Confused - Certificate Name Mismatch after installing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.collegiansfc.org and collegiansfc.org

I ran this command: When I open a browser to both of the domains I get an exception on the certificates. When I do a check on SSL Labs I am told that the Certificate Names Mismatch for the domain collegiansfc.org, but I get no errors at all for the domain www.collegiansfc.org.

It produced this output:

My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
LSB Version: core-11.1.0ubuntu4-noarch:security-11.1.0ubuntu4-noarch
Distributor ID: Ubuntu
Description: Ubuntu 22.04.3 LTS
Release: 22.04
Codename: jammy

My hosting provider, if applicable, is:
Dedicated server with Rochen.

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No, I am doing everything on the commandline.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

This is very confusing. At first when I first set the site up I had an issue installing the certificate, but after resolving the DNS issues I managed to install the certificates for both domains successfully, but I do not see the results in any browsers.

Any feedback would be much appreciated.
Thanks
Lawrence

1 Like

Hello @lslamp, welcome to the Let's Encrypt community. :slightly_smiling_face:

Here is a list of issued certificates: crt.sh | collegiansfc.org. Please look at the list.

For the domain name www.collegiansfc.org the correct certificate is being served https://decoder.link/sslchecker/www.collegiansfc.org/443

For the domain name collegiansfc.org an incorrect certificate is being served https://decoder.link/sslchecker/collegiansfc.org/443

It is possible (and often done) to use a single certificate that handles both domain names.

1 Like

Check Getting Started - Let's Encrypt
and https://certbot.eff.org/ and Certbot Instructions | Certbot.
And here Certbot 2.8.0 Release

1 Like

Please show the output of the following command:

sudo certbot certificates
3 Likes

@Osiris
Thanks for the feedback.

Below is the output.


Found the following certs:
Certificate Name: collegiansfc.org
Serial Number: 3d6fb7956f30820626e1159439932d3cd7c
Key Type: RSA
Domains: collegiansfc.org
Expiry Date: 2024-03-07 16:47:04+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/collegiansfc.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/collegiansfc.org/privkey.pem
Certificate Name: www.collegiansfc.org
Serial Number: 3d9252e1fae17657849eb67a7cf7551fe29
Key Type: RSA
Domains: www.collegiansfc.org
Expiry Date: 2024-03-07 16:49:20+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/www.collegiansfc.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.collegiansfc.org/privkey.pem


@Bruce5051
Thanks for the reply, but if that is the case, why can I not see the certificate if I load www.collegiansfc.org into a browser?

Lawrence

1 Like

Hi @lslamp, you have been issued certificates for collegiansfc.org and www.collegiansfc.org; I suspect you are serving the same certificate (the one for www.collegiansfc.org) from your webserver for both domain names.

Each domain name needs to be on the certificate being served for it. One can have a certificate that contains both collegiansfc.org and www.collegiansfc.org and then the same certificate can be served for both (I like this method best).

1 Like

Works fine.

$ curl -Ii https://www.collegiansfc.org
HTTP/1.1 410 Gone
Server: nginx
Date: Sun, 10 Dec 2023 01:01:35 GMT
Content-Type: text/html
Content-Length: 136
Connection: keep-alive

Not ignoring SSL errors; fails.

$ curl -Ii https://collegiansfc.org
curl: (60) SSL: no alternative certificate subject name matches target host name 'collegiansfc.org'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Ignoring SSL errors, as expected, works.

$ curl -k -Ii https://collegiansfc.org
HTTP/1.1 410 Gone
Server: nginx
Date: Sun, 10 Dec 2023 01:01:47 GMT
Content-Type: text/html
Content-Length: 136
Connection: keep-alive

And the certificate being served working fine for www.collegiansfc.org

$ openssl s_client -showcerts -servername www.collegiansfc.org -connect www.collegiansfc.org:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.collegiansfc.org
verify return:1
---
Certificate chain
 0 s:CN = www.collegiansfc.org
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec  8 16:49:21 2023 GMT; NotAfter: Mar  7 16:49:20 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
subject=CN = www.collegiansfc.org
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4529 bytes and written 402 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE

And now the certificate being served, FAILing for collegiansfc.org; note CN = www.collegiansfc.org

$ openssl s_client -showcerts -servername collegiansfc.org -connect collegiansfc.org:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.collegiansfc.org
verify return:1
---
Certificate chain
 0 s:CN = www.collegiansfc.org
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec  8 16:49:21 2023 GMT; NotAfter: Mar  7 16:49:20 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
subject=CN = www.collegiansfc.org
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4529 bytes and written 398 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
2 Likes

Hi @lslamp,

Using the online tool https://www.redirect-checker.org/ with an input of https://www.collegiansfc.org
We see https://www.collegiansfc.org being redirected to https://collegiansfc.org, which causes the error since https://collegiansfc.org is presently serving a certificate that does not have collegiansfc.org in it and is therefore failing.

2 Likes

The redirection is kind of amusing, as this is a typical test for Palo Alto Firewall failing test.

No Redirection happening here.

$ curl -Ii https://www.collegiansfc.org
HTTP/1.1 410 Gone
Server: nginx
Date: Sun, 10 Dec 2023 01:19:00 GMT
Content-Type: text/html
Content-Length: 136
Connection: keep-alive

Being Redirected!

$ curl -Ii https://www.collegiansfc.org -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sun, 10 Dec 2023 01:19:02 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Redirect-By: WordPress
Location: https://collegiansfc.org/
2 Likes

If your web service is using one single vhost for both names, then it will need one single cert with both names on it.

As it stands, the names are on two separate certs.
The web server would need two separate vhosts for each one to serve a name covered by its cert.

3 Likes

It's probably a good idea to combine both hostnames in a single certificate. We haven't seen your nginx configuration yet, but I'm guessing you have both names configured in a single server block with one of the two certs, therefore missing the other hostname in the certificate. Combining the two hostnames into a single one and using that cert makes things a lot easier.

If you expand one of the two certificates to a cert with both hostnames and only use that expanded certificate, don't forget to remove the other certificate which is left over with just a single hostname.

3 Likes
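An offline version of the check the replies above perform by hand, added here as an example (not code from the thread or from Certbot): it compares each nginx TLS server block's `server_name` list with the names on the certificate its `ssl_certificate` points to. The sample config and `certbot certificates` output are constructed from the values posted in this thread, and all function names are hypothetical.

```python
import re

# Constructed sample modelled on the `certbot certificates` output in this thread.
CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: collegiansfc.org
    Domains: collegiansfc.org
    Certificate Path: /etc/letsencrypt/live/collegiansfc.org/fullchain.pem
  Certificate Name: www.collegiansfc.org
    Domains: www.collegiansfc.org
    Certificate Path: /etc/letsencrypt/live/www.collegiansfc.org/fullchain.pem
"""

# Constructed: the same lineage after both names are put on one certificate.
CERTBOT_OUTPUT_COMBINED = """\
Found the following certs:
  Certificate Name: www.collegiansfc.org
    Domains: www.collegiansfc.org collegiansfc.org
    Certificate Path: /etc/letsencrypt/live/www.collegiansfc.org/fullchain.pem
"""

# Constructed, cut-down nginx config: one vhost, two names, one single-name cert.
NGINX_CONF = """\
server {
    listen 443 ssl; # managed by Certbot
    server_name collegiansfc.org www.collegiansfc.org;
    location / { try_files $uri $uri/ =404; }
    ssl_certificate /etc/letsencrypt/live/www.collegiansfc.org/fullchain.pem; # managed by Certbot
}
"""


def parse_certbot_certificates(text):
    """Map each Certificate Path to the list of names on that certificate."""
    certs, domains = {}, []
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Domains":
            domains = value.split()
        elif key == "Certificate Path":
            certs[value.strip()] = domains
    return certs


def server_blocks(conf):
    """Yield the body of each `server { ... }` block.

    Minimal brace counter: assumes '#' only starts comments and that braces
    are balanced (a simplification of real nginx syntax).
    """
    conf = re.sub(r"#.*", "", conf)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]


def directive(block, name):
    """Return the arguments of the first `name ...;` directive in a block."""
    m = re.search(rf"^\s*{re.escape(name)}\s+([^;]+);", block, re.MULTILINE)
    return m.group(1).split() if m else []


def name_matches(host, san):
    """Exact match, or a `*.` wildcard covering exactly one left-most label."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return host == san


def uncovered_names(conf, certbot_text):
    """List (hostname, cert_path) pairs where a TLS vhost serves a cert lacking that name."""
    certs = parse_certbot_certificates(certbot_text)
    problems = []
    for block in server_blocks(conf):
        cert_path = directive(block, "ssl_certificate")
        if not cert_path:
            continue  # plain-HTTP vhost, no certificate to check
        sans = certs.get(cert_path[0], [])
        for host in directive(block, "server_name"):
            if not any(name_matches(host, san) for san in sans):
                problems.append((host, cert_path[0]))
    return problems


if __name__ == "__main__":
    for host, path in uncovered_names(NGINX_CONF, CERTBOT_OUTPUT):
        print(f"{host}: not on the certificate at {path}")
```

The wildcard branch also shows why a `*.collegiansfc.org` certificate alone would not cover the bare `collegiansfc.org` name.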

@Osiris
I am very new to understanding how and what for SSL, web server and domain names. So please forgive my strange questions.

I was also a little apprehensive about sharing my nginx config file for the domain. I have decided that it will do more good than bad, so here is my collegiansfc.conf file.

server {

    root             /var/www/html/collegiansfc.org/public_html;

    if ($host = www.collegiansfc.org) {
            return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = collegiansfc.org) {
            return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($http_user_agent)) { return 403; }
    if ($http_user_agent ~* (MauiBot|MJ12bot|SEMrushBot|AhrefsBot)) { return 403; }

    listen 80;
    listen [::]:80;

    server_name collegiansfc.org www.collegiansfc.org;

    return 301 https://$host$request_uri;

    access_log /var/www/html/collegiansfc.org/logs/access.log;
    error_log /var/www/html/collegiansfc.org/logs/error.log;

    if ($http_user_agent ~* (SiteLockSpider|360Spider|80legs.com|Abonti|AcoonBot|Acunetix|adbeat_bot|AddThis.com|adidxbot|ADmantX|AhrefsBot|AngloINFO|Antelope|Applebot|BaiduSpider|BeetleBot|billigerbot|binlar|bitlybot|BlackWidow|BLP_bbot|BoardReader|Bolt\ 0|BOT\ for\ JCE|Bot\ mailto\:craftbot@yahoo\.com|casper|CazoodleBot|CCBot|checkprivacy|ChinaClaw|chromeframe|Clerkbot|Cliqzbot|clshttp|CommonCrawler|comodo|CPython|crawler4j|Crawlera|CRAZYWEBCRAWLER|Curious|Curl|Custo|CWS_proxy|Default\ Browser\ 0|diavol|DigExt|Digincore|DIIbot|discobot|DISCo|DoCoMo|DotBot|Download\ Demon|DTS.Agent|EasouSpider|eCatch|ecxi|EirGrabber|Elmer|EmailCollector|EmailSiphon|EmailWolf|Exabot|ExaleadCloudView|ExpertSearchSpider|ExpertSearch|Express\ WebPictures|ExtractorPro|extract|EyeNetIE|Ezooms|F2S|FastSeek|feedfinder|FeedlyBot|FHscan|finbot|Flamingo_SearchEngine|FlappyBot|FlashGet|flicky|Flipboard|g00g1e|Genieo|genieo|GetRight|GetWeb\!|GigablastOpenSource|GozaikBot|Go\!Zilla|Go\-Ahead\-Got\-It|GrabNet|grab|Grafula|GrapeshotCrawler|GTB5|GT\:\:WWW|Guzzle|harvest|heritrix|HMView|HomePageBot|HTTP\:\:Lite|HTTrack|HubSpot|ia_archiver|icarus6|IDBot|id\-search|IlseBot|Image\ Stripper|Image\ Sucker|Indigonet|Indy\ Library|integromedb|InterGET|InternetSeer\.com|Internet\ Ninja|IRLbot|ISC\ Systems\ iRc\ Search\ 2\.1|jakarta|Java|JetCar|JobdiggerSpider|JOC\ Web\ Spider|Jooblebot|kanagawa|KINGSpider|kmccrew|larbin|LeechFTP|libwww|Lingewoud|LinkChecker|linkdexbot|LinksCrawler|LinksManager\.com_bot|linkwalker|LinqiaRSSBot|LivelapBot|ltx71|LubbersBot|lwp\-trivial|Mail.RU_Bot|masscan|Mass\ Downloader|maverick|Maxthon$|Mediatoolkitbot|MegaIndex|MegaIndex|megaindex|MFC_Tear_Sample|Microsoft\ URL\ Control|microsoft\.url|MIDown\ tool|miner|Missigua\ Locator|Mister\ PiX|mj12bot|Mozilla.*Indy|Mozilla.*NEWT|MSFrontPage|msnbot|Navroad|NearSite|NetAnts|netEstate|NetSpider|NetZIP|Net\ Vampire|NextGenSearchBot|nutch|Octopus|Offline\ Explorer|Offline\ 
Navigator|OpenindexSpider|OpenWebSpider|OrangeBot|Owlin|PageGrabber|PagesInventory|panopta|panscient\.com|Papa\ Foto|pavuk|pcBrowser|PECL\:\:HTTP|PeoplePal|Photon|PHPCrawl|planetwork|PleaseCrawl|PNAMAIN.EXE|PodcastPartyBot|prijsbest|proximic|psbot|purebot|pycurl|QuerySeekerSpider|R6_CommentReader|R6_FeedFetcher|RealDownload|ReGet|Riddler|Rippers\ 0|rogerbot|RSSingBot|rv\:1.9.1|RyzeCrawler|SafeSearch|SBIder|Scrapy|Scrapy|Screaming|SeaMonkey$|search.goo.ne.jp|SearchmetricsBot|search_robot|SemrushBot|Semrush|SentiBot|SEOkicks|SeznamBot|ShowyouBot|SightupBot|SISTRIX|sitecheck\.internetseer\.com|siteexplorer.info|SiteSnagger|skygrid|Slackbot|Slurp|SmartDownload|Snoopy|Sogou|Sosospider|spaumbot|Steeler|sucker|SuperBot|Superfeedr|SuperHTTP|SurdotlyBot|Surfbot|tAkeOut|Teleport\ Pro|TinEye-bot|TinEye|Toata\ dragostea\ mea\ pentru\ diavola|Toplistbot|trendictionbot|TurnitinBot|turnit|Twitterbot|URI\:\:Fetch|urllib|Vagabondo|Vagabondo|vikspider|VoidEYE|VoilaBot|WBSearchBot|webalta|WebAuto|WebBandit|WebCollage|WebCopier|WebFetch|WebGo\ IS|WebLeacher|WebReaper|WebSauger|Website\ eXtractor|Website\ Quester|WebStripper|WebWhacker|WebZIP|Web\ Image\ Collector|Web\ Sucker|Wells\ Search\ II|WEP\ Search|WeSEE|Wget|Widow|WinInet|woobot|woopingbot|worldwebheritage.org|Wotbox|WPScan|WWWOFFLE|WWW\-Mechanize|Xaldon\ WebSpider|XoviBot|yacybot|Yahoo|YandexBot|Yandex|YisouSpider|zermelo|Zeus|zh-CN|ZmEu|ZumBot|ZyBorg|Twenga|TwengaBot) ) {
    return 410;

}

}

server {
if ($http_user_agent)) { return 403; }
if ($http_user_agent ~* (MauiBot|MJ12bot|SEMrushBot|AhrefsBot)) { return 403; }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot

    root             /var/www/html/collegiansfc.org/public_html;

    index index.php index.html index.htm index.nginx-debian.html;

    server_name collegiansfc.org www.collegiansfc.org;

    access_log /var/www/html/collegiansfc.org/logs/access.log compression;
    error_log /var/www/html/collegiansfc.org/logs/error.log;

    include /etc/nginx/snippets/blockips.conf;
    include /etc/nginx/snippets/whitelist.conf;

    if ($http_user_agent ~* (SiteLockSpider|360Spider|80legs.com|Abonti|AcoonBot|Acunetix|adbeat_bot|AddThis.com|adidxbot|ADmantX|AhrefsBot|AngloINFO|Antelope|Applebot|BaiduSpider|BeetleBot|billigerbot|binlar|bitlybot|BlackWidow|BLP_bbot|BoardReader|Bolt\ 0|BOT\ for\ JCE|Bot\ mailto\:craftbot@yahoo\.com|casper|CazoodleBot|CCBot|checkprivacy|ChinaClaw|chromeframe|Clerkbot|Cliqzbot|clshttp|CommonCrawler|comodo|CPython|crawler4j|Crawlera|CRAZYWEBCRAWLER|Curious|Curl|Custo|CWS_proxy|Default\ Browser\ 0|diavol|DigExt|Digincore|DIIbot|discobot|DISCo|DoCoMo|DotBot|Download\ Demon|DTS.Agent|EasouSpider|eCatch|ecxi|EirGrabber|Elmer|EmailCollector|EmailSiphon|EmailWolf|Exabot|ExaleadCloudView|ExpertSearchSpider|ExpertSearch|Express\ WebPictures|ExtractorPro|extract|EyeNetIE|Ezooms|F2S|FastSeek|feedfinder|FeedlyBot|FHscan|finbot|Flamingo_SearchEngine|FlappyBot|FlashGet|flicky|Flipboard|g00g1e|Genieo|genieo|GetRight|GetWeb\!|GigablastOpenSource|GozaikBot|Go\!Zilla|Go\-Ahead\-Got\-It|GrabNet|grab|Grafula|GrapeshotCrawler|GTB5|GT\:\:WWW|Guzzle|harvest|heritrix|HMView|HomePageBot|HTTP\:\:Lite|HTTrack|HubSpot|ia_archiver|icarus6|IDBot|id\-search|IlseBot|Image\ Stripper|Image\ Sucker|Indigonet|Indy\ Library|integromedb|InterGET|InternetSeer\.com|Internet\ Ninja|IRLbot|ISC\ Systems\ iRc\ Search\ 2\.1|jakarta|Java|JetCar|JobdiggerSpider|JOC\ Web\ Spider|Jooblebot|kanagawa|KINGSpider|kmccrew|larbin|LeechFTP|libwww|Lingewoud|LinkChecker|linkdexbot|LinksCrawler|LinksManager\.com_bot|linkwalker|LinqiaRSSBot|LivelapBot|ltx71|LubbersBot|lwp\-trivial|Mail.RU_Bot|masscan|Mass\ Downloader|maverick|Maxthon$|Mediatoolkitbot|MegaIndex|MegaIndex|megaindex|MFC_Tear_Sample|Microsoft\ URL\ Control|microsoft\.url|MIDown\ tool|miner|Missigua\ Locator|Mister\ PiX|mj12bot|Mozilla.*Indy|Mozilla.*NEWT|MSFrontPage|msnbot|Navroad|NearSite|NetAnts|netEstate|NetSpider|NetZIP|Net\ Vampire|NextGenSearchBot|nutch|Octopus|Offline\ Explorer|Offline\ 
Navigator|OpenindexSpider|OpenWebSpider|OrangeBot|Owlin|PageGrabber|PagesInventory|panopta|panscient\.com|Papa\ Foto|pavuk|pcBrowser|PECL\:\:HTTP|PeoplePal|Photon|PHPCrawl|planetwork|PleaseCrawl|PNAMAIN.EXE|PodcastPartyBot|prijsbest|proximic|psbot|purebot|pycurl|QuerySeekerSpider|R6_CommentReader|R6_FeedFetcher|RealDownload|ReGet|Riddler|Rippers\ 0|rogerbot|RSSingBot|rv\:1.9.1|RyzeCrawler|SafeSearch|SBIder|Scrapy|Scrapy|Screaming|SeaMonkey$|search.goo.ne.jp|SearchmetricsBot|search_robot|SemrushBot|Semrush|SentiBot|SEOkicks|SeznamBot|ShowyouBot|SightupBot|SISTRIX|sitecheck\.internetseer\.com|siteexplorer.info|SiteSnagger|skygrid|Slackbot|Slurp|SmartDownload|Snoopy|Sogou|Sosospider|spaumbot|Steeler|sucker|SuperBot|Superfeedr|SuperHTTP|SurdotlyBot|Surfbot|tAkeOut|Teleport\ Pro|TinEye-bot|TinEye|Toata\ dragostea\ mea\ pentru\ diavola|Toplistbot|trendictionbot|TurnitinBot|turnit|Twitterbot|URI\:\:Fetch|urllib|Vagabondo|Vagabondo|vikspider|VoidEYE|VoilaBot|WBSearchBot|webalta|WebAuto|WebBandit|WebCollage|WebCopier|WebFetch|WebGo\ IS|WebLeacher|WebReaper|WebSauger|Website\ eXtractor|Website\ Quester|WebStripper|WebWhacker|WebZIP|Web\ Image\ Collector|Web\ Sucker|Wells\ Search\ II|WEP\ Search|WeSEE|Wget|Widow|WinInet|woobot|woopingbot|worldwebheritage.org|Wotbox|WPScan|WWWOFFLE|WWW\-Mechanize|Xaldon\ WebSpider|XoviBot|yacybot|Yahoo|YandexBot|Yandex|YisouSpider|zermelo|Zeus|zh-CN|ZmEu|ZumBot|ZyBorg|Twenga|TwengaBot) ) {
return 410;

}

    location / {

            try_files $uri $uri/ =404;
    }

    location = /basic_status {
            stub_status on;
            access_log off;
            allow 127.0.0.1;
            # only allow access from 192.168.1.5 #
            allow 81.172.220.38; # Office Access #
            allow 83.128.128.103; # Home Access #
            deny all;
    }

    location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    }

            ## Block SQL injections
            set $block_sql_injections 0;
            if ($query_string ~ "union.*select.*\(") {
                set $block_sql_injections 1;
            }
            if ($query_string ~ "union.*all.*select.*") {
                set $block_sql_injections 1;
            }
            if ($query_string ~ "concat.*\(") {
                set $block_sql_injections 1;
            }
            if ($block_sql_injections = 1) {
                return 403;
            }

            ## Block file injections
            set $block_file_injections 0;
            if ($query_string ~ "[a-zA-Z0-9_]=http://") {
                set $block_file_injections 1;
            }
            if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
                set $block_file_injections 1;
            }
            if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
                set $block_file_injections 1;
            }
            if ($block_file_injections = 1) {
                return 403;
            }

            ## Block common exploits
            set $block_common_exploits 0;
            if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
                set $block_common_exploits 1;
            }
            if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
                set $block_common_exploits 1;
            }
            if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
                set $block_common_exploits 1;
            }
            if ($query_string ~ "proc/self/environ") {
                set $block_common_exploits 1;
            }
            if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
                set $block_common_exploits 1;
            }
            if ($query_string ~ "base64_(en|de)code\(.*\)") {
                set $block_common_exploits 1;
            }
            if ($block_common_exploits = 1) {
                return 403;
            }

            ## Block spam
            set $block_spam 0;
            if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
                set $block_spam 1;
            }
            if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
                set $block_spam 1;
            }
            if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
                set $block_spam 1;
            }
            if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
                set $block_spam 1;
            }
            if ($block_spam = 1) {
                return 403;
            }

            ## Block user agents
            set $block_user_agents 0;

            # Don't disable wget if you need it to run cron jobs!
            #if ($http_user_agent ~ "Wget") {
            #    set $block_user_agents 1;
            #}

            # Disable Akeeba Remote Control 2.5 and earlier
            if ($http_user_agent ~ "Indy Library") {
                set $block_user_agents 1;
            }

            # Common bandwidth hoggers and hacking tools.

            if ($http_user_agent ~ "libwww-perl") {
                set $block_user_agents 1;
            }
            if ($http_user_agent ~ "GetRight") {
                set $block_user_agents 1;
            }
            if ($http_user_agent ~ "GetWeb!") {
                set $block_user_agents 1;
            }
            if ($http_user_agent ~ "Go!Zilla") {
                set $block_user_agents 1;
            }
            if ($http_user_agent ~ "Download Demon") {
                set $block_user_agents 1;
            }
            if ($http_user_agent ~ "Go-Ahead-Got-It") {
                set $block_user_agents 1;
            }
            if ($http_user_agent ~ "TurnitinBot") {
                set $block_user_agents 1;
            }
            if ($http_user_agent ~ "GrabNet") {
                set $block_user_agents 1;
            }

            if ($block_user_agents = 1) {
                return 403;
            }

            ssl_certificate /etc/letsencrypt/live/www.collegiansfc.org/fullchain.pem; # managed by Certbot
            ssl_certificate_key /etc/letsencrypt/live/www.collegiansfc.org/privkey.pem; # managed by Certbot
            include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
            ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

I also do really understand what you said about merging the two domains under a single certificate. Only I do not know how to merge them successfully.

Thanks in advance for your advice and guidance.

The process I followed was, on the web server I ran the command certbot -v. I am then prompted with all the domains that I have listed under nginx. In the list both domains are shown separately, so option 1 is www.collegiansfc.org and option 2 is collegiansfc.org.
I went and ran the first and second options.
How can I merge the two domains under a single certificate?
Lawrence

@Bruce5051
Thanks for your advice. Thinking about what you said. ... Is it this part of my config that is causing the issue?

    if ($host = www.collegiansfc.org) {
            return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = collegiansfc.org) {
            return 301 https://$host$request_uri;
    } # managed by Certbot

How can I have them both be forced to https without changing the domain placed into the browser?
Thanks
Lawrence

Select both hostnames when asked. Or just don't enter any number at all: that way Certbot will request all available hostnames at the same time.

2 Likes

These two lines:

are already doing what these two sections are doing:

You don't really need to do it both ways.

2 Likes

@Bruce5051
I have deleted both certificates and tried to create a new certificate with both domains listed but this did not work.
I see the following.
Certificate Name: www.collegiansfc.org
Serial Number: 4a1c83c45fd693a24e37db36828d0b0aa21
Key Type: RSA
Domains: www.collegiansfc.org
Expiry Date: 2024-03-09 19:31:37+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.collegiansfc.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.collegiansfc.org/privkey.pem

But how can I add the domain collegiansfc.org to the same certificate for www.collegiansfc.org?

If I run certbot -v I do not get an option to process two domains for the same certificate.

Is there a command that I can use to add both domains to the same certificate?
Thanks
Lawrence

Why did you mark your last post as the solution?

3 Likes

Everyone.

Thank you for responding and providing advice.
I have now sorted this out.

I ran the following commands and it resolved my issue.
certbot delete -d www.collegiansfc.org

I then ran

certbot -d www.collegiansfc.org -d collegiansfc.org

This solved my problem.

Certificate Name: www.collegiansfc.org
Serial Number: 4d355120478065456a93781780de0c35561
Key Type: RSA
Domains: www.collegiansfc.org collegiansfc.org
Expiry Date: 2024-03-09 23:39:46+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.collegiansfc.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.collegiansfc.org/privkey.pem

Thanks again.

2 Likes

I solved the issue myself. So I thought I would solve it and say what I did to resolve my issue.

Lawrence