How come only part of my site is secure?

I once again ask you genius Let's Encrypt people a question that confuses me. How come only part of my website is secure?

I got a message a few days ago saying to renew my encryption, and that it would expire soon if not. I did so on mathtutortime.com as well as www.mathtutortime.com. My site is encrypted. However, I noticed that a part of my site is not.

If I go to mathtutortime.com/account/get_tutoring/done_correct, the site is magically not encrypted. Even though it's the same domain. Thanks for any thoughts.

2 Likes

Hi @rickster26ter,

Looking at

you had a single certificate issued on September 13 that covers both mathtutortime.com and www.mathtutortime.com. The renewal message that you got for Let's Encrypt probably related to a certificate that was just for mathtutortime.com (because the renewal messages are sent if you ever have any expiring certificate for which a 1-1 name match replacement wasn't issued; there's a note in the renewal e-mail itself explaining this).

Yesterday you issued separate certificates just for www.mathtutortime.com and mathtutortime.com (two of each). Currently, your site is only using the new www.mathtutortime.com certificate, even when accessed as mathtutortime.com—hence the error.

You should issue a single new certificate for both names (following the September 13 certificate example) and use that, and then ignore future warnings about the expiry of certificates that you no longer use. Alternatively, you can use the new separate certificates you have, if you update the virtual host configuration on your server to properly refer to both of them.

2 Likes
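The name mismatch described in the reply above, as an added example that is not part of the original thread: a Python check of whether a certificate's DNS SAN entries cover every hostname the site answers on. The function names and the SAN lists are assumptions constructed to model the thread; `check_live` needs network access and does the same comparison against the certificate a server actually presents.

```python
import socket
import ssl

def san_matches(pattern, host):
    """Match one DNS SAN entry against a hostname (left-most-label wildcard only)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        # "*.example.com" covers exactly one extra label, never the bare domain
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return False

def uncovered(hosts, dns_sans):
    """Return the hostnames that no SAN entry on the certificate covers."""
    return [h for h in hosts if not any(san_matches(p, h) for p in dns_sans)]

def served_dns_sans(host, port=443, timeout=5.0):
    """Fetch the DNS SANs of the certificate the server presents for this SNI name."""
    ctx = ssl.create_default_context()
    # The chain is still verified; name matching is done by uncovered() so that
    # a mismatch is reported instead of aborting the handshake.
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def check_live(hosts):
    """Map each hostname to True if the certificate served for it covers it."""
    return {h: not uncovered([h], served_dns_sans(h)) for h in hosts}

NAMES = ["mathtutortime.com", "www.mathtutortime.com"]
# Constructed SAN lists modelling the thread, not fetched certificate data
WWW_ONLY = ["www.mathtutortime.com"]
COMBINED = ["mathtutortime.com", "www.mathtutortime.com"]

if __name__ == "__main__":
    print("www-only cert leaves uncovered:", uncovered(NAMES, WWW_ONLY))
    print("combined cert leaves uncovered:", uncovered(NAMES, COMBINED))
```

Running `check_live(NAMES)` after a configuration change shows, per hostname, whether the virtual host that answers it is serving a certificate that includes that name.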

You are totally right. I saw evidence of what you are saying. However, when I looked at my server information, it was defaulting to the www. domain even if it wasn't typed. I then refreshed my history, and now it is working as expected...huh. Well, it works now. Thank you so much!

2 Likes

Hmmm, I don't think your site as a whole is working the way you want yet: the example you gave, https://mathtutortime.com/account/get_tutoring/done_correct, still returns a certificate error.

2 Likes

Darn, you're right. It was just cookies or history messing with me; I only removed history for an hour. I still see it, yeah. Looks like I'll have to take a look at why my server doesn't like this directory. If I go to other directories without the www., it defaults to having the www., but not this directory. Thank you.

3 Likes

I think you're talking about server redirects, where the server asks the browser to switch to an alternative URL for a page. But if so, that isn't sufficient to fix this problem because the redirect itself won't be accepted by the browser unless it's delivered inside a connection with a valid certificate.

3 Likes

OK, I see. Can you refer me to where I can find the September 13 example you are talking about? If I type certbot certificates, I have 2 mathtutortime.com certificates for some reason, and 1 www.mathtutortime.com certificate, all active. I would like to have 1 certificate for both names.

2 Likes

Sorry, there's even a November 13 example that would work

Did you request that certificate by hand yourself? If not, you may have had an automation process that was working properly until you replaced the certificates this way.

3 Likes

Thanks, man. I actually just needed your info on how to certify both sites on the same certificate, but I found your response in another thread that helped me do just that. Works now, thanks again!

1 Like
