How to fix www certificate?

Hello,

I am getting this error

www.example.com uses an invalid security certificate.
The certificate is only valid for example.com
Error code: SSL_ERROR_BAD_CERT_DOMAIN

Do I have to issue certificates with and without the www?

Even for subdomains too?

Thanks

You need to specify both www and non-www and every subdomain you want it installed on. Make sure you specify which version of the www or no www you want first, as I tried to renew one and mistakenly I used -d domain.com twice, instead of one www and one non-www, and while using www as primary on your website, 301 redirecting won’t work anymore, for some reason. It gives me an Error code: SSL_ERROR_BAD_CERT_DOMAIN. I tried uninstalling it and installing it again and it only works if I don’t use a 301 redirect in my htaccess… strangely.

In chrome I get the redirect to the domain without www but not in firefox, so I get the error.

Very strange.


Have you cleared your cache in Firefox?

Yes.

And clearing the cache won’t do a redirect I think.

If you’d share the affected domain name instead of “example.com”, we could identify the problem.

lodomus.com is the domain. It works on Chrome, but not on Firefox if I use www.lodomus.com

Maybe I need to touch the rewrite rules in apache.

No, this is nothing about rewrite rules.
The certificate has only been issued for lodomus.com and does not include www.lodomus.com.
You have to create a certificate for both domain names.

https://crt.sh/?id=261024413

OK.

I created a new certificate for the www domain too and now I think I lost the previous certificate.

I just executed this

certbot --apache -d www.lodomus.com

What to do?

I still have them both in /etc/letsencrypt/live/

How to enable both? The www and the without www

You should include both domains in one certificate.
E.g: certbot --apache -d lodomus.com,www.lodomus.com

To work around confusion, I would delete the previously created certificates for lodomus.com and www.lodomus.com with the help of the commands certbot certificates (to show which names correspond to which certificate) and then certbot delete --cert-name <name>

I did what you said and now I have this error

root@ns377095:/etc/apache2/sites-available# certbot --apache -d lodomus.com,www.lodomus.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 11 of /etc/apache2/sites-enabled/lodomus.com-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/www.lodomus.com/fullchain.pem' does not exist or is empty

The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError("Error while running apache2ctl configtest.\nAction 'configtest' failed.\nThe Apache error log may have more information.\n\nAH00526: Syntax error on line 11 of /etc/apache2/sites-enabled/lodomus.com-le-ssl.conf:\nSSLCertificateFile: file '/etc/letsencrypt/live/www.lodomus.com/fullchain.pem' does not exist or is empty\n",)
root@ns377095:/etc/apache2/sites-available#

Try to rename the file /etc/apache2/sites-enabled/lodomus.com-le-ssl.conf to /etc/apache2/sites-enabled/lodomus.com-le-ssl.conf-dis and then rerun the command.

Now I get this error

root@ns377095:/etc/apache2/sites-available# certbot --apache -d lodomus.com,www.lodomus.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

apache2: Syntax error on line 219 of /etc/apache2/apache2.conf: Could not open configuration file /etc/apache2/sites-enabled/lodomus.com-le-ssl.conf: No such file or directory

The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError("Error while running apache2ctl configtest.\nAction 'configtest' failed.\nThe Apache error log may have more information.\n\napache2: Syntax error on line 219 of /etc/apache2/apache2.conf: Could not open configuration file /etc/apache2/sites-enabled/lodomus.com-le-ssl.conf: No such file or directory\n",)
root@ns377095:/etc/apache2/sites-available#

OK, I fixed it with this

a2dissite lodomus.com-le-ssl

Then I reran the command you told me and it worked.

Thanks!

So you always have to create the 2 versions of the certificate?

With the www and without them?

You create one certificate which usually contains your domain name with and without the leading www. It is also possible to include other domain names and other subdomains, too. You may include up to 100 names in one certificate.
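To make the question answered above ("is the www name covered by the certificate?") checkable, here is an added example that is not from this thread or from certbot: it compares a certificate's Subject Alternative Name list against the apex and www names and reports any that are not covered, which is exactly the condition behind SSL_ERROR_BAD_CERT_DOMAIN. It goes slightly beyond the thread by also handling wildcard entries. The sample cert dicts are constructed, and fetch_peer_cert is a hypothetical helper that does a live lookup only when a domain is passed on the command line.

```python
"""Check that a certificate's Subject Alternative Names cover every hostname a site
answers on (apex and www), the mismatch that produces SSL_ERROR_BAD_CERT_DOMAIN."""
import socket
import ssl
import sys


def san_dns_names(cert):
    """dNSName entries from a cert dict shaped like ssl.SSLSocket.getpeercert() output."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125 style comparison: exact match, or a leftmost '*' label covering one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = hostname.split(".")
        # '*.example.com' covers 'www.example.com' but not 'example.com' or 'a.b.example.com'
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def uncovered_names(cert, hostnames):
    """Hostnames no SAN entry covers; an empty list means the cert is valid for all of them."""
    names = san_dns_names(cert)
    return [h for h in hostnames if not any(name_matches(n, h) for n in names)]


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Hypothetical helper: fetch the leaf cert from a live server. The chain is still
    verified; only the hostname check is disabled so the cert comes back even on mismatch."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample dicts (not real certificates) mirroring the thread: the first
# names only the apex, the second names apex and www in one certificate.
APEX_ONLY_CERT = {"subjectAltName": (("DNS", "lodomus.com"),)}
BOTH_NAMES_CERT = {"subjectAltName": (("DNS", "lodomus.com"), ("DNS", "www.lodomus.com"))}

if __name__ == "__main__":
    apex = sys.argv[1] if len(sys.argv) > 1 else "lodomus.com"
    cert = fetch_peer_cert(apex) if len(sys.argv) > 1 else APEX_ONLY_CERT
    print("not covered:", uncovered_names(cert, [apex, "www." + apex]) or "none")
```

Run it with a domain argument to query a live server; without one it evaluates the constructed apex-only sample and reports www as uncovered.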

I only have one name per certificate. It works fine for me. This is a live example with real values. I’m using:
dehydrated --cron --challenge dns-01 --domain dnssec.co.za

It doesn’t matter if you try www.dnssec.co.za or just dnssec.co.za. With or without an http or https, everything redirects to the https entry as “https://dnssec.co.za” - which is what the certificate matches.
I’m using apache for over 100 virtual websites on the one server (all on the same IPv4 and IPv6 address) - so the “virtual hosts” section for this one domain looks like:

<VirtualHost 196.29.61.1:80>
DocumentRoot /home/www/dnssec.co.za/redir
ServerName dnssec.co.za
ServerAlias www.dnssec.co.za
Redirect / https://dnssec.co.za/
</VirtualHost>

<VirtualHost 196.29.61.1:443>
DocumentRoot /home/www/dnssec.co.za/web/
ServerName dnssec.co.za
ServerAlias www.dnssec.co.za
ServerAdmin webmaster@dnssec.co.za
ErrorLog /home/www/dnssec.co.za/logs/vweb-ssl-error_log
TransferLog /home/www/dnssec.co.za/logs/vweb-ssl-access_log
SSLEngine on
# Note: this legacy cipher string still permits RC4, export-grade, LOW and eNULL (unencrypted) suites.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /home/www/dnssec.co.za/ssl/dnssec.co.za.crt
SSLCertificateKeyFile /home/www/dnssec.co.za/ssl/dnssec.co.za.key
SSLCertificateChainFile /etc/apache2/ssl/letsencryptchain.pem
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>

<VirtualHost [2001:43f8:790:61::1]:80>
DocumentRoot /home/www/dnssec.co.za/redir
ServerName dnssec.co.za
ServerAlias www.dnssec.co.za
Redirect / https://dnssec.co.za/
</VirtualHost>

<VirtualHost [2001:43f8:790:61::1]:443>
DocumentRoot /home/www/dnssec.co.za/web/
ServerName dnssec.co.za
ServerAlias www.dnssec.co.za
ServerAdmin webmaster@dnssec.co.za
ErrorLog /home/www/dnssec.co.za/logs/vweb-ssl-error_log
TransferLog /home/www/dnssec.co.za/logs/vweb-ssl-access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /home/www/dnssec.co.za/ssl/dnssec.co.za.crt
SSLCertificateKeyFile /home/www/dnssec.co.za/ssl/dnssec.co.za.key
SSLCertificateChainFile /etc/apache2/ssl/letsencryptchain.pem
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>

This is all scripted per domain. I guess the magic lies with the two lines:
ServerName dnssec.co.za
ServerAlias www.dnssec.co.za

That’s not correct, unfortunately. www.dnssec.co.za has an invalid certificate, and if you visit https://www.dnssec.co.za/ you’ll get a certificate error.

Unless, of course, you’re using Chrome, which happens to have some special built-in logic to detect and compensate for this common error.