Help! SSL put on domain.com and www.domain.com


#1

Hello, thanks for reading.

I had LetsEncrypt installed successfully today on two domains: ajob.com and allhotels.com.

They were fine in Chrome and Safari.

The day took a turn for the worse with Mozilla. For some reason, it worked fine on https://ajob.com and https://allhotels.com.

But www.ajob.com and www.allhotels.com … and yes, I had a Virtual Host file at Digital Ocean redirecting to https://

I got greedy and tried to fix it by installing a LetsEncrypt SSL on www.ajob.com … and guess what, POW, all my sites are now completely wrecked!!

What a day!!!

Oh and by the way it says the SSL is perfect on the letsencrypt checker.

I’m thinking I will destroy this droplet and relaunch it… but I need help from LetsEncrypt community – how do I destroy the old SSLs?

If you could help, I’d be very grateful.


#2

Can I hire someone from the community? This is very stressful working at the command line, non-coder here.


#3

Hi @LinkOrchard,

You have issued 4 certificates:

1 covering only ajob.com
1 covering only www.ajob.com
1 covering only allhotels.com
1 covering only www.allhotels.com

As an example:
https://www.ajob.com and https://ajob.com are using the same certificate but that certificate is only valid for www.ajob.com so if you try to reach it using https://anon.com you will get an error in your browser.

You need to configure your apache to serve the right cert for each of your domains.

Also, you have a wrong redirection, so your domains are being redirected in an endless loop:

$ curl -ikL https://ajob.com
HTTP/1.1 302 Found
Date: Tue, 05 Sep 2017 16:35:01 GMT
Server: Apache/2.4.18 (Ubuntu)
Location: https://ajob.com/
Content-Length: 276
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Date: Tue, 05 Sep 2017 16:35:01 GMT
Server: Apache/2.4.18 (Ubuntu)
Location: https://ajob.com/
Content-Length: 276
Content-Type: text/html; charset=iso-8859-1
[Looping...]
curl: (47) Maximum (50) redirects followed

If you issued your certificates with certbot please show the output of this command:

certbot certificates

If you used certbot-auto:

certbot-auto certificates

Also, show the conf of your VirtualHost in Apache.

Cheers,
sahsanu


#4

Sahsanu,

Thanks for getting back to me.

It says I have a cert in ajob.com, www.ajob.com, and allhotels.com

But not www.allhotels.com

Here is ajob.com.conf

Redirect / https://ajob.com/
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

ServerAdmin beaker@coalbucket.net
ServerName ajob.com
ServerAlias www.ajob.com
DocumentRoot /var/www/ajob.com/public_html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.ajob.com [OR]
RewriteCond %{SERVER_NAME} =ajob.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
Redirect / https://ajob.com
</VirtualHost>

==================================
Here is allhotels.com.conf
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

ServerAdmin beaker@coalbucket.net
ServerName allhotels.com
ServerAlias www.allhotels.com
DocumentRoot /var/www/allhotels.com/public_html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

RewriteEngine on
RewriteCond %{SERVER_NAME} =allhotels.com [OR]
RewriteCond %{SERVER_NAME} =www.allhotels.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
Redirect / https://allhotels.com/
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noe

=================================
I created www.ajob.com.conf but I deleted it as it didn’t fix the problem, and I had to lash out at something lol


#5

Honestly this was perfect in Chrome and Safari – why did I not just leave Mozilla…oh to go back a few hours! lol


#6

Yes, my bad, I just checked ajob.com and www.ajob.com so I supposed allhotels.com was the same. Anyway, please, paste the output of the command.

Wow, so many redirects. If you only want to redirect the www and non-www domain to https://ajob.com you need this (keep in mind that I’ve added a missing trailing / to your Redirect directive):

Redirect permanent / https://ajob.com/

If you want to redirect http://www.ajob.com to https://www.ajob.com and http://ajob.com to https://ajob.com then leave it like this (removing the last redirect):

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.ajob.com [OR]
RewriteCond %{SERVER_NAME} =ajob.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

and you need to do the same for allhotels.com

Also, you are not showing the important part: the SSL conf for your domains, the conf files that should start with <VirtualHost *:443>.

Cheers,
sahsanu


#7

If it was not working in Firefox it was not working in Chrome :stuck_out_tongue:. The thing is that Chrome tries to fix common issues like, I’m accessing domain www.domain.com and the cert is only valid for domain.com so let's try to access domain.com instead of www.domain.com :wink:


#8

That makes sense. I took a break and I’m on it now. But do I need to delete the SSL for www.ajob.com?

I will paste what it says from the command. Thank you for your help.


#9

sudo certbot certificates produces the following:

Found the following certs:
Certificate Name: ajob.com
Domains: ajob.com
Expiry Date: 2017-12-04 13:50:00+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/ajob.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ajob.com/privkey.pem
Certificate Name: www.ajob.com
Domains: www.ajob.com
Expiry Date: 2017-12-04 14:39:00+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.ajob.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.ajob.com/privkey.pem
Certificate Name: allhotels.com
Domains: allhotels.com
Expiry Date: 2017-12-04 13:53:00+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/allhotels.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/allhotels.com/privkey.pem


#10

Action - tonight I’m starting to remove those SSLs.

It seemed like a good idea at the time :smiley:

# brings up a list of SSLs and then you pick one to delete
sudo certbot delete

The problem is, the SSL still exists. Only in IT could you delete something, but now it exists more than ever lol


#11

@LinkOrchard,

There was no need to delete certificates. Your issue is an Apache configuration problem.

I’m still waiting for the SSL conf sections of your domains (you still have a redirection loop problem).

Cheers,
sahsanu


#12

Hey @sahsanu – I destroyed the droplet connected with these domains as the apache got corrupted. Thanks for your help, unfortunately we are back to drawing board … CNAME was a problem as it had an alias from www.ajob.com to ajob.com lol with SSL on www.ajob.com … thanks again


#13

@sahsanu as the cert is ok on www.ajob.com I am thinking: CNAME - we need to make ajob.com an alias of www.ajob.com rather than the other way around… I am wondering what you think about that?


#14

Hi @LinkOrchard,

A CNAME is just a DNS record saying:

You are trying to get the IP of domain www.ajob.com, but I don’t have an A record, so as I’m a CNAME I can tell you that to get the IP of www.ajob.com you need to check ajob.com.

It is not related to your SSL or redirection issues. Indeed, I don’t know why you want a CNAME; just create 2 A records, 1 for ajob.com and 1 for www.ajob.com, pointing to your server IP address.

Note: Right now there aren’t A, CNAME, NS, MX, nor any records for your domain ajob.com, maybe you are recreating them…

Also, if you plan to access your domain using https://www.ajob.com or https://ajob.com then you need 1 certificate for www.ajob.com and 1 certificate for ajob.com OR 1 certificate covering both domains.

Cheers,
sahsanu


#15

Ok…thanks @sahsanu – yes I am pausing on ajob.com ANAME + CNAME till I figure it out …
but when I check SSL on ajob.com – it says it is part of www.ajob.com – it’s not possible to have two certs like this… it’s just one cert currently on www.ajob.com as this is the second one to be created … this link shows what’s happening at the LetsEncrypt end…
https://www.ssllabs.com/ssltest/analyze.html?d=ajob.com&latest

says it is part of www.ajob.com


#16

Yes @sahsanu the cert on www.ajob.com covers ajob.com … thanks again.


#17

Maybe you have created a new cert just a couple of hours ago covering both domains but till now, your certs are covering only one domain:

CRT ID     DOMAIN (CN)   VALID FROM              VALID TO               EXPIRES IN  SANs
204952131  ajob.com      2017-Sep-06 02:24 CEST  2017-Dec-05 01:24 CET  89 days     ajob.com
204721512  www.ajob.com  2017-Sep-05 16:39 CEST  2017-Dec-04 15:39 CET  89 days     www.ajob.com
204706513  ajob.com      2017-Sep-05 15:50 CEST  2017-Dec-04 14:50 CET  89 days     ajob.com

As your domain doesn’t have any IP associated now, it is not possible to check that link.

Cheers,
sahsanu


#18

I’d suggest two sets of certs, and to do things yourself. First cert:

certbot certonly --rsa-key-size 4096 --must-staple --webroot -w /path/to/webroot -d ajob.com -d www.ajob.com

Of course where /path/to/webroot is the full path, such as /var/www/ajob or /srv/http/ajob. Second:

certbot certonly --rsa-key-size 4096 --must-staple --webroot -w /path/to/other -d allhotels.com -d www.allhotels.com

Then you just need a simple config for Apache:

# Enable several nice options
Protocols h2 http/1.1
ProtocolsHonorOrder On
# After setup is working go to https://hstspreload.org/ and don't worry about man-in-the-middle attacks
# (Apache does not accept a comment after a directive on the same line, so these notes sit on their own lines)
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# This and the next line are the --must-staple; without them the certs *will* fail
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
SSLUseStapling on
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
# Redirect from http to https (a vhost has one ServerName; extra names go in ServerAlias)
<VirtualHost *:80>
    ServerName ajob.com
    ServerAlias www.ajob.com
    Redirect permanent / https://ajob.com/
</VirtualHost>
<VirtualHost *:80>
    ServerName allhotels.com
    ServerAlias www.allhotels.com
    Redirect permanent / https://allhotels.com/
</VirtualHost>

# Redirect away from www
<VirtualHost *:443>
    ServerName www.ajob.com
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/ajob.com/cert.pem"
    SSLCertificateChainFile "/etc/letsencrypt/live/ajob.com/chain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/ajob.com/privkey.pem"
    Redirect permanent / https://ajob.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName www.allhotels.com
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/allhotels.com/cert.pem"
    SSLCertificateChainFile "/etc/letsencrypt/live/allhotels.com/chain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/allhotels.com/privkey.pem"
    Redirect permanent / https://allhotels.com/
</VirtualHost>

# This is where the site is actually loaded from
<VirtualHost *:443>
    ServerName ajob.com
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/ajob.com/cert.pem"
    SSLCertificateChainFile "/etc/letsencrypt/live/ajob.com/chain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/ajob.com/privkey.pem"
    DocumentRoot /path/to/webroot
</VirtualHost>
<VirtualHost *:443>
    ServerName allhotels.com
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/allhotels.com/cert.pem"
    SSLCertificateChainFile "/etc/letsencrypt/live/allhotels.com/chain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/allhotels.com/privkey.pem"
    DocumentRoot /path/to/other
</VirtualHost>

Make sure I didn’t make any typos, and make sure to change /path/to/webroot and /path/to/other in both the command and the Apache config.

IMPORTANT: If you plan on using these certs on a mailserver, remove the --must-staple from the commands (the server setup is fine, you have no reason not to staple).

After this remove any of the old certs you no longer need, and you should be setup correctly.
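The certificate-coverage point sahsanu makes in posts #3, #14 and #17, checked against the vhost layout of post #18, as an added example that is not from this thread, from certbot or from Apache: this Python script reads the Domains and Certificate Path lines of certbot certificates output together with the <VirtualHost *:443> blocks of an Apache config and lists every ServerName or ServerAlias that the certificate lineage configured for that vhost does not cover. The sample input is constructed from the names in this thread and the function names are my own; the matcher also handles wildcard SANs, which this thread does not use.

```python
import re
# Constructed sample built from the names in this thread, not the poster's real files.
CERTBOT_OUTPUT = """\
Domains: ajob.com
Certificate Path: /etc/letsencrypt/live/ajob.com/fullchain.pem
Domains: www.ajob.com
Certificate Path: /etc/letsencrypt/live/www.ajob.com/fullchain.pem
"""
VHOSTS = """\
<VirtualHost *:443>
    ServerName ajob.com
    ServerAlias www.ajob.com
    SSLCertificateFile "/etc/letsencrypt/live/ajob.com/cert.pem"
</VirtualHost>
"""
BLOCK = re.compile(r"<VirtualHost\s+[^>]*:443>(.*?)</VirtualHost>", re.S)

def parse_certbot(text):
    """Map each lineage dir (/etc/letsencrypt/live/<name>) to the names it covers."""
    certs, domains = {}, []
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Domains":
            domains = value.split()
        elif key == "Certificate Path":
            certs[value.strip().rsplit("/", 1)[0]] = set(domains)
    return certs

def parse_vhosts(text):
    """List (hostnames, lineage dir) for every <VirtualHost *:443> block."""
    result = []
    for body in BLOCK.findall(text):
        names = re.findall(r"^\s*Server(?:Name|Alias)\s+(.+)$", body, re.M)
        path = re.search(r'^\s*SSLCertificateFile\s+"?([^"\s]+)', body, re.M)
        result.append(([n for line in names for n in line.split()],
                       path.group(1).rsplit("/", 1)[0] if path else None))
    return result

def covered(host, sans):
    """Exact SAN match, or a wildcard SAN matching exactly one leftmost label (RFC 6125)."""
    host = host.lower().rstrip(".")
    return any(s == host or (s.startswith("*.") and host.endswith(s[1:])
                             and host.count(".") == s.count(".")) for s in map(str.lower, sans))

def uncovered_names(certbot_text, vhost_text):
    """(hostname, lineage dir) pairs whose vhost certificate does not cover the hostname."""
    certs = parse_certbot(certbot_text)
    return [(n, d) for names, d in parse_vhosts(vhost_text)
            for n in names if not covered(n, certs.get(d, set()))]
```

On the constructed input the only finding is www.ajob.com served from the ajob.com lineage, which is exactly the browser error the thread describes; a single lineage issued with -d ajob.com -d www.ajob.com clears it.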


#19

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.