How to set up an existing SSL certificate on a subdomain (which points to another static IP)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

The main problems I faced are:
(1) I’ve successfully issued an SSL certificate for the main domain (happytoo.app) by following these AWS instructions
(https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress#renew-a-lets-encrypt-certificate-wordpress)

(2) But the problem is setting up the existing SSL certificate on the subdomain (this subdomain points to a different IP address for testing purposes).

  • Should I issue an SSL certificate again for this subdomain by following the AWS Lightsail instructions above?
  • Can I use the same SSL certificate on the subdomain? If so, could you please help me set it up?
  • Alternatively, I’ve tried to set up the subdomain under the Google Domains DNS settings, as in the attached image. Is this the correct way to set up SSL on the subdomain? (I set this up last night; I’m waiting another 24 hours.)


My domain is:
(1) The main domain is https://happytoo.app
(2) However, I have an issue with test.happytoo.app (a subdomain of the above)

I ran this command:

It produced this output:

My web server is (include version): Apache / Ubuntu 16.04

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
Lightsail on AWS

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): not sure about this

I’ve tried to issue a new SSL cert for this subdomain by following the Certbot guideline. However, I also faced an error and failed to issue a new cert. Same issue as this (Error installing cert on Lightsail WordPress instance).

Alternatively, I’m looking for a solution to use the same SSL certificate on this subdomain.


You are using AWS Route53 for your nameservers. You can't use that "Synthetic records" functionality unless you switch back to Google Domains for your nameservers. However, I don't think you want this anyway.

OK, say you have two different servers:

  • 52.62.189.74
  • 13.54.93.43

Which server do you want to issue the test.happytoo.app certificate on?


Hi az,

  1. I didn’t know I used AWS Route53. (I’m a complete beginner, sorry.) Yes, I want to use AWS rather than Google.

  2. Yes, we have 2 different servers.

  • 13.54.93.43 => This one is the live server for the service (AWS) - https://happytoo.app

  • 52.62.189.74 => This one is the test server (Another instance on AWS) - test.happytoo.app

I need a certificate on 52.62.189.74.


In that case, issue a certificate for test.happytoo.app on 52.62.189.74. Treat your two servers and certificates independently from each other.

I assume you have already tried that, and you ran into problems. Is that right?

Are you using Bitnami?


Thank you _az,
I agree with you. I also thought that I needed to issue a new cert for the 2nd server.

  1. Yes, I’ve tried to issue it using the Certbot instructions, but failed with this (https://certbot.eff.org/lets-encrypt/ubuntuxenial-apache).
  • I tried a different approach because I really want auto-renewal.
    (With the live server, I manually renewed the SSL certificate every 3 months, which is quite painful.)
  2. Yes, I’m sure I am using Bitnami.

Quick question. What is that Google Domains (DNS settings) page for? Is it not really useful for me to set up SSL? (I just bought the domain via Google; is that maybe it?)


Yes, I completely agree. The Lightsail guide is not an acceptable way to use Let's Encrypt - you shouldn't use it without automated renewal.

The Bitnami guide is the one I recommend you try to follow.

If you run into issues, post what command you ran and what error messages you got.

When you bought your domain via Google Domains, it came with free DNS hosting, should you choose to use the Google nameservers.

However, you've chosen to use AWS Route53 for DNS hosting, so it's not of any use to you.


Thank you so much _az!

  1. Okay. I will try out the Bitnami guide and hopefully it will be fine.

  2. If I’m successful with the Bitnami guide on the 2nd server, can I re-issue an SSL certificate for the live server as well? (Is that too risky? Should I keep the manual renewal?!)

  3. Just wondering which option is better then? Using Google Domains or just staying with AWS Route53? Or does it not matter?


Doesn't make a huge difference either way. Route53 is more convenient as it integrates more closely with other AWS services (like EC2 and Lightsail), but you won't necessarily notice.

You could probably do it with care, but I'm honestly not sure what's involved in changing from one to the other.


Hey _az,

Thanks very much for your help. I’ve installed an SSL certificate by following the Bitnami instructions
(the first option = Use the Bitnami HTTPS Configuration Tool). This was easier than I thought.

Can I quickly ask you about the auto-renewal? Does it mean that it will automatically renew the certificate by a cron job(?), or should I manually renew it, or should I set up auto-renewal again? :smiley:


My reading of that is that it has already set up a cron job for you, and you can view it by running the quoted command.


Yes, this is very helpful.


Hi _az,

It’s been a while. Hope you are doing well.
I have an issue, and I’d like to ask if you could help me out.

The live domain’s certificate has public key info of RSA 2048 bits (https://happytoo.app).
However, the test subdomain’s certificate has different public key info: EC 384 bits (test.happytoo.app).

This EC 384 key caused an error on an Android 7.0 device (the application can’t get any data via this URL).
So the only solution is to change the public key from EC 384 bits to RSA 2048.

I’ve tried to follow these instructions and generated it, but it’s still not changed.
(https://www.a2hosting.com/kb/security/ssl/generating-a-private-key-and-csr-from-the-command-line)

Could you please help me with how to change the public key on the existing SSL certificate?


How did you create that certificate? Using the Bitnami bncert-tool program?

To change the public key type, you should just generate the certificate again, from scratch.

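After regenerating, the key type of the new certificate should be confirmed before pointing a client at it. The following is an added example (not code from the thread or from Bitnami) that reports "RSA 2048" or "EC 384" for a PEM certificate using openssl; the two self-signed certificates it generates are constructed stand-ins for the live and test hosts, and their names are placeholders.

```shell
#!/bin/sh
# Added example: report the public key algorithm and size of a PEM certificate,
# the check used to tell an RSA 2048 certificate from an EC 384 one.
set -e

# Print "RSA <bits>" or "EC <bits>" for the certificate in file $1.
cert_key_type() {
    openssl x509 -in "$1" -noout -text \
    | awk '
        /Public Key Algorithm: rsaEncryption/  { alg = "RSA" }
        /Public Key Algorithm: id-ecPublicKey/ { alg = "EC" }
        /Public-Key: \([0-9]+ bit\)/ {
            gsub(/[^0-9]/, "", $0); bits = $0   # keep only the digits
        }
        END { print alg, bits }'
}

# Constructed sample certificates (throwaway self-signed keys, placeholder
# names) standing in for the two hosts discussed in the thread.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

openssl genrsa -out "$WORK/rsa.key" 2048 >/dev/null 2>&1
openssl req -x509 -new -key "$WORK/rsa.key" -subj "/CN=live.example.test" \
    -days 1 -out "$WORK/rsa.pem" >/dev/null 2>&1

openssl ecparam -genkey -name secp384r1 -noout -out "$WORK/ec.key"
openssl req -x509 -new -key "$WORK/ec.key" -subj "/CN=test.example.test" \
    -days 1 -out "$WORK/ec.pem" >/dev/null 2>&1

echo "rsa.pem -> $(cert_key_type "$WORK/rsa.pem")"   # RSA 2048
echo "ec.pem  -> $(cert_key_type "$WORK/ec.pem")"    # EC 384
```

To inspect a deployed certificate rather than a local file, save the output of `openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | openssl x509` to a file and pass that file to the function. Recent certbot releases also let the key type be chosen at issuance with `--key-type rsa --rsa-key-size 2048`; whether the Bitnami tool exposes an equivalent option is not stated in the thread.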

Yes, I created the certificate using the Bitnami program at that time.

Can I select a key type if I redo the generation process from scratch?


I’m honestly not sure. I would hope so, because regenerating the certificate is the only way to change the key type.

Might be a question for https://community.bitnami.com/.


No worries at all. Thanks very much for your guide/help.

I will try to research more and update you -)

