygap.com.conf
-rw-r--r-- 1 root root 544 May 3 05:08 invoice.gidan.com.conf
-rw-r--r-- 1 root root 539 May 3 05:08 new.perot.org.il.conf
-rw-r--r-- 1 root root 519 May 13 00:17 perot.org.il.conf
root@ip-172-31-17-193:/etc/apache2#

We need to see these files.
I suspect one is good and one is not.
cat /etc/letsencrypt/renewal/new.perot.org.il.conf
cat /etc/letsencrypt/renewal/perot.org.il.conf

root@ip-172-31-17-193:/etc/apache2# cat /etc/letsencrypt/renewal/new.perot.org.il.conf

renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/new.perot.org.il
cert = /etc/letsencrypt/live/new.perot.org.il/cert.pem
privkey = /etc/letsencrypt/live/new.perot.org.il/privkey.pem
chain = /etc/letsencrypt/live/new.perot.org.il/chain.pem
fullchain = /etc/letsencrypt/live/new.perot.org.il/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = apache
server = https://acme-v02.api.letsencrypt.org/directory
account = f0e6e552aec923e4bf0449dcc5a9f36d
installer = apache
root@ip-172-31-17-193:/etc/apache2#
root@ip-172-31-17-193:/etc/apache2#
root@ip-172-31-17-193:/etc/apache2#
root@ip-172-31-17-193:/etc/apache2#
root@ip-172-31-17-193:/etc/apache2# cat /etc/letsencrypt/renewal/perot.org.il.conf

renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/perot.org.il
cert = /etc/letsencrypt/live/perot.org.il/cert.pem
privkey = /etc/letsencrypt/live/perot.org.il/privkey.pem
chain = /etc/letsencrypt/live/perot.org.il/chain.pem
fullchain = /etc/letsencrypt/live/perot.org.il/fullchain.pem

Options used in the renewal process

[renewalparams]
account = f0e6e552aec923e4bf0449dcc5a9f36d
server = https://acme-v02.api.letsencrypt.org/directory
installer = apache
authenticator = apache
root@ip-172-31-17-193:/etc/apache2#

We skipped this step:

Please also show output of:
certbot certificates

root@ip-172-31-17-193:/etc/apache2# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: demo.winflow.net
Domains: demo.winflow.net
Expiry Date: 2020-08-01 04:08:03+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/demo.winflow.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/demo.winflow.net/privkey.pem
Certificate Name: hobbygap.com
Domains: bluetlv.com cafealma.co.il hobbygap.com new.perot.org.il www.bluetlv.com www.cafealma.co.il www.hobbygap.com
Expiry Date: 2020-08-01 04:08:17+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/hobbygap.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/hobbygap.com/privkey.pem
Certificate Name: invoice.gidan.com
Domains: invoice.gidan.com
Expiry Date: 2020-08-01 04:08:28+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/invoice.gidan.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/invoice.gidan.com/privkey.pem
Certificate Name: new.perot.org.il
Domains: new.perot.org.il
Expiry Date: 2020-08-01 04:08:32+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/new.perot.org.il/fullchain.pem
Private Key Path: /etc/letsencrypt/live/new.perot.org.il/privkey.pem
Certificate Name: perot.org.il
Domains: perot.org.il www.perot.org.il
Expiry Date: 2020-08-10 23:17:11+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/perot.org.il/fullchain.pem
Private Key Path: /etc/letsencrypt/live/perot.org.il/privkey.pem


root@ip-172-31-17-193:/etc/apache2#

The certs look good (no name overlap):

Certificate Name: new.perot.org.il
Domains: new.perot.org.il
Expiry Date: 2020-08-01 04:08:32+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/new.perot.org.il/fullchain.pem
Private Key Path: /etc/letsencrypt/live/new.perot.org.il/privkey.pem

Certificate Name: perot.org.il
Domains: perot.org.il www.perot.org.il
Expiry Date: 2020-08-10 23:17:11+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/perot.org.il/fullchain.pem
Private Key Path: /etc/letsencrypt/live/perot.org.il/privkey.pem

The renewal conf files look good too.
The problem must be in the vhost config files.

Please show this file:

and I don't know where the file is for this info (but we need to see it too):

cat /etc/apache2/sites-enabled/perot.org.il.conf

find / -name perot.org.il-le-ssl.conf

root@ip-172-31-17-193:/etc/apache2# ll /etc/apache2/sites-enabled/perot.org.il.conf
lrwxrwxrwx 1 root root 36 May 13 02:08 /etc/apache2/sites-enabled/perot.org.il.conf -> ../sites-available/perot.org.il.conf
root@ip-172-31-17-193:/etc/apache2#

root@ip-172-31-17-193:/etc/apache2# cat /etc/apache2/sites-enabled/perot.org.il.conf
<VirtualHost *:80>
ServerName perot.org.il
#ServerAlias www.perot.org.il
ServerAdmin shimon@dekel.me
DocumentRoot /var/www/html/drupal
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteEngine on
RewriteCond %{SERVER_NAME} =perot.org.il
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

vim: syntax=apache ts=4 sw=4 sts=4 sr noet

=================================
The file "perot.org.il-le-ssl.conf" is not there (The computer is still searching but I know it's not there)

The WWW is commented out.
Which explains why:

And any choices would fail.

oops! I corrected this but I can only retry this at night as the DNS now pointing to the old site
I will be able to retry in about 11 hours
What about the missing file?

I don't understand where it is and how it is being loaded.
But it should not be causing any problem.