How to fix www certificate?

fernandoch · November 26, 2017, 10:52pm

Hello,

I am getting this error

www.example.com uses an invalid security certificate.
The certificate is only valid for example.com
Error code: SSL_ERROR_BAD_CERT_DOMAIN

Do I have to issue certificates with and without the www?

Even for subdomains too?

Thanks

razclud · November 26, 2017, 11:30pm

You need to specify both www and non-www and every subdomain you want it installed on. Make sure you specify which version of the www or no www you want first, as I tried to renew one and mistakenly i used -d domain.com twice, instead of one www and one non-www and while using www as primary on your website, 301 redirecting won’t work anymore, for some reason. It gives me and Error code: SSL_ERROR_BAD_CERT_DOMAIN. tried uninstalling it and installing it again and it only works if i don’t use a 301 redirect in my htaccess…strangely

fernandoch · November 27, 2017, 8:54am

In chrome I get the redirect to the domain without www but not in firefox, so I get the error.

Very strange.

MitchellK · November 27, 2017, 9:36am

Have you cleared your cache in Firefox?

fernandoch · November 27, 2017, 10:01am

Yes.

And clearing the cache won’t do a redirect I think.

bytecamp · November 27, 2017, 10:18am

If you’d share the affected domain name instead of “example.com”, we could identify the problem.

fernandoch · November 27, 2017, 10:39am

lodomus.com is the domain. It works on chrome, but not on firefox if I use wwww.lodomus.com

Maybe I need to touch the rewrite rules in apache.

bytecamp · November 27, 2017, 10:50am

No, this is nothing about rewrite rules.
The certificate has only been issued for lodomus.com and does not include www.lodomus.com.
You have to create a certificate for both domain names.

https://crt.sh/?id=261024413

fernandoch · November 27, 2017, 11:21am

OK.

I created a new certificate for the www domain too and now I think I lost the previous certificate.

I just executed this

certbot --apache -d www.lodomus.com

What to do?

fernandoch · November 27, 2017, 11:41am

I still have them both in /etc/letsencrypt/live/

How to enable both? The www and the without www

bytecamp · November 27, 2017, 12:00pm

You should include both domains in one certificate.
E.g: certbot --apache -d lodomus.com,www.lodomus.com

To work around confusion, I would delete the previously created certificates for lodomus.com and www.lodomus.com with the help of the commands certbot certificates (to show which names correspond to which certificate) and then certbot delete --cert-name <name>

fernandoch · November 27, 2017, 12:04pm

I did what you said and now I have this error

root@ns377095:/etc/apache2/sites-available# certbot --apache -d lodomus.com,www.lodomus.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apache2ctl configtest.
Action ‘configtest’ failed.
The Apache error log may have more information.

AH00526: Syntax error on line 11 of /etc/apache2/sites-enabled/lodomus.com-le-ssl.conf:
SSLCertificateFile: file ‘/etc/letsencrypt/live/www.lodomus.com/fullchain.pem’ does not exist or is empty

The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError(“Error while running apache2ctl configtest.\nAction ‘configtest’ failed.\nThe Apache error log may have more information.\n\nAH00526: Syntax error on line 11 of /etc/apache2/sites-enabled/lodomus.com-le-ssl.conf:\nSSLCertificateFile: file ‘/etc/letsencrypt/live/www.lodomus.com/fullchain.pem’ does not exist or is empty\n”,)
root@ns377095:/etc/apache2/sites-available#

bytecamp · November 27, 2017, 12:07pm

Try to rename the file /etc/apache2/sites-enabled/lodomus.com-le-ssl.conf to /etc/apache2/sites-enabled/lodomus.com-le-ssl.conf-dis and then rerun the command.

fernandoch · November 27, 2017, 12:12pm

Now I get this error

root@ns377095:/etc/apache2/sites-available# certbot --apache -d lodomus.com,www.lodomus.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apache2ctl configtest.
Action ‘configtest’ failed.
The Apache error log may have more information.

apache2: Syntax error on line 219 of /etc/apache2/apache2.conf: Could not open configuration file /etc/apache2/sites-enabled/lodomus.com-le-ssl.conf: No such file or directory

The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError(“Error while running apache2ctl configtest.\nAction ‘configtest’ failed.\nThe Apache error log may have more information.\n\napache2: Syntax error on line 219 of /etc/apache2/apache2.conf: Could not open configuration file /etc/apache2/sites-enabled/lodomus.com-le-ssl.conf: No such file or directory\n”,)
root@ns377095:/etc/apache2/sites-available#

fernandoch · November 27, 2017, 12:19pm

OK, I fixed it with this

a2dissite lodomus.com-le-ssl

fernandoch · November 27, 2017, 12:19pm

Then I rerun the command you told me and it worked.

Thanks!

fernandoch · November 27, 2017, 12:23pm

So you always have to create the 2 versions of the certificate?

With the www and without them?

bytecamp · November 27, 2017, 12:29pm

You create one certificate which usually contains your domain name with and without leading www. It is also possible to include other domain names and other sub domains, too. You may include up to 100 names into one certificate.

mje · December 3, 2017, 1:59pm

I only have one name per certificate. It works fine for me. This is a live example with real values. I’m using:
dehydrated --cron --challenge dns-01 --domain dnssec.co.za

It doesn’t matter if you try www.dnssec.co.za or just dnssec.co.za. With or without an http or https, everything redirects to the https entry as “https://dnssec.co.za” - which is what the certificate matches.
I’m using apache for over 100+ virtual websites on the one server (all on the same IPv4 and IPv6 address) - so the “virtual hosts” section for this one domain looks like:

<VirtualHost 196.29.61.1:80>
DocumentRoot /home/www/dnssec.co.za/redir
ServerName dnssec.co.za
ServerAlias www.dnssec.co.za
Redirect / https://dnssec.co.za/
</VirtualHost>

<VirtualHost 196.29.61.1:443>
DocumentRoot /home/www/dnssec.co.za/web/
ServerName dnssec.co.za
ServerAlias www.dnssec.co.za
ServerAdmin webmaster@dnssec.co.za
ErrorLog /home/www/dnssec.co.za/logs/vweb-ssl-error_log
TransferLog /home/www/dnssec.co.za/logs/vweb-ssl-access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /home/www/dnssec.co.za/ssl/dnssec.co.za.crt
SSLCertificateKeyFile /home/www/dnssec.co.za/ssl/dnssec.co.za.key
SSLCertificateChainFile /etc/apache2/ssl/letsencryptchain.pem
SetEnvIf User-Agent “.MSIE.” nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.
</VirtualHost>

<VirtualHost [2001:43f8:790:61::1]:80>
DocumentRoot /home/www/dnssec.co.za/redir
ServerName dnssec.co.za
ServerAlias www.dnssec.co.za
Redirect / https://dnssec.co.za/
</VirtualHost>

<VirtualHost [2001:43f8:790:61::1]:443>
DocumentRoot /home/www/dnssec.co.za/web/
ServerName dnssec.co.za
ServerAlias www.dnssec.co.za
ServerAdmin webmaster@dnssec.co.za
ErrorLog /home/www/dnssec.co.za/logs/vweb-ssl-error_log
TransferLog /home/www/dnssec.co.za/logs/vweb-ssl-access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /home/www/dnssec.co.za/ssl/dnssec.co.za.crt
SSLCertificateKeyFile /home/www/dnssec.co.za/ssl/dnssec.co.za.key
SSLCertificateChainFile /etc/apache2/ssl/letsencryptchain.pem
SetEnvIf User-Agent “.MSIE.” nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>

This is all scripted per domain. I guess the magic lies with the two lines:
ServerName dnssec.co.za
ServerAlias www.dnssec.co.za

jmorahan · December 3, 2017, 2:11pm

That’s not correct, unfortunately. www.dnssec.co.za has an invalid certificate, and if you visit https://www.dnssec.co.za/ you’ll get a certificate error.

Unless, of course, you’re using Chrome, which happens to have some special built-in logic to detect and compensate for this common error.