Help on current configuration

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: datastore.ro

I ran this command: https://check-your-website.server-daten.de/?q=datastore.ro

It produced this output: See the output

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

As you can see in the picture only www.datastore.ro has a certificate, but not datastore.ro
How can I add it so that I have both covered?
Thank you.

I’m seeing that https://datastore.ro and https://www.datastore.ro are both providing valid HTTPS certificates and behaving correctly. Perhaps ask the people who run that check-your-website service what’s going on?

Hi @womble

where do you see that? Tested offline - same result:

```
D:\temp>download https://datastore.ro/ -h
SystemDefault
SSL error: RemoteCertificateNameMismatch
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
x-xss-protection: 1; mode=block
X-Frame-Options: sameorigin
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 233
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 26 Mar 2020 07:35:14 GMT
Location: https://www.datastore.ro/
Server: Apache

Status: 301 MovedPermanently

852,35 milliseconds
0,85 seconds
```

Hi @letsencryptdeb

read your complete output: Your certificate

CN=www.datastore.ro
	25.03.2020
	23.06.2020
expires in 89 days	www.datastore.ro - 1 entry

has only one domain name. Create one certificate with both domain names.

But there is one:

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2020-03-25 | 2020-06-23 | www.datastore.ro - 1 entries | duplicate nr. 2 | |
| Let's Encrypt Authority X3 | 2020-03-19 | 2020-06-17 | www.datastore.ro - 1 entries | duplicate nr. 1 | |
| Let's Encrypt Authority X3 | 2020-03-05 | 2020-06-03 | www.datastore.ro - 1 entries | | |
| Let's Encrypt Authority X3 | 2020-03-05 | 2020-06-03 | www.datastore.ro - 1 entries | | |
| Let's Encrypt Authority X3 | 2020-03-05 | 2020-06-03 | www.datastore.ro - 1 entries | | |
| Let's Encrypt Authority X3 | 2020-03-05 | 2020-06-03 | www.datastore.ro - 1 entries | | |
| Let's Encrypt Authority X3 | 2020-03-05 | 2020-06-03 | www.datastore.ro - 1 entries | | |
| Let's Encrypt Authority X3 | 2020-03-05 | 2020-06-03 | datastore.ro, www.datastore.ro - 2 entries | | |

Find that with two domain names and use it. It's created 2020-03-05, so you can use it.

PS: @letsencryptdeb

That's

Warning: HSTS preload sent, but not in Preload-List. Never send a preload directive if you don't know what preload means. Check https://hstspreload.org/ to learn the basics about the Google-Preload list. If you send a preload directive, you should immediately add your domain to the HSTS preload list via https://hstspreload.org/ . If Google accepts the domain, so the status is "pending": Note that new entries are hardcoded into the Chrome source code and can take several months before they reach the stable version. So you will see this message some months. If you don't want that or if you don't understand "preload", but if you send a preload directive and if you have correct A-redirects, everybody can add your domain to that list. Then you may have problems, it's not easy to undo that. So if you don't want your domain preloaded, remove the preload directive.

bad. Sending a preload directive without knowing what that means is wrong.

1 Like
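The name mismatch discussed above comes down to which names are in each certificate's SAN list. The following is an added example, not code from any poster in this thread: it checks SAN coverage for a set of required hostnames and picks the newest valid certificate that covers all of them. The certificate records are constructed from the dates and names in the table quoted above; the function names and the simplified wildcard rule are assumptions of this sketch.

```python
from datetime import date

def name_matches(hostname: str, san: str) -> bool:
    """RFC 6125-style match: exact, or '*' standing in for the whole left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False  # a wildcard never spans more than one label
    if pattern[0] == "*":
        # Simplification (assumption): reject '*.tld'; browsers also consult the public suffix list.
        return len(pattern) > 2 and host[1:] == pattern[1:]
    return host == pattern

def uncovered(required, sans):
    """Names in `required` that no SAN entry of the certificate matches."""
    return [h for h in required if not any(name_matches(h, s) for s in sans)]

def pick_certificate(certs, required, today):
    """Newest currently valid certificate whose SAN list covers every required name."""
    usable = [c for c in certs
              if c["not_before"] <= today <= c["not_after"]
              and not uncovered(required, c["sans"])]
    return max(usable, key=lambda c: c["not_before"], default=None)

# Constructed sample data: dates and names taken from the issuance table in the thread.
CERTS = [
    {"not_before": date(2020, 3, 25), "not_after": date(2020, 6, 23),
     "sans": ["www.datastore.ro"]},
    {"not_before": date(2020, 3, 19), "not_after": date(2020, 6, 17),
     "sans": ["www.datastore.ro"]},
    {"not_before": date(2020, 3, 5), "not_after": date(2020, 6, 3),
     "sans": ["datastore.ro", "www.datastore.ro"]},
]
REQUIRED = ["datastore.ro", "www.datastore.ro"]

if __name__ == "__main__":
    today = date(2020, 3, 26)  # date of the failing request shown in the thread
    for cert in CERTS:
        print(cert["not_before"], cert["sans"], "missing:", uncovered(REQUIRED, cert["sans"]))
    print("use:", pick_certificate(CERTS, REQUIRED, today))
```

A wildcard entry such as `*.datastore.ro` would still leave the bare `datastore.ro` uncovered, which is why both names have to be listed explicitly.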

Hi JuergenAuer,

Where do I find that certificate?
How can I use it?
Do I have to run
sudo certbot --apache -d datastore.ro -d www.datastore.ro to correct this?

I have some other services that use the current certificate. Will changing/adding a new certificate impact those services?

Thank you

May be the easiest solution.

show us any files in /etc/apache2/sites-enabled

(use ``` before and after each file, on a line by themselves)

Read your output. You have an installed certificate. And you have Grade A, so you have complete working redirects.

You don't need to let Certbot create redirects if you already have redirects.

Thank you JuergenAuer for your answer.
I was concerned that there may be issues after the 90 days when the certificates have to renew.

I’m trying to address every issue from the report. I’m a beginner with working with certificates.
I now try to do the GZIP issue and I could not find a working source.

Can somebody point me to a working source?
I tried at least 5 different suggestions and none of them work.
Is this because of the http2 or is it something else?
I have apache2 and got that AddOutputFilterByType is deprecated and some other solution should be used, but I found no working examples.

Thank you all.

Please do the above action.

Do you know what's your exact apache version?
Try to run httpd -v to find out.

From: Apache AddOutputFilterByType is deprecated. How to rewrite using mod_filter? - Stack Overflow

AddOutputFilterByType had severe limitations in httpd-2.2 so it was marked deprecated there. But in httpd-2.4 this directive was moved to filter_module, corrected and un-deprecated.
In apache 2.2 you should instead enable filter_module and deflate_module and use:

Thank you

I have Apache 2.4.29

You should be able to set up GZip for Apache 2.4.29.
What’s the command you used? Are you trying to set it up at virtual host level or web server level?

Have you tried https://knackforge.com/blog/karalmax/how-enable-gzip-compression-apache.html ?

Thank you

I don't know which one is a better approach. As long as it compresses the html content and I get rid of the pink line from the picture I posted earlier, I'm good with any of the two.

I actually tried this https://knackforge.com/blog/karalmax/how-enable-gzip-compression-apache.html
and it did not work.

Thank you.

What's the output?
(and how did you implement that?)

If you give me 5 minutes, I'll try again and let you know the results.
I do not have https.conf. Instead I have apache2.conf
I did the settings in apache2.conf

I do not have /etc/httpd/conf/httpd.conf
I put everything in /etc/apache2/apache2.conf

OK. So I did what I said above and added the code below into my .htaccess file in the root folder
```
<Directory /var/www/html/>
    <IfModule mod_mime.c>
        AddType application/x-javascript .js
        AddType text/css .css
    </IfModule>
    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/css application/x-javascript text/x-component text/html text/plain text/xml application/javascript
        <IfModule mod_setenvif.c>
            BrowserMatch ^Mozilla/4 gzip-only-text/html
            BrowserMatch ^Mozilla/4\.0[678] no-gzip
            BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
        </IfModule>
    </IfModule>
    Header append Vary User-Agent env=!dont-vary
</Directory>
```

By the way.
Should the code below be insert in only in virtual host on port 80 or only in virtual host 443 or in both of them?

```
<Directory /var/www/html/>
    <IfModule mod_mime.c>
        # Map file extensions to the MIME types listed for compression below
        AddType application/x-javascript .js
        AddType text/css .css
    </IfModule>
    <IfModule mod_deflate.c>
        # Compress text-based responses with mod_deflate
        AddOutputFilterByType DEFLATE text/css application/x-javascript text/x-component text/html text/plain text/xml application/javascript
        <IfModule mod_setenvif.c>
            # Legacy browser exceptions
            BrowserMatch ^Mozilla/4 gzip-only-text/html
            BrowserMatch ^Mozilla/4\.0[678] no-gzip
            BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
        </IfModule>
    </IfModule>
    # Tell caches the response varies by User-Agent
    Header append Vary User-Agent env=!dont-vary
</Directory>
```

Htaccess should be added in your document root, /var/www/html.

You can insert that to port 443 configuration first... since port 80 is plain redirect.

By the way, did you restart your web server after adding the changes?

Thank you

  1. yes I put the .htaccess file in /var/www/html
  2. I put the code only in virtualhost 443
    The same result
    yes. I restarted the server.

Thank you

It seems that is an issue with http2 according to this https://github.com/icing/mod_h2/issues/143