Help with process for expired domain

My domain is: taichipark-masterjoutsunghwa.org
The files for taichipark-masterjoutsunghwa.org are on an addon domain, actually located at hplconsortium.com/taichipark

I ran this command: using instructions from video:


and I am stuck on verification step. After I put the generated files into the .well-known/acme-challenge folder, instead of getting the text back that I should get, I get the actual html of the website.

It produced this output: The verification It shows the html of the website, not the expected text

My web server is (include version): godaddy apache v 2.4.39

The operating system my web server runs on is (include version): linux

My hosting provider, if applicable, is:godaddy

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Yes, cpanel 70.0 (build 51)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): I’m not sure. I couldn’t figure out the certbot directions, so I followed the video above which is using a site called zerosll. I’m not sure whether these are the same or different.

Two reasons are most likely:

a) Either the verification files are put in the wrong place
or
b) Your server is not configured to serve the files with no extensions

To understand which is it, put test.txt file with some text into the same directory where you put the verification files, see if you can access that. If you can, it’s likely (b), in which case create a file without extension in the name and try accessing that. If you could not access test.txt, then it’s likely (a).

In any case, the web server logs might actually help you to figure what’s happening.

Hi @cjrhoads

looks that your configuration can’t work.

Your ip addresses:

Host T IP-Address is auth. ∑ Queries ∑ Timeout
taichipark-masterjoutsunghwa.org A 184.168.131.241 yes 2 0
AAAA yes
www.taichipark-masterjoutsunghwa.org C taichipark-masterjoutsunghwa.org yes 1 0
A 184.168.131.241 yes

The answers of your server:

Domainname Http-Status redirect Sec. G
http://taichipark-masterjoutsunghwa.org/
184.168.131.241 200 0.387 H
http://www.taichipark-masterjoutsunghwa.org/
184.168.131.241 200 0.360 H
https://taichipark-masterjoutsunghwa.org/
184.168.131.241 200 1.940 N
Certificate error: RemoteCertificateNameMismatch
https://www.taichipark-masterjoutsunghwa.org/
184.168.131.241 200 1.583 N
Certificate error: RemoteCertificateNameMismatch
http://taichipark-masterjoutsunghwa.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
184.168.131.241 200 0.373
Visible Content: <!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01//EN” “http://www.w3.org/TR/html4/strict.dtd”> TAICHIPARK-MASTERJOUTSUNGHWA.ORG
http://www.taichipark-masterjoutsunghwa.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
184.168.131.241 200 0.357
Visible Content: <!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01//EN” “http://www.w3.org/TR/html4/strict.dtd”> TAICHIPARK-MASTERJOUTSUNGHWA.ORG

Checking a not existing file in /.well-known/acme-challenge, a http status 404 - not found is expected, not 200.

And the solution:

Domainname Html-Element name/equiv/ property/rel href/src/content HttpStatus msg Status
https://taichipark-masterjoutsunghwa.org/
184.168.131.241 frame / src http://taichipark.com 1 mixed

That’s a frame redirect, that can’t work.

If you want to create a certificate via http-01 validation, you need access to the webspace with the ip 184.168.131.241.

Looks like this is an automated created redirect, so you can’t create files there.

You can use dns-01 validation to create a certificate. But if you want to install the certificate, you must do it on 184.168.131.241.

Result: Such frame-redirects are incompatible with individual ssl certificates.

1 Like

Thanks for your help. If I understand you correctly, this won’t work because it is a forward (i.e. redirect). You are saying that I must “do it” on 184.168.131.241. The problem is that I don’t know where 184.168.131.241 is coming from or how to get rid of it. My IP address, the one where the website is actually located, is 23.229.140.154. The forwarding domain was transferred in from another account, and it looks like it brought with it a bunch of stuff that used to be true. There is a place in godaddy where it says I can uninstall the expired certificate, but then it warns:
Are you sure that you want to delete the SSL host “taichipark-masterjoutsunghwa.org”? This operation cannot be undone! and that scares me that it will delete the whole website, not just the certificate.

Should I delete the certificate?
Should I enter all the forwarding domains in the domain box of the zerossl.com form? That would be
taichipark.hplconsortium.com
taichipark.com
www.taichipark.com
taichipark-masterjoutsunghwa.org
www.taichipark-masterjoutsunghwa.org
taichipark-masterjoutsunghwa.com
www.taichipark-masterjoutsunghwa.com

Or do I create a different certificate for each one? Or do I only create the certificate on the one and all the rest will automatically be secure? I already have installed (and it appears to be working) the certificate on hplconsortium.com, I just can’t get the certificates to work on the subdomains/addon domains.

Also - does the .well-known/acme-challenge folder go into hplconsortium.com/web/taichipark/
which is the actual location of the files? Or does it go into hplconsortium.com along with the files that I generated from that domain?

Any help you can give me would be most appreciated. I’m out of my element here, and Godaddy has been no help at all. They just want to sell me an expensive SSL service.

Then use that in your dns settings of that domain:

A record ->> 23.229.140.154

1 Like

Again, thanks. I discovered that I had never put in the taichipark.com as an addon domain, so it was forwarding to the 184 IP address. I’ve now fixed that part. taichipark.com is now set to 23.229.140.154.

So, the next part of my question; what do I enter into the box on zerossl in order to get the ssl certificate for the appropriate domain. Is there another way to do this rather than use zerossl? And is zerossl just a different program that does the same thing as the certbot? I am a bit confused.

Also, I just went through the entire process including copying the certificate and key into the appropriate place in my godaddy control panel for another domain, pagodawriters.com. And yet it still says insecure. Is there a time delay for propagation, or should the change be immediate. In which case, what did I do wrong?

Yep, this works ( https://check-your-website.server-daten.de/?q=taichipark.com ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
taichipark.com A 23.229.140.154 yes 2 0
AAAA yes
www.taichipark.com C taichipark.com yes 1 0
A 23.229.140.154 yes

But your other domain has the 184.* address ( https://check-your-website.server-daten.de/?q=taichipark-masterjoutsunghwa.org ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
taichipark-masterjoutsunghwa.org A 184.168.131.241 yes 2 0
AAAA yes
www.taichipark-masterjoutsunghwa.org C taichipark-masterjoutsunghwa.org yes 1 0
A 184.168.131.241 yes

Yes, it’s something like a website-based client. So you have to create every 60 - 85 days a new certificate. If you have your own webspace (with enough rights), use certbot or another local client.

1 Like

Thanks again. You are terrific.
I thought the second domain would fix automatically when I fixed the first domain, but now I know what I must do. I would love to use certbot (and I do have enough rights) but not enough knowledge quite yet. I do not understand the directions, and until I’ve played around enough to understand, I am limited to what the video I found tells me to do. Is there a similar video for using certbot? It probably doesn’t matter, though. I’ll be changing to a hoster that is on your list within the next 30 days, so I will be able to use the cpanel to set it up in the future. Godaddy is not one of the hosters who is working with Let’s Encrypt. (I thought that by buying the Godaddy SSL certificates I would avoid spending the time necessary to learn all this stuff, but they are WAAAYYY too expensive. Plus their technical support has taken a nosedive over the past year and I can’t get an honest complete answer from them, so I’ll be switching to another hoster shortly. I just needed to get this done in the meantime.)

I also figured out why the Pagodawriters.com website didn’t work initially. There were still some http:// references in the code. I’ve changed them all now so that if someone types in https://pagodawriters/com it shows as secure. I tried to modify the .htaccess file to do a redirect as it explains on the web, but I always get server not found when I do that. I suspect it is because pagodawriters.com is an addon domain, and I don’t know how to modify the redirect code so that it will redirect to the appropriate place. This will work for me until I’ve learned more.

In any case, thank you for your help. I’ll be back if I can’t figure out the next part.

CJ

I hate to bother you again, but I’m still working on this. I finally got the SSL to work completely on the taichipark.com domain. But I’m still having trouble with the other one. I’m going to try again and create an addon domain so that the ssl certificate works for both www.taichipark-masterjoutsunghwa.org, taichipark-masterjoutsunghwa.org AND taichipark.com AND www.taichipark.com AND taichipark-masterjoutsunghwa.com AND www.taichipark-masterjoutsunghwa.com

Can I do this in steps - adding one domain at a time, testing it, and then going through the process for a second or third, etc.? Will that cause a problem to go through the process multiple times on the same site?

No need to answer. I did some testing in the meantime and it appears there is no problem with doing this step by step. Thanks.
CJ Rhoads

That domain is ok. But there are no redirects http -> https ( https://check-your-website.server-daten.de/?q=pagodawriters.com )

Domainname Http-Status redirect Sec. G
http://pagodawriters.com/
23.229.140.154 200 0.504 H
http://www.pagodawriters.com/
23.229.140.154 200 0.507 H
https://pagodawriters.com/
23.229.140.154 200 2.653 I
https://www.pagodawriters.com/
23.229.140.154 200 2.307 I

If a users uses the http version, it isn’t secure.

There are some rate limits. Check

If you have different vHosts (one with non-www and www per domain), it’s the easiest if you create one certificate per domain (with two domain names).

1 Like

Hi. The university semester is now over so I can turn my attention back to trying to get SSL on all my addon domains which I started last month. Before I begin, I need to verify something. I’ve read in a different site that it is not possible to install multiple SSL certificates for the same IP address. Since ALL my addon domains resolve to the same IP address, it won’t do me any good to go through and get rid of all references to http in the code if it’s not going to work anyway because there is only 1 IP address.
So is there any barrier to me going in and creating a different ssl certificate for taijiquanenthusiasts.org, pagodawriters.com, opfl.org, syihtq.org, etc (there are 12 of them) just because they all resolve to one IP address and are directed to the addon domain hplconsortium.com/web/addondomainname

Also, since I have so many, would it make sense for me to learn how to install certbot or some other program that will automatically do the renewal? Would I use that for the initial installation too, or just the renewal? It is even possible for me to use certbot? I host on Godaddy and do have SSH access (though I’m not entirely sure how to use it. I am familiar with command line interfaces and have a smattering of linux command knowledge.)

Any help provided would be greatly appreciated.
Thanks
CJ Rhoads

It is possible to use multiple SSL certificates with one ip address. Server Name Indication (SNI)

allows that.

Earlier, it was impossible, Windows 2008 (and XP) doesn’t support SNI, so only one certificate was possible. But (sample) Windows 2012 supports SNI, same other OS versions and browsers.

And you can ignore clients without SNI support. Use https://www.ssllabs.com/ssltest/ to test your domain, then you see if a client supports SNI.

If you use cPanel with a Letsencrypt Addin, you shouldn’t mix cPanel with an own client.

1 Like

Thanks for the quick response. Unfortunately, I have to ask for clarification (please excuse my being a newbie to SSL). I purchased, and installed, a certificate through Godaddy. When I discovered what they wanted to charge for all 12 certificates for my twelve different addon domains, I investigated how to do it myself without paying them. Right now it appears to work for one addon domain, the one you helped me with last month (https://taichipark-masterjoutsunghwa.org/). I didn’t get it to work on pagodawriters yet, nor syihtq, but that’s what I’m working on now.

I give this background because I’m not sure I understand your statement that I shouldn’t mix cPanel with an own client. Are you telling me I shouldn’t be creating my own certificates, that my only choice is to pay Godaddy for each one? Or are you telling me that if I’m using ZeroSSL then I shouldn’t also use certbot? Again, please forgive my ignorance on the terminology. I’m not sure what a Letsencrypt Addin is. Godaddy is not a cooperating host with letsencrypt, so I have to go through and copy in the certificate and the key in order to install the SSL myself.

If you have root access, you should be able to do what you want. So the position of Godaddy

isn’t relevant.

But cPanel has it’s own domain management. So it conflicts if Certbot changes the vHost configuration.

There are cPanel Letsencrypt Addins. But your hoster must install / support these. And cPanel has global options to upload and install certificates. But if you can’t automate that, you have to do that every 60 - 85 days. With 12 domains - puh.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.