How to make one certificate valid for both www.frostjedi.com and frostjedi.com

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: frostjedi.com

I ran this command: idk I ran the command years ago

It produced this output:

My web server is (include version):

Server version: Apache/2.4.41 (Ubuntu)
Server built: 2024-04-10T17:46:26

The operating system my web server runs on is (include version):

Distributor ID: Ubuntu
Description: Ubuntu 20.04.4 LTS
Release: 20.04
Codename: focal

My hosting provider, if applicable, is: digitalocean.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.27.0

When I visit https://frostjedi.com/zzz I get an invalid certificate error. Looks like the certificate that's being served up is just for www.frostjedi.com and not for frostjedi.com.

When I do certbot certificates I see this:

  Certificate Name: frostjedi.com
    Serial Number: 47a3ae5c08a8ade7c03e46b9867517fe1e6
    Key Type: RSA
    Domains: frostjedi.com
    Expiry Date: 2024-08-05 11:20:45+00:00 (VALID: 49 days)
    Certificate Path: /etc/letsencrypt/live/frostjedi.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/frostjedi.com/privkey.pem
  Certificate Name: www.frostjedi.com
    Serial Number: 37990956dd2765c0a09a0ec0b8bcc8ac78f
    Key Type: RSA
    Domains: www.frostjedi.com
    Expiry Date: 2024-08-05 11:21:06+00:00 (VALID: 49 days)
    Certificate Path: /etc/letsencrypt/live/www.frostjedi.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.frostjedi.com/privkey.pem

So it looks like there are separate certs for frostjedi.com and www.frostjedi.com.

If the path exists the redirect happens, e.g. https://frostjedi.com/vex/. It's only for paths that yield error 404 that the redirect doesn't happen.

Here's my sites-enabled/frostjedi.com-le-ssl.conf file:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName frostjedi.com
    ServerAlias www.frostjedi.com
    DocumentRoot /var/www/frostjedi.com

    <Directory /var/www/frostjedi.com>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.frostjedi.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.frostjedi.com/privkey.pem
</VirtualHost>
</IfModule>

Hi @yawnmoth
According to the certbot documentation you can "expand" your certificate to cover both the apex and subdomain like so:
certbot --expand -d frostjedi.com,www.frostjedi.com

Well, by running the command

For both the www and non-www domain.

Looking at the filename and contents of frostjedi.com-le-ssl.conf, you've used the --apache plugin to get (probably) and install (definitely) the certificate into Apache.

You have the two hostnames in the same virtualhost section with a single certificate configured.

Options:

  1. re-issue a single certificate for frostjedi.com as well as www.frostjedi.com and configure that certificate in Apache; or
  2. re-configure Apache so it has two separate virtualhosts for both the hostnames and configure the existing separate certificates as such.

I'd say option 1 is the better choice.

It doesn't look like you have anything fancy going on, so you might be able to simply get the combined certificate using:

certbot --apache --expand -d frostjedi.com -d www.frostjedi.com

Afterwards, please check your Apache configuration. A good idea to double-check your virtualhosts is to run

apachectl -t -D DUMP_VHOSTS

And check there are no doubles.

If Apache is only using your combined certificate, you can delete the left-over certificate with the single hostname by running

certbot delete --cert-name name-of-cert-not-in-use-any-longer
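Added example, not part of the original thread and not certbot or Apache code: a cross-check for the mismatch described above, comparing the names each `<VirtualHost>` serves with the domains on the certificate it points at. It goes slightly beyond the thread by also matching wildcard certificate names. The inputs are the vhost file and `certbot certificates` output from the first post (abridged); the function names are hypothetical.

```python
import re
# Inputs taken from the thread, abridged to the lines that matter here.
VHOST_CONF = """\
<VirtualHost *:443>
    ServerName frostjedi.com
    ServerAlias www.frostjedi.com
    SSLCertificateFile /etc/letsencrypt/live/www.frostjedi.com/fullchain.pem
</VirtualHost>
"""
CERTBOT_OUTPUT = """\
  Certificate Name: frostjedi.com
    Domains: frostjedi.com
    Certificate Path: /etc/letsencrypt/live/frostjedi.com/fullchain.pem
  Certificate Name: www.frostjedi.com
    Domains: www.frostjedi.com
    Certificate Path: /etc/letsencrypt/live/www.frostjedi.com/fullchain.pem
"""

def parse_certbot(text):
    """Map each Certificate Path to the set of domains on that certificate."""
    certs = {}
    for block in re.split(r"^\s*Certificate Name:", text, flags=re.M)[1:]:
        doms = re.search(r"^\s*Domains:\s*(.*)$", block, re.M)
        path = re.search(r"^\s*Certificate Path:\s*(\S+)", block, re.M)
        if doms and path:
            certs[path.group(1)] = set(doms.group(1).lower().split())
    return certs

def parse_vhosts(text):
    """Yield (hostnames, certificate path) for every <VirtualHost> block."""
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", text, re.S | re.I):
        names = []
        for m in re.finditer(r"^\s*Server(?:Name|Alias)\s+(.+)$", block, re.M | re.I):
            names += m.group(1).lower().split()
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", block, re.M | re.I)
        yield names, cert.group(1) if cert else None

def covers(san, host):
    """True if a certificate name matches host; '*.' stands for exactly one label."""
    return host.partition(".")[2] == san[2:] if san.startswith("*.") else san == host

def uncovered_names(vhost_text, certbot_text):
    """Return {certificate path: [names the vhost serves but the certificate lacks]}."""
    certs = parse_certbot(certbot_text)
    report = {}
    for names, path in parse_vhosts(vhost_text):
        missing = [n for n in names if not any(covers(s, n) for s in certs.get(path, ()))]
        if missing:
            report[path] = missing
    return report
```

An empty result from `uncovered_names` means every ServerName and ServerAlias is covered by the certificate that vhost is configured with.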