Dry Run Fails when I audit under FreeBSD 14.2

This is not what I see. I'm flying right now. Will look. Some more in the morning. If I want to use SSL on my mail server, I assume I should add that domain to the vhosts file?

OK, real keyboard and monitor.

Here is my https-vhosts.conf:

#Listen 80
<VirtualHost *:80>
    ServerAdmin admin@theoceanwindow.com
    DocumentRoot "/usr/local/www/kasdivi.com"
    ServerName kasdivi.com
    ServerAlias www.kasdivi.com
    <Directory "/">
        Allow from all
        AllowOverride All
        Options Indexes FollowSymLinks Includes
        Require all granted
    </Directory>
    ErrorLog "/var/log/httpd-error.log"
    CustomLog "/var/log/kasdivi.com-access.log" common
    Redirect permanent / https://kasdivi.com/
</VirtualHost>
<VirtualHost *:443>
    ServerAdmin admin@theoceanwindow.com
    DocumentRoot "/usr/local/www/kasdivi.com"
    <Directory "/">
        Allow from all
        AllowOverride All
        Options Indexes FollowSymLinks Includes
        Require all granted
    </Directory>
    SSLEngine on
    SSLCertificateFile /usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pe
    SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/kasdivi.com/privkey.p
    #SSLCertificateChainFile  /etc/ssl/certs/ca_bundle.crt
    ServerName kasdivi.com
    ServerAlias www.kasdivi.com
    ErrorLog "/var/log/httpd-error.log"
    CustomLog "/var/log/kasdivi.com-access_log" common
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin admin@theoceanwindow.com
    DocumentRoot "/usr/local/www/theoceanwindow.com"
    ServerName theoceanwindow.com
    ServerAlias www.theoceanwindow.com
    <Directory "/">
        Allow from all
        AllowOverride All
        Options Indexes FollowSymLinks Includes
        Require all granted
    </Directory>
    ErrorLog "/var/log/httpd-error.log"
    CustomLog "/var/log/theoceanwindow.com-access.log" common
    Redirect permanent / https://theoceanwindow.com/
</VirtualHost>
<VirtualHost *:443>
    ServerAdmin admin@theoceanwindow.com
    DocumentRoot "/usr/local/www/theoceanwindow.com"
    ServerName theoceanwindow.com
    ServerAlias www.theoceanwindow.com
     <Directory "/">
        Allow from all
        AllowOverride All
        Options Indexes FollowSymLinks Includes
    </Directory>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/certs/privkey.pem
    #SSLCertificateChainFile  /etc/ssl/certs/ca_bundle.crt
</VirtualHost>

That looks better except somewhere there is a new problem for theoceanwindow. HTTP requests redirect to HTTPS just like shown in that VirtualHost. That is expected.

But, HTTPS requests fail with a 403. Even for your "home" page. I don't see any reason for that in the VirtualHost you show. Do you know why those requests all fail with "403 Forbidden"? If not, setup an ErrorLog in the port 443 VirtualHost for theoceanwindow like you have for port 80. Give it a unique name.

# Sample ACME Challenge should fail with 404 error (not 403)
curl -ik https://theoceanwindow.com/.well-known/acme-challenge/Test404
HTTP/1.1 403 Forbidden
Server: Apache

# Home page also fails same 403
curl -ik https://theoceanwindow.com
HTTP/1.1 403 Forbidden
Server: Apache

# Sample ACME Challenge to kasdivi domain 
# Gets 404 Not Found as expected
# Something affects theoceanwindow that isn't in VirtualHost
# The VirtualHost for kasdivi and it are nearly identical
curl -ik https://kasdivi.com/.well-known/acme-challenge/Test404             
HTTP/1.1 404 Not Found
Server: Apache

What does this show?

sudo ls -l /usr/local/www
1 Like

I asked this earlier but are you sure the different IP addresses you have in the DNS for these two domains lead to this same Apache?

theoceanwindow.com.	60	IN	A	209.160.64.187
kasdivi.com.		60	IN	A	209.160.65.133

And, if so, why do you even have two different IPs?

1 Like

In the assumption that it would help spread the workload. This configuration worked until I screwed up deleting domains (wandjbrewers.com).

Found an error in the server configuration.

Under Apache 2.2:

    > Allow from all
    AllowOverride All
    Options Indexes FollowSymLinks Includes

Under Apache 2.4:

    > Allow from all
    AllowOverride All
    Options Indexes FollowSymLinks Includes
    Require all granted

403 error solved.

Alright. Try this again and show the result:

sudo certbot certonly --webroot -w /usr/local/www/theoceanwindow.com -d theoceanwindow.com -d www.theoceanwindow.com --deploy-hook "apachectl restart"
1 Like

This worked pretty well:
Hook 'deploy-hook' ran with error output:
Syntax OK
Syntax OK

Successfully received certificate.
Certificate is saved at: /usr/local/etc/letsencrypt/live/theoceanwindow.com/fullchain.pem
Key is saved at: /usr/local/etc/letsencrypt/live/theoceanwindow.com/privkey.pem
This certificate expires on 2025-06-23.
These files will be updated when the certificate renews.

The hook error might just be a new FreeBSD 14.2 thing.

Not an error. We used that earlier too. See:

Now, change the two SSL certificate lines for your oceanwindow domain to look like these. Just change the two lines (and remove the commented-out line for "ChainFile"):

<VirtualHost *:443>
    (...)
    ServerName theoceanwindow.com
    ServerAlias www.theoceanwindow.com
    (...)
    SSLCertificateFile /usr/local/etc/letsencrypt/live/theoceanwindow.com/fullchain.pem
    SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/theoceanwindow.com/privkey.pem
</VirtualHost>

Then reload Apache.

1 Like

I see you got a fresh cert for oceanwindow so just a couple things to clean up.

First, show output of this. Just want to make sure you don't have any stray certificate profiles that would interfere with successful renewal.

sudo certbot certificates
1 Like

Looks great!
I am still a little ... When I do an SSL check on mail.theoceanwindow.com I get the following analysis:

Common name: kasdivi.com
SANs: kasdivi.com, www.kasdivi.com
Valid from March 23, 2025 to June 21, 2025
Serial Number: 057998e28b427f2577f6daf4b3eed9c04cb2
Signature Algorithm: ecdsa-with-SHA384
Issuer: E6

Am I mixing apples and oranges?

You do not yet have a certificate for your mail subdomain. We haven't yet finished fixing your other two domains. What was the entire output of:

sudo certbot certificates
2 Likes

Found the following certs:

  Certificate Name: kasdivi.com-0001
    Serial Number: 5fa0f839f747347a9e52d2519904f22b986
    Key Type: ECDSA
    Domains: kasdivi.com theoceanwindow.com
    Expiry Date: 2025-06-14 13:22:00+00:00 (VALID: 78 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/kasdivi.com-0001/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/kasdivi.com-0001/privkey.pem
  Certificate Name: kasdivi.com-0002
    Serial Number: 6b3638634bca1bbb99d6ad123d3532ed5bc
    Key Type: ECDSA
    Domains: kasdivi.com
    Expiry Date: 2025-06-17 16:14:19+00:00 (VALID: 81 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/kasdivi.com-0002/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/kasdivi.com-0002/privkey.pem
  Certificate Name: kasdivi.com
    Serial Number: 57998e28b427f2577f6daf4b3eed9c04cb2
    Key Type: ECDSA
    Domains: kasdivi.com www.kasdivi.com
    Expiry Date: 2025-06-21 17:45:55+00:00 (VALID: 85 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/kasdivi.com/privkey.pem
  Certificate Name: theoceanwindow.com
    Serial Number: 528653f62aea81259b2019ba3cc1ea6b4e6
    Key Type: ECDSA
    Domains: theoceanwindow.com www.theoceanwindow.com
    Expiry Date: 2025-06-23 18:15:23+00:00 (VALID: 87 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/theoceanwindow.com/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/theoceanwindow.com/privkey.pem

Thanks for all the time and effort.

1 Like

We need to delete these two certificate profiles. Otherwise Certbot will try to renew them "forever".

Run these commands.

sudo certbot delete --cert-name kasdivi.com-0001
sudo certbot delete --cert-name kasdivi.com-0002

After that, run the command below and show the output. This is just a test. It will not affect your existing production certs:

sudo certbot renew --dry-run
2 Likes
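The stale profiles above were spotted by eye. As an added example (not code from the thread or from Certbot), this script parses the `certbot certificates` listing shown earlier and flags suffixed lineages (`-0001`, `-0002`) whose domains are all already covered by an unsuffixed profile, producing the same two `certbot delete` commands. The sample text is a constructed copy of the output posted in the thread.

```python
import re

# Constructed sample, copied from the `certbot certificates` output shown in
# the thread (serials, expiry dates and paths left out; not needed here).
SAMPLE_OUTPUT = """Found the following certs:
  Certificate Name: kasdivi.com-0001
    Domains: kasdivi.com theoceanwindow.com
  Certificate Name: kasdivi.com-0002
    Domains: kasdivi.com
  Certificate Name: kasdivi.com
    Domains: kasdivi.com www.kasdivi.com
  Certificate Name: theoceanwindow.com
    Domains: theoceanwindow.com www.theoceanwindow.com
"""

# Certbot appends -0001, -0002, ... when it creates a new lineage instead of
# reusing an existing one; that is how the duplicate profiles above appeared.
SUFFIX = re.compile(r"-\d{4}$")


def parse_certificates(text: str) -> dict[str, set[str]]:
    """Map each certbot profile (lineage) name to the set of domains it covers."""
    profiles: dict[str, set[str]] = {}
    current = None
    for line in text.splitlines():
        name = re.match(r"\s*Certificate Name:\s*(\S+)", line)
        if name:
            current = name.group(1)
            profiles[current] = set()
            continue
        domains = re.match(r"\s*Domains:\s*(.+)", line)
        if domains and current:
            profiles[current] = set(domains.group(1).split())
    return profiles


def redundant_profiles(profiles: dict[str, set[str]]) -> list[str]:
    """Suffixed profiles whose every domain is already covered by an unsuffixed
    profile. Left in place, certbot would keep renewing them indefinitely."""
    covered: set[str] = set()
    for name, domains in profiles.items():
        if not SUFFIX.search(name):
            covered |= domains
    return sorted(n for n, d in profiles.items() if SUFFIX.search(n) and d <= covered)


def delete_commands(text: str) -> list[str]:
    """The `certbot delete` commands to run, one per redundant profile."""
    names = redundant_profiles(parse_certificates(text))
    return [f"sudo certbot delete --cert-name {n}" for n in names]
```

A suffixed profile that covers a domain no unsuffixed profile covers is deliberately kept, since deleting it would drop the only lineage for that name.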

Thanks again. I was wondering about the proper way of doing this.

Results:

Simulating renewal of an existing certificate for theoceanwindow.com and www.theoceanwindow.com

Congratulations, all simulated renewals succeeded:
/usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem (success)
/usr/local/etc/letsencrypt/live/theoceanwindow.com/fullchain.pem (success)

1 Like

I assume that if I add mail.kasdivi.com and mail.theoceanwindow.com to the 443 sections of my vhosts.conf?

Usually mail subdomains need their own configuration. You are probably better off having new VirtualHosts for them anyway as well as whatever other configuration your mail system requires.

You haven't explained anything about your mail system so more detailed info from you is required to give specific advice.

I am not a mail system expert so maybe some other volunteer would help you with that. They will need more info anyway so you should start with that.

I see from your history on this forum that you have had frequent problems over several years. You have had 9 separate threads and over 100 posts. That is a lot. Many of the problems you have are similar. You might consider using a different hosting service that manages these technical details for you. That would allow you to focus on the content of your sites. Perhaps a WordPress hosting service or something like wix.com.

2 Likes

OK, I will go away. I did these sites as learning and to keep my mind active.

I apologize.

No need to apologize. We are unpaid volunteers offering help. In your case I thought the best help was to suggest a different solution entirely.

You are perfectly fine to continue asking for help here. Personally I have reached my limit in this thread. But, perhaps others will help.

1 Like

Thanks again for all your help.

I had this all working with more domains. The same was inflicted with cutting back.

Good luck to you.

Well, when you showed your configuration in post #10 it only had the above VirtualHosts and those domains.

I helped you set up a reliable system for getting the cert for those domains and renewing them.

That is all working.

If more needs to be working it would have been helpful to say so earlier.

As I said just before, you need to provide more info about your "mail" subdomains and maybe someone can help you.

2 Likes