Having trouble requesting certificates for multiple virtual hosts

I have an Apache2 webserver running on Ubuntu 16.04. After reading the documentation, I had successfully setup an SSL certificate on one of my websites using certbot.

My Apache server serves several virtual websites from separate directories. An example of my site/drive layout is:

“www.example.com” is located in folder “/data/web/www.example.com”
“site2.example.com” is located in folder “/data/web/site2.example.com”
“site3.example.com” is located in folder “/data/web/site3.example.com”

I created a “/data/web/www.example.com/.well-known/acme-challenge” folder and made sure that apache would serve a document placed there. I successfully received a certificate for www.example.com using the following command:

certbot certonly --webroot -w /data/web/www.example.com -d www.example.com

*Note - I had to run the command from the folder “/data/web/www.example.com” for it to work! That wasn’t in the documentation anywhere.

After doing this, I wanted to add the other subdomains but keep getting errors. Since each of these subdomains exists in a separate location, I made a symbolic link in each of their root directories to “/data/web/www.example.com/.well-known”. I made sure apache would serve the test file again in one of the subdomains. Then I ran the following command from within the “/data/web/www.example.com” folder:

certbot certonly --webroot -w /data/web/www.example.com -d example.com -d www.example.com -d site2.example.com -d site3.example.com

No luck. I get the following output for each subdomain:

Domain: site2.example.com
Type: tls
Detail: Fetching
local error: tls: no renegotiation

What am I doing wrong?

Ok. I was wrong in my first post… you do not have to run the certbot command from the webroot directory. But you do have to make sure that your virtualhost conf file is NOT set to rewrite requests received on http to https.

I originally had my sites using a self-signed ssl certificate. It never dawned on me that the entire webroot validation is done over standard http (theoretically you wouldn’t have ssl at this point).

Everything is working now.
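As an added illustration of the point in the post above (this is not the poster's own configuration), here is an Apache port-80 VirtualHost showing the blanket HTTP-to-HTTPS redirect that blocks the HTTP-01 webroot check beside a version that exempts the challenge path. The hostname, document root and shared challenge directory are taken from the thread; the Alias is assumed as a stand-in for the poster's symbolic links.

```apache
<VirtualHost *:80>
    ServerName site2.example.com
    DocumentRoot /data/web/site2.example.com

    # Answer challenge requests from the shared directory used in the thread,
    # so every vhost serves the same tokens over plain HTTP (assumed layout).
    Alias /.well-known/acme-challenge/ /data/web/www.example.com/.well-known/acme-challenge/
    <Directory /data/web/www.example.com/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    RewriteEngine On

    # Broken: every request on port 80, including the CA's fetch of
    # /.well-known/acme-challenge/<token>, is bounced to HTTPS, so the
    # HTTP-01 validation never reaches the token over HTTP.
    # RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]

    # Fixed: leave the challenge path alone, redirect everything else.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>
```

Before re-running certbot, confirm with `curl -I http://site2.example.com/.well-known/acme-challenge/test` that the response is a 200 (or 404 for a missing file) rather than a 301 to HTTPS.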
