How to add a third Subject Alt Name to my cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: computerserviceswinona.com

I ran this command:

It produced this output:

My web server is (include version): apache 2.4.25

The operating system my web server runs on is (include version): debian 4.9.144-3.1

My hosting provider, if applicable, is: Google Cloud

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.28.0

I currently have two sub alt names: computerserviceswinona.com and www.computerserviceswinona.com.
How can I add a third: fvtt.computerserviceswinona.com?
Also, I have all three of the above names as CNAMES in DNS.

1 Like

Hi @bsoranno and Welcome to the community!
Do you have a vhost configured for http://fvtt.computerserviceswinona.com/ or is the subdomain possibly configured as an alias in your running config?
Please share the output of:

apache2ctl -t -D DUMP_VHOSTS

Also, I notice you should upgrade your version of certbot.
Thanks

6 Likes

Here is the vhosts info:
VirtualHost configuration:
*:80 lamp-1-vm.us-central1-f.c.river-data-228002.internal (/etc/apache2/sites-enabled/csw-ssl.conf:2)
*:443 computerserviceswinona.com (/etc/apache2/sites-enabled/lamp-server.conf:1)
*:30000 fvtt.computerserviceswinona.com (/etc/apache2/sites-enabled/lamp-server.conf:31)

Also, what command do I use to upgrade certbot? apt-get?

Normally, I'd say: Just do what you did before to get the previous cert (again - one more time).
But seeing:

It's difficult to be sure about what you did previously and thus impossible to know for sure if that will work again going forward.
As there is no HTTP vhost config that covers any of the three FQDNs mentioned, I can only assume you may have used --webroot authentication OR you have since manually modified/deleted some of the vhost config file(s).

So...
If FVTT is NOT going to serve the exact same content as the other two, then you must make a separate HTTP vhost config to handle it.
Once you have that config in place, you can then use certbot to obtain a cert for it and have it make the HTTPS vhost config for you (if you don't want to do it yourself).

6 Likes

Here is the virtual host file that has the config for all three:

<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName computerserviceswinona.com
ServerAlias www.computerserviceswinona.com

DocumentRoot /srv/wordpress
<Directory /srv/wordpress>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require all granted
</Directory>

Alias /crm /srv/suitecrm
<Directory /srv/suitecrm>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require all granted
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/computerserviceswinona.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/computerserviceswinona.com/privkey.pem
</VirtualHost>

<VirtualHost *:30000>
ServerAdmin webmaster@localhost
ServerName fvtt.computerserviceswinona.com
# ServerAlias www.computerserviceswinona.com

ProxyPass "/" "http://127.0.0.1:30000/"
ProxyPassReverse "/" "http://127.0.0.1:30000/"

ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined

# Include /etc/letsencrypt/options-ssl-apache.conf
# SSLCertificateFile /etc/letsencrypt/live/computerserviceswinona.com/fullchain.pem
# SSLCertificateKeyFile /etc/letsencrypt/live/computerserviceswinona.com/privkey.pem
</VirtualHost>

fvtt serves different content than the other two. The code base for it listens on port 30000.

Certbot via SNAPD

3 Likes

Your vhost config shown is NOT for HTTP (port 80).
ACME requires port 80 for HTTP authentication.

4 Likes
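
The point the replies make (no port-80 vhost covers any of the three names, and HTTP authentication needs port 80) can be checked from the `apache2ctl -t -D DUMP_VHOSTS` output before requesting the expanded certificate. The Python below is an added example, not code from any poster or from certbot; `FIXED_DUMP` and its `http.conf` path are constructed, and the parser assumes the two output layouts shown in its comments.

```python
import re

# "*:443  name (/path/file.conf:1)": the only vhost on that address:port
SINGLE = re.compile(r"^\S+:(\d+)\s+(\S+)\s+\(.+:\d+\)\s*$")
# "   port 80 namevhost name (/path/file.conf:1)": one of several name-based vhosts
NAMEVHOST = re.compile(r"^\s+port (\d+) namevhost (\S+)\s+\(.+:\d+\)\s*$")
# "   alias www.example.com": a ServerAlias of the namevhost entry above it
ALIAS = re.compile(r"^\s+(?:wild )?alias (\S+)\s*$")

def names_by_port(dump):
    """Map port -> set of host names printed in DUMP_VHOSTS output."""
    ports, current = {}, None
    for line in dump.splitlines():
        m = SINGLE.match(line) or NAMEVHOST.match(line)
        if m:
            current = int(m.group(1))
            ports.setdefault(current, set()).add(m.group(2).lower())
            continue
        a = ALIAS.match(line)
        if a and current is not None:
            ports[current].add(a.group(1).lower())
    return ports

def missing_http_vhost(dump, wanted):
    """Names in `wanted` that no port-80 vhost claims, in the order given."""
    on_80 = names_by_port(dump).get(80, set())
    return [name for name in wanted if name.lower() not in on_80]

WANTED = ["computerserviceswinona.com", "www.computerserviceswinona.com",
          "fvtt.computerserviceswinona.com"]
# Output as posted in the thread.
THREAD_DUMP = """\
VirtualHost configuration:
*:80 lamp-1-vm.us-central1-f.c.river-data-228002.internal (/etc/apache2/sites-enabled/csw-ssl.conf:2)
*:443 computerserviceswinona.com (/etc/apache2/sites-enabled/lamp-server.conf:1)
*:30000 fvtt.computerserviceswinona.com (/etc/apache2/sites-enabled/lamp-server.conf:31)
"""
# Constructed sample: the same server once port-80 vhosts exist (http.conf is hypothetical).
FIXED_DUMP = """\
*:80                   is a NameVirtualHost
         default server computerserviceswinona.com (/etc/apache2/sites-enabled/http.conf:1)
         port 80 namevhost computerserviceswinona.com (/etc/apache2/sites-enabled/http.conf:1)
                 alias www.computerserviceswinona.com
         port 80 namevhost fvtt.computerserviceswinona.com (/etc/apache2/sites-enabled/http.conf:12)
*:443                  computerserviceswinona.com (/etc/apache2/sites-enabled/lamp-server.conf:1)
"""

if __name__ == "__main__":
    print(missing_http_vhost(THREAD_DUMP, WANTED), missing_http_vhost(FIXED_DUMP, WANTED))
```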
