Help with mapped domain with valid SSL

My domain is:

It produced this output:
this connection is not a private

My web server is:
Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is:
Ubuntu 18.04.5 LTS

I can login to a root shell on my machine:

The version of my client is
certbot 1.31.0

I'm mapping this domain to this IP server XX.XXX.XX, which has a valid wildcard SSL issued by Let's Encrypt for the main domain and the subdomain.

My question: is it possible to serve the mapped domain: with that wildcard SSL? How can I achieve this?

Thank you

Hello @Mtrf3, welcome to the Let's Encrypt community. :slightly_smiling_face:

I believe you will need to use the DNS-01 ACME v2 Challenge Types - Let's Encrypt

Here is a list of issued certificates for |, the most recent being 2022-10-03.
I do not see any certificates issued by Let’s Encrypt.


Redirections don't change the request name.
The cert must contain the name requested. <> [FAIL] <> [FAIL]


So @rg305 if I understand correctly they will need a New Wildcard Certificate with the domain names of the present Wildcard Certificate and added to that the additional domain name, for a New Wildcard Certificate.


SNI allows for one IP to serve many names.
[those names don't all have to be in a single cert]
Weebly would have to obtain a cert that covers the new name being sent to them:


Hadn't known that they were a web hosting company, I assumed that @Mtrf3 also had those domain names too. My bad. :slightly_frowning_face:


@rg305 we are already using DNS challenge with:

certbot certonly --cert-name --manual --preferred-challenges dns -d ",*" --deploy-hook "apachectl -k graceful"

We are hosting one website under the subdomain name: that matches our wildcard SSL.

Now we have created a CNAME, and the custom domain has created an A record for and pointed it to our server.

Please correct me if I'm wrong: we need to obtain a new SSL cert for the new domain name.

The cert presented must match the requested name.
CNAMEs only redirect one DNS name to another.
DNS only resolves names to IPs.
So, using a CNAME just delegates the IP for the first name to the IP of the second name.
NAME#1 goes to IP#2.
But it is still looking for NAME#1 [at the NAME#2 location].

In a more understandable situation:
I need to speak securely with John...
Knock on John's door and ask for John - Sorry, he's at Bob's house.
Knock on Bob's door and ask for who?
I still ask for John [not Bob].
Whoever answers must present an ID as John or I will not speak with him securely.
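
The rule in the reply above, as an added example that is not part of the original thread: DNS (CNAME then A record) only yields an IP, the client still sends the name it asked for as SNI, and the certificate is checked against that name. All names, the IP and the SAN lists are constructed placeholders, and the server's certificate selection is a simplified model of name-based virtual hosting.

```python
# Added illustration; every name, IP and SAN list here is a constructed placeholder.

def san_matches(pattern, hostname):
    """Simplified RFC 6125 match: '*' may only be the whole left-most label
    and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def resolve(name, cnames, a_records):
    """Follow the CNAME chain to an A record. Only the IP is returned:
    the name the client asked for is never rewritten."""
    seen = set()
    while name in cnames:
        if name in seen:
            raise ValueError("CNAME loop")
        seen.add(name)
        name = cnames[name]
    return a_records.get(name)

def pick_cert(sni, vhosts):
    """Server side (simplified): use the vhost whose cert covers the SNI name,
    otherwise fall back to the first vhost, which acts as the default."""
    for sans in vhosts:
        if any(san_matches(s, sni) for s in sans):
            return sans
    return vhosts[0]

def client_accepts(requested, cnames, a_records, servers):
    """Client side: resolve, send `requested` as SNI, verify the cert against it."""
    ip = resolve(requested, cnames, a_records)
    if ip not in servers:
        return False
    presented = pick_cert(requested, servers[ip])
    return any(san_matches(s, requested) for s in presented)

CNAMES = {"www.customer.example": "tenant1.saas.example"}   # NAME#1 -> NAME#2
A_RECORDS = {"tenant1.saas.example": "192.0.2.10"}           # NAME#2 -> IP#2
WILDCARD = ["saas.example", "*.saas.example"]
BEFORE = {"192.0.2.10": [WILDCARD]}                            # only the wildcard vhost
AFTER = {"192.0.2.10": [WILDCARD, ["www.customer.example"]]}  # extra vhost, own cert
```

With `BEFORE`, the custom name reaches the right IP but is refused because the wildcard certificate does not list it; with `AFTER`, the second certificate is selected by SNI and the same request is accepted.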


Hi @Bruce5051
the certificates issued are for the main domain: crt | weeby

Hi @rg305
Well done, thank you for the clarification.

I did obtain a new cert with:
sudo certbot --apache -d

certbot is telling me:

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)

If I choose install, certbot cannot find the virtual host and it will try to install it on top of the main wildcard that I have as a main domain, (which is

I think I'm missing some steps, any idea?
thank you


It sounds like you don't have Apache configured properly. Can you show output of this:

sudo apachectl -t -D DUMP_VHOSTS

might need to use apachectl2


Hi @MikeMcQ

sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443         (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80          (/etc/apache2/sites-enabled/000-default.conf:1)

Please note, weeby is a SaaS application that provides services for users with a subdomain of their choice. Since some users ask for a custom domain, we need to create a CNAME, then ask those users to create an A record. In our case: is willing to have his custom domain

Thanks for that.

In short, the cert in your *:443 VirtualHost must have the name in the cert to avoid browser errors.

Or, create a new VirtualHost *:443 for newnfashion and have its own cert in that.

As for DNS, each of the 3 domain names you state just have an A record to the same IP. I don't see any CNAME so not sure what that is used for.

So, I assume you use the HOST header or similar to change the content for the different requesting domains (w/proxy or maybe DocumentRoot)

Is that right? Because with only one VirtualHost all the requests to that IP are processed in that one VHost.

There are many ways to configure such a system. Sorry if I misunderstand but that's how I see it based on the info given.


Thanks @MikeMcQ :slightly_smiling_face: :ok_hand: :+1: :pray:

The way I solved it is to create a new vhost and include the obtained cert. However, as the number of vhosts is going to increase (by hundreds), do you recommend any automation methods to update so we can maintain them and avoid any browser warnings?

thank you again


Designing architecture for (hoped for) large commercial sites is beyond the scope of this forum. Or, at least beyond the scope of what I wish to help with.

I thought this was a rare exception to a well-established system. If it is just the first of many such customers I think you have much to consider.

You should review the topic below. Perhaps others will comment about using Apache for large integrations or offer other ideas. Best wishes.


I confused weeby with weebly - LOL

