Help with mapped domain with valid SSL

My domain is:
newnfashion.com

It produced this output:
this connection is not a private

My web server is:
Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is:
Ubuntu 18.04.5 LTS

I can login to a root shell on my machine:
yes

The version of my client is
certbot 1.31.0

I'm mapping the domain newnfashion.com to the server IP XX.XXX.XX, which has a valid wildcard SSL certificate issued by Let's Encrypt for the main domain weeby.store and the subdomain newn.weeby.store.

My question: is it possible to serve the mapped domain newnfashion.com with that wildcard SSL certificate? How can I achieve this?

thank you

Hello @Mtrf3, welcome to the Let's Encrypt community. :slightly_smiling_face:

I believe you will need to use the DNS-01 challenge (see Challenge Types - Let's Encrypt).

Here is the list of issued certificates on crt.sh for newnfashion.com, the most recent being 2022-10-03.
I do not see any certificates issued by Let's Encrypt.

1 Like

No.
Redirections don't change the request name.
The cert must contain the name requested.
newnfashion.com <> weeby.store [FAIL]
newnfashion.com <> newn.weeby.store [FAIL]

4 Likes

So @rg305, if I understand correctly, they will need a new wildcard certificate with the domain names of the present wildcard certificate plus the additional domain name newnfashion.com.

1 Like

SNI allows for one IP to serve many names.
[those names don't all have to be in a single cert]
Weebly would have to obtain a cert that covers the new name being sent to them:
newnfashion.com

4 Likes

Hadn't known that they were a web hosting company, I assumed that @Mtrf3 also had those domain names too. My bad. :slightly_frowning_face:

2 Likes

@rg305, we are already using the DNS challenge with:

certbot certonly --cert-name weeby.store --manual --preferred-challenges dns -d "weeby.store,*.weeby.store" --deploy-hook "apachectl -k graceful"

We are hosting one website under the subdomain name: newn.weeby.store that matches our wildcard SSL.

Now we have created a CNAME, and the custom domain has an A record for newnfashion.com pointing to our server xx.xxx.xx.xxx.

Please correct me if I'm wrong: we need to obtain a new SSL cert for the new domain name newnfashion.com?

Yes.
The cert presented must match the requested name.
CNAMEs only redirect one DNS name to another.
DNS only resolves names to IPs.
So, using a CNAME just delegates the IP for the first name to the IP of the second name.
NAME#1 goes to IP#2.
But it is still looking for NAME#1 [at the NAME#2 location].

In a more understandable situation:
I need to speak securely with John...
Knock on John's door and ask for John - Sorry, he's at Bob's house.
Knock on Bob's door and ask for who?
I still ask for John [not Bob].
Whoever answers must present an ID as John or I will not speak with him securely.

4 Likes

Hi @Bruce5051,
the certificates issued are for the main domain weeby.store (crt | weeby).

Hi @rg305,
well done, thank you for the clarification.

I did obtain a new cert with:
sudo certbot --apache -d newnfashion.com

certbot is telling me:

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/newnfashion.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)

If I choose install, certbot cannot find the virtual host and tries to install it on top of the main wildcard that I have for the main domain (weeby.store).

I think I'm missing some steps; any idea?
thank you

1 Like

It sounds like you don't have Apache configured properly. Can you show output of this:

sudo apachectl -t -D DUMP_VHOSTS

You might need to use apache2ctl.

3 Likes

Hi @MikeMcQ

sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443                  weeby.store (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   weeby.store (/etc/apache2/sites-enabled/000-default.conf:1)

Please note: weeby is a SaaS application that provides services for users with a subdomain of their choice. Since some users ask for a custom domain, we need to create a CNAME, then ask those users to create an A record. In our case, newn.weeby.store wants to have its custom domain newnfashion.com.

Thanks for that.

In short, the cert in your *:443 VirtualHost must have the name newnfashion.com in the cert to avoid browser errors.

Or, create a new VirtualHost *:443 for newnfashion and have its own cert in that.

As for DNS, each of the 3 domain names you state just has an A record to the same IP. I don't see any CNAME, so I'm not sure what that is used for.

So, I assume you use the HOST header or similar to change the content for the different requesting domains (w/proxy or maybe DocumentRoot)

Is that right? Because with only one VirtualHost all the requests to that IP are processed in that one VHost.

There are many ways to configure such a system. Sorry if I misunderstand but that's how I see it based on the info given.

4 Likes
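MikeMcQ's second option (a separate VirtualHost for the custom domain with its own cert) as an added shell script that is not from this thread. It repeats the DUMP_VHOSTS check from above before touching anything, and creates the :80 vhost before calling `certbot --apache`, since the earlier failure was certbot finding no vhost for the name; `SITES_DIR`, the DocumentRoot layout and an already-registered certbot account are assumptions.

```shell
#!/bin/sh
# Onboard one customer's custom domain with its own VirtualHost and its own
# certificate instead of the weeby.store wildcard. Order matters: the :80
# vhost must exist and be loaded BEFORE "certbot --apache" runs, otherwise
# certbot cannot find a vhost for the name and falls back to the default
# (weeby.store) one. certbot then writes the *:443 vhost (<name>-le-ssl.conf).
# SITES_DIR and the DocumentRoot layout are assumptions for this example.
SITES_DIR=${SITES_DIR:-/etc/apache2/sites-available}

# Reads `apachectl -t -D DUMP_VHOSTS` output on stdin; succeeds if any line
# names the host (works for the single-vhost and "namevhost" formats).
vhost_exists() {
    awk -v host="$1" '{ for (i = 1; i <= NF; i++) if ($i == host) found = 1 }
                      END { exit found ? 0 : 1 }'
}

# Print a plain HTTP VirtualHost for domain $1 with DocumentRoot $2.
render_http_vhost() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    DocumentRoot $2
</VirtualHost>
EOF
}

# Full procedure; needs root, the certbot apache plugin and an existing
# certbot account (otherwise add --agree-tos and -m <email>).
add_custom_domain() {
    domain=$1; docroot=$2
    if apachectl -t -D DUMP_VHOSTS 2>/dev/null | vhost_exists "$domain"; then
        echo "a VirtualHost for $domain already exists" >&2; return 1
    fi
    render_http_vhost "$domain" "$docroot" > "$SITES_DIR/$domain.conf"
    a2ensite "$domain.conf" && apachectl -t && apachectl -k graceful || return 1
    # HTTP-01 via the apache plugin: certbot edits the vhost it just found,
    # creates the :443 copy with the new cert and reloads Apache.
    certbot --apache -d "$domain" --non-interactive --redirect || return 1
    apachectl -t -D DUMP_VHOSTS | vhost_exists "$domain"
}

if [ $# -eq 2 ]; then add_custom_domain "$@"; fi
```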

Thanks @MikeMcQ :slightly_smiling_face: :ok_hand: :+1: :pray:

The way I solved it is to create a new vhost and include the obtained cert. However, as the number of vhosts is going to increase (by hundreds), do you recommend any automation methods to keep them updated so we can maintain them and avoid any browser warnings?

thank you again

2 Likes

Designing architecture for (hoped for) large commercial sites is beyond the scope of this forum. Or, at least beyond the scope of what I wish to help with.

I thought this was a rare exception to a well-established system. If it is just the first of many such customers I think you have much to consider.

You should review the topic below. Perhaps others will comment about using Apache for large integrations or offer other ideas. Best wishes.

4 Likes

I confused weeby with weebly - LOL

4 Likes
