Did not create a certificate for www

charveyjr · December 30, 2020, 2:00am

My domain is: smarthomeliving.org

I ran this command: sudo certbot --apache

It produced this output: certificate created

My web server is (include version):Debian 9 stretch

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Google Cloud

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No SSH

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I created a certificate for smarthomeliving.org but I did not create a cert for www.smarthomeliving.org

schoen · December 30, 2020, 2:05am

Hi @charveyjr,

The names suggested by certbot --apache depend on the names on your existing Apache VirtualHosts in your existing Apache configuration. If you don't have a ServerAlias for the www version of the name, Certbot won't realize that you would need that alias on your certificate.

If you add the appropriate ServerAlias to the relevant VirtualHost and then run Certbot again, you should be able to get a certificate for both names.

rg305 · December 30, 2020, 2:33am

Perhaps your wordpress also needs to understand that the site has two names (one with and one without the www).

http domain returns with:
HTTP/1.1 301 Moved Permanently - Location: https://smarthomeliving.org/
<p>The document has moved <a href="https://smarthomeliving.org/">here</a>.</p>
http www.domain returns with:
lots of content - a web page
https domain returns with:
lots of content - a secure web page
https www.domain returns with:
SSL ERROR - www name not in cert used.
But if you ignore the error message and continue...
You get lots of content - a insecure/secure web page

#1 is OK (redirects to #3)
#2 should redirect to HTTPS #4
#3 is where you want all to go - as this is the only GOOD and working secure site
#4 should redirect to #3 - but first needs its' name included in the cert

To fully correct this, you will need:

a cert with both names on it.
but that depends on the wordpress/apache configuration (as noted by @schoen)
proper redirection - you need to decide which will be the main site (with or without the www) and redirect the other three to that one.

charveyjr · December 30, 2020, 2:52am

I am working in Google Cloud. Do i need to remove certbot and then reinstall?

Or is there a file within SSH I need to change?

rg305 · December 30, 2020, 3:01am

The site shows WordPress.
I would assume you can make the changes within that.

schoen · December 30, 2020, 5:45am

I was assuming you would edit your Apache configuration files with a text editor (accessed over SSH) because that's the classic way of configuring Apache if you're using the command line to administer a server. But if WordPress is able to make equivalent configuration changes for you somehow, as @rg305 suggests, that sounds great.

charveyjr · December 30, 2020, 10:32am

Thanks

I went to /var/www/html/ and I looked at index.php and wp_config.php. There was nothing in these files that looked like where I add my www web address.

Osiris · December 30, 2020, 2:25pm

How do you manage/configure your Apache? I.e., how did you install your Wordpress site?

Also, could you paste the output of apachectl -S ?

charveyjr · December 31, 2020, 6:21am

I manage Apache though the SSH in the Google Cloud Console..

Installed wordpress through the Google Cloud implementation.

$ apachectl -S
-bash: apachectl: command not found

Osiris · December 31, 2020, 7:00am

Hmm, you're not using the Bitnami software stack by any chance?

charveyjr · December 31, 2020, 9:53pm

No, I had a hard time working with Bitnami

sahsanu · December 31, 2020, 12:38pm

Execute the command as root or use sudo.

charveyjr · December 31, 2020, 7:05pm

sudo apachectl -S
VirtualHost configuration:
*:443 smarthomeliving.org (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 smarthome-1-vm.us-central1-f.c.smarthomeliving.internal (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

rg305 · December 31, 2020, 10:53pm

That seems to be lacking:

The port 80 vhost config for SmartHomeLiving.org
The www ServerAlias for both 80 and 443

Seeing that the 443 is using the same named file (with -le-ssl), it would indicate that the name "SmartHomeLiving.org" did appear in that port 80 vhost config at the time LE was run.
Since then things have been changed (but have not made things better).

You need to have a working port 80 vhost config for both names.
You need to get a cert with both names on it.
[you can check which cert names you have covered now with: cerbot certificates]
You need to redirect three of the four sites to the one final destination.
Then you need to check that the renewals are functional with:
certbot renew --dry-run

Then you will certainly have a Happy New Year!
Cheers from Miami