Problem
My FQDN is dediserve1.jhalbrecht.net. In Chrome and Edge, the A record https://dediserve1.jhalbrecht.net gives a "not secure" message, while the CNAME https://www.dediserve1.jhalbrecht.net does not.
Additional background
FWIW, I use this key for Postfix and Dovecot without error.
The virtual domains that are not this FQDN host work as expected. For instance https://rodaw.info and https://www.rodaw.info
I’m bringing up a new VM, the one documented here, to replace an old CentOS 6 VM that didn’t have https etc… So while dediserve1 is technically in production, these aren’t my main services. I’d like to get it right before I move over my main sites.
FWIW, there are A and CNAME records on the current, soon-to-be-old CentOS 6 site in the jhalbrecht.net domain.
[root@dediserve1 sites.d]# dig www.jhalbrecht.net
[...]
;; ANSWER SECTION:
www.jhalbrecht.net. 300 IN CNAME dediserve0.jhalbrecht.net.
dediserve0.jhalbrecht.net. 300 IN A 96.8.126.101
cert
https://crt.sh/?q=dediserve1.jhalbrecht.net
versions
certbot 0.20.0
CentOS Linux release 7.4.1708 (Core)
[root@dediserve1 ~]# httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built: Oct 19 2017 20:39:16
[root@dediserve1 ~]#
dig
[root@dediserve1 ~]# dig www.dediserve1.jhalbrecht.net
[...]
;; ANSWER SECTION:
www.dediserve1.jhalbrecht.net. 300 IN CNAME dediserve1.jhalbrecht.net.
dediserve1.jhalbrecht.net. 300 IN A 96.8.127.20
[root@dediserve1 ~]#
[root@dediserve1 ~]# dig -x 96.8.127.20
[...]
;; ANSWER SECTION:
20.127.8.96.in-addr.arpa. 1871 IN PTR dediserve1.jhalbrecht.net.
[...]
[root@dediserve1 ~]#
certbot
[root@dediserve1 ~]# certbot --version
certbot 0.20.0
[root@dediserve1 ~]# certbot --authenticator standalone --installer apache \
-d dediserve1.jhalbrecht.net -d www.dediserve1.jhalbrecht.net \
-d flashmobmashup.com -d www.flashmobmashup.com \
-d flashmobmashup.net -d www.flashmobmashup.net \
-d wiki.rodaw.com \
-d rodaw.info -d www.rodaw.info \
--pre-hook "systemctl stop httpd" --post-hook "systemctl start httpd"
[root@dediserve1 ~]#
dediserve1.jhalbrecht.net.conf
[root@dediserve1 sites.d]# cat dediserve1.jhalbrecht.net.conf
<VirtualHost *:80>
ServerName dediserve1.jhalbrecht.net
ServerAlias www.dediserve1.jhalbrecht.net
# ServerName www.dediserve1.jhalbrecht.net
# ServerAlias dediserve1.jhalbrecht.net
DocumentRoot /var/www/html
# DocumentRoot /var/www/dediserve1.jhalbrecht.net
CustomLog /var/log/httpd/dediserve1.jhalbrecht.net_access.log combined
ErrorLog /var/log/httpd/dediserve1.jhalbrecht.net_error.log
#RewriteEngine on
#RewriteCond %{SERVER_NAME} =www.dediserve1.jhalbrecht.net [OR]
#RewriteCond %{SERVER_NAME} =dediserve1.jhalbrecht.net
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
[root@dediserve1 sites.d]#
dediserve1.jhalbrecht.net-le-ssl.conf
[root@dediserve1 sites.d]# cat dediserve1.jhalbrecht.net-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
# ServerName dediserve1.jhalbrecht.net
# ServerAlias www.dediserve1.jhalbrecht.net
ServerName www.dediserve1.jhalbrecht.net
ServerAlias dediserve1.jhalbrecht.net
DocumentRoot /var/www/html
# DocumentRoot /var/www/dediserve1.jhalbrecht.net
CustomLog /var/log/httpd/dediserve1.jhalbrecht.net_access.log combined
ErrorLog /var/log/httpd/dediserve1.jhalbrecht.net_error.log
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/dediserve1.jhalbrecht.net/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dediserve1.jhalbrecht.net/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/dediserve1.jhalbrecht.net/chain.pem
</VirtualHost>
</IfModule>
[root@dediserve1 sites.d]#
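A way to see what each name is actually served, added here as an example (not part of the original post): it connects once per hostname with that name as SNI, validates the way a browser does, and reports either the verification error or the DNS SANs in the certificate. `EXPECTED_SANS` is constructed from the `-d` options in the certbot command above, and the function names are this example's own.

```python
import socket
import ssl

# Constructed from the -d options in the certbot command on this page.
EXPECTED_SANS = [
    "dediserve1.jhalbrecht.net", "www.dediserve1.jhalbrecht.net",
    "flashmobmashup.com", "www.flashmobmashup.com",
    "flashmobmashup.net", "www.flashmobmashup.net",
    "wiki.rodaw.com", "rodaw.info", "www.rodaw.info",
]

def san_matches(hostname, san_dns_names):
    """True if hostname is covered by a DNS SAN (exact or one-label wildcard)."""
    host = hostname.lower().rstrip(".")
    for san in san_dns_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False

def probe(hostname, port=443, timeout=5.0):
    """Handshake with SNI=hostname and full validation.
    Returns (ok, detail): the served DNS SANs on success, the error text otherwise."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message   # e.g. hostname mismatch, untrusted issuer
    except OSError as exc:
        return False, "connection failed: %s" % exc
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return san_matches(hostname, sans), sans

def failing(names, probe_fn=probe):
    """Map each name that does not validate to the reason it failed."""
    results = {name: probe_fn(name) for name in names}
    return {name: detail for name, (ok, detail) in results.items() if not ok}

if __name__ == "__main__":
    for name, why in failing(EXPECTED_SANS[:2]).items():
        print(name, "->", why)
```

A name that fails here while its `www` sibling passes is being answered with a different certificate, which narrows the search to which `*:443` virtual host Apache selects for that name.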