Domain and sub-domains problem

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:e-synergisud.fr

I ran this command:certbot certificates

It produced this output:

....

Certificate Name: e-synergisud.fr
Domains: e-synergisud.fr dev.e-synergisud.fr devform.e-synergisud.fr devska.e-synergisud.fr formation.e-synergisud.fr formationca.e-synergisud.fr formationgeoplc.e-synergisud.fr formationlcaffb.e-synergisud.fr orgatour.e-synergisud.fr qai.e-synergisud.fr samse.e-synergisud.fr support.e-synergisud.fr www.e-synergisud.fr
Expiry Date: 2019-07-21 19:59:33+00:00 (VALID: 16 days)
…

My web server is (include version): apache2 all updates made

The operating system my web server runs on is (include version): ubuntu 16.04 all updates made

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): lastest

Hi,

All sub-domains update their certificate automatically, but the main domain does not : I’ll get an error and I think it is due to the list of sub-domains included with the domain itself, as I can see, some of them have been removed and do no more exist (bold ones).
As each sub-domain has it’s own key, how can I set up the main domain to not look after the sub-domains ? How can I remove them for it’s definition ?

Maybe I am doing things wrong here, should I only keep the main domain, but how do I integrate new sub-domains automatically then (all sub-domains have to be HTTPS)?

Many thanks in advance for your help and advises,
WBR,
Stéphane
PS it is the first time I am using any https certification…

2

Hi @steph38

first question: What’s your vHost configuration?

What says

apachectl -S

You have different options: One certificate with a lot of domain names used by different vHosts, one certificate per vHost.

3

Hi,

Here's the result of the command :

apachectl -S
AH00526: Syntax error on line 9 of /etc/apache2/sites-enabled/consult-e-syn-le-s sl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/e-synergisud.fr/fullchain.pem' d oes not exist or is empty
Action '-S' failed.
The Apache error log may have more information.

I would like that each site (domain or sub-domain) has it's own certificate...
Many thanks for your prompt help,
WBR
Stéphane

4

Run it as sudo or root.

5

General: Pick your list of vHosts.

Perhaps merge the list: Every combination of port and domain name should be unique.

If non-www and www use the same vHost, check, if the vHost has one domain name as ServerName, the other as ServerAlias.

Then create certificates:

certbot -d e-synergisud.fr -d www.e-synergisud.fr

certbot -d dev.e-synergisud.fr

so every vHost has it's own certificate.

In the end, the certificate with all domain names should not longer used.

Currently, you use it ( e-synergisud.fr - Make your website better - DNS, redirects, mixed content, certificates ):

CN=e-synergisud.fr
	22.04.2019
	21.07.2019
expires in 16 days	dev.e-synergisud.fr, devform.e-synergisud.fr, 
devska.e-synergisud.fr, e-synergisud.fr, formation.e-synergisud.fr, 
formationca.e-synergisud.fr, formationgeoplc.e-synergisud.fr, 
formationlcaffb.e-synergisud.fr, orgatour.e-synergisud.fr, 
qai.e-synergisud.fr, samse.e-synergisud.fr, 
support.e-synergisud.fr, www.e-synergisud.fr - 
13 entries

Then you can ignore it.

6

As an example…

If you create a certificate with:

sudo certbot --apache -d example.com -d eggs.example.com -d spam.example.com

Certbot would name it example.com and save it in /etc/letsencrypt/live/example.com/ by default.

To issue a new certificate without the name eggs.example.com and save it in the same place, you can use:

sudo certbot --apache --cert-name example.com -d example.com -d spam.example.com

It’s a bit tedious, but it only takes one command to replace the certificate with one with fewer names.

But you have to be careful not to drop anything you still need!

1 Like
7

Hi @JuergenAuer,

That's exactly what I have done but came up with a certificate for domain and all sub-domains when running it on e-synergisud.fr...

Yes I want to create a certificate for just the domain e-synergisud.fr and it's alias www.e-synergisud.fr and ignore the one with all sub-domains included, but how can this be done ?

Many thanks in advance for your help and advises,
WBR,
Stéphane

8

Hi @mnordhoff,

Thanks for that example, it is what I want to avoid as we create and delete some sub-domains very often, I'll prefer that each of the sub-domain has it's own certificate, It's in my opinion easier to manage, but maybe I am wrong...

Many thanks for your help,
WBR,
Stéphane

9

Please read my answer:

There are already the commands you need.

10

Many thanks @JuergenAuer !

If I understand right the "procedure", by creating a certificate only for the domain and it's alias with :

certbot -d e-synergisud.fr -d www.e-synergisud.fr

It will replace the one with all the sub-domains included ? Is that true ?

Thanks for your help !
WBR,
Stéphane

11

If the installation works, yes.

But all other places with the same certificate are unchanged.

Use online tools to check the result.

12

Apparently I have a problem... apache does not start...

Failed to start LSB: Apache2 web server.

Jul 08 10:20:37 localhost.localdomain systemd[1]: apache2.service: Unit entered failed state.
Jul 08 10:20:37 localhost.localdomain systemd[1]: apache2.service: Failed with result 'exit-code'.
Jul 08 10:20:37 localhost.localdomain sudo[16149]: pam_unix(sudo:session): session closed for user root
Jul 08 10:20:39 localhost.localdomain sshd[16168]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.72.254.71 user=root
Jul 08 10:20:41 localhost.localdomain sshd[16168]: Failed password for root from 61.72.254.71 port 45100 ssh2
Jul 08 10:20:41 localhost.localdomain sshd[16168]: Received disconnect from 61.72.254.71 port 45100:11: Normal Shutdown, Thank you for playing [preauth]
Jul 08 10:20:41 localhost.localdomain sshd[16168]: Disconnected from 61.72.254.71 port 45100 [preauth]
Jul 08 10:20:45 localhost.localdomain ntpd[835]: Soliciting pool server 2001:67c:1560:8003::c7
Jul 08 10:20:51 localhost.localdomain sshd[16170]: Invalid user spark from 193.70.87.215
Jul 08 10:20:51 localhost.localdomain sshd[16170]: input_userauth_request: invalid user spark [preauth]
Jul 08 10:20:51 localhost.localdomain sshd[16170]: pam_unix(sshd:auth): check pass; user unknown
Jul 08 10:20:51 localhost.localdomain sshd[16170]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.70.87.215
Jul 08 10:20:53 localhost.localdomain sshd[16170]: Failed password for invalid user spark from 193.70.87.215 port 43003 ssh2
Jul 08 10:20:53 localhost.localdomain sshd[16170]: Received disconnect from 193.70.87.215 port 43003:11: Bye Bye [preauth]
Jul 08 10:20:53 localhost.localdomain sshd[16170]: Disconnected from 193.70.87.215 port 43003 [preauth]

@JuergenAuer have you any idea, suggestion ?
Many thanks for your help and advises,
WBR,
Stéphane

13

Certbot created a entry like this : Certificate Name: e-synergisud.fr-0001 with the command you gave me.
After that I deleted the one with all sub-domains listed…

Restarted Apache server and the above mentioned error came out…
Again many thanks for your help,

WBR,
Stéphane

14

Why do you delete certificates Apache is using?

That's the reason Apache doesn't start. Now you have created a mess.

15

@JuergenAuer,

I agree I have a mess, but why creating separate certificates for all domain and sub-domains and at the end using the one who has all them in one certificate ?
Have I missed something ?

How can I resolve my problem now ?
Thanks in advance for your help and advises,
WBR,
Stéphane

16

Can I recreate the Apache config with :

sudo certbot --apache

command ?

Or should I go backwards and reedit all hosts to be as http: and then re-run the certbot certifications ?
Thanks in advance for your help and advises,
WBR,
Stéphane

17

Or maybe use Matt's @mnordhoff command to recreate the whole certification ?

Thanks for your help and advises,
WBR,
Stéphane

18

???

Please learn the basics about Apache configurations.

https://httpd.apache.org/docs/

Then learn the basics about Letsencrypt.

19

@JuergenAuer

I understand what you mean... maybe I'm not that fluent in English as I thought...

My site were on production, I am looking for a solution to get them online again, if I could find a quick one, great, if not let's go and put the hand into the mud... but, just, I do not know how I could do it and that's were I need your gentle help if you don't mind.

To review what I have :

  • Each domain or sub-domain has it's own certificate
    I have run the command : sudo apachectl -t and got as a result following :

AH00526: Syntax error on line 9 of /etc/apache2/sites-enabled/dev-e-syn-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/e-synergisud.fr/fullchain.pem' does not exist or is empty

edited the concerned file and added the "-0001" (own certificate name e-synergisud.fr-0001) in the links.

This does not resolve my problem...

What is exactly my problem ?

Many thanks for your help and advises,
WBR,
Stéphane

20

The command

sudo certbot certificates
returned :
Found the following certs:
Certificate Name: consultant.e-synergisud.fr
Domains: consultant.e-synergisud.fr
Expiry Date: 2019-09-18 20:46:03+00:00 (VALID: 72 days)
...
Certificate Name: dev.e-synergisud.fr
Domains: dev.e-synergisud.fr
Expiry Date: 2019-09-18 20:46:14+00:00 (VALID: 72 days)
...
Certificate Name: devform.e-synergisud.fr
Domains: devform.e-synergisud.fr
Expiry Date: 2019-09-18 20:46:27+00:00 (VALID: 72 days)
...
Certificate Name: devska.e-synergisud.fr
Domains: devska.e-synergisud.fr
Expiry Date: 2019-09-18 20:46:38+00:00 (VALID: 72 days)
...
Certificate Name: e-synergisud.fr-0001
Domains: e-synergisud.fr www.e-synergisud.fr
Expiry Date: 2019-10-06 07:06:25+00:00 (VALID: 89 days)
...
Certificate Name: formation.e-synergisud.fr
Domains: formation.e-synergisud.fr
Expiry Date: 2019-09-18 20:46:50+00:00 (VALID: 72 days)
...
Certificate Name: qai.e-synergisud.fr
Domains: qai.e-synergisud.fr
Expiry Date: 2019-09-18 20:47:29+00:00 (VALID: 72 days)
...
Certificate Name: support.e-synergisud.fr
Domains: support.e-synergisud.fr
Expiry Date: 2019-09-28 19:45:28+00:00 (VALID: 82 days)

So, each domain, sub-domain has it's own certificate
I've corrected the path in the file where I got the error :

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/e-synergisud.fr-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/e-synergisud.fr-0001/privkey.pem

But Apache does still not start...

Forgot to say that each domain, sub-domain has it's own virtual host file for SSL automatically created by certbot.

What am I missing ?

Thanks in advance for your help and advises,
WBR,
Stéphane