Https://mydomain.org works but https://www.mydomain.org doesn't

My domain is:
commudaire.org
I ran this command:
certbot certonly --agree-tos -n -m $email --webroot -w /opt/web/mybase/webapps/commudaire.org -d commudaire.org
It produced this output:

My web server is (include version):
Jetty 11
The operating system my web server runs on is (include version):
Debian Buster
My hosting provider, if applicable, is:
Gandi
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.17.0

Hello

https://commudaire.org works as expected but https://www.commudaire.org doesn't work, I get the error SEC_ERROR_REVOKED_CERTIFICATE. I set a redirect rule in my DNS zone but it doesn't help. Do I need to create a certificate supporting both https://commudaire.org and https://www.commudaire.org to make it work? If so, can I use the same web root for https://commudaire.org and https://www.commudaire.org?
certbot certonly --agree-tos -n -m $email --webroot -w /opt/web/mybase/webapps/commudaire.org -d commudaire.org -w /opt/web/mybase/webapps/commudaire.org -d www.commudaire.org

2 Likes

The two sites are being hosted at two different IPs (using two different certs):

Name:    commudaire.org
Address: 80.13.94.99

Name:    webredir.gandi.net
Address: 217.70.184.56
Aliases: www.commudaire.org
4 Likes

https://www.commudaire.org uses a web redirection to https://commudaire.org in the DNS zone, that's why you see webredir.gandi.net. I wanted to simplify my deployment by having a single SSL certificate for https://commudaire.org, am I on the wrong track? Do I need two certificates, i.e. one for the www subdomain and another one for the domain without subdomain?

2 Likes

No, continue.

As long as they are being hosted in separate systems, yes.

The problem is that the "www" site now has a certificate that has been revoked:
SSL Server Test: www.commudaire.org (Powered by Qualys SSL Labs)

3 Likes

What you did for your www.commudaire.org was to make it an alias of Gandi's hosting redirect without indicating your domain name in that path. Gandi is your registrar/hosting provider. You cannot create a cert for them. :slight_smile:
Create a new certificate containing both commudaire.org and www.commudaire.org and use certbot to delete the original cert, or amend your existing cert by adding the www version of your domain. Use 80.13.94.99 as the IP for those.

Last Result: https://check-your-website.server-daten.de/?q=commudaire.org - 2021-07-29 07:38:26
Permalink: https://check-your-website.server-daten.de/?i=ad461d98-19da-4810-a74f-1b5c41e96545

4 Likes

Should I remove the web redirection at least for https in this case?

Is it the right way to create a single SSL certificate including the www version of my domain?
certbot certonly --agree-tos -n -m $email --webroot -w /opt/web/mybase/webapps/commudaire.org -d commudaire.org -w /opt/web/mybase/webapps/commudaire.org -d www.commudaire.org
I'd like to avoid using a wildcard certificate because it seems to be over-complicated for a single subdomain and it would make my script not registrar-agnostic (i.e. the DNS plugins for Certbot are specific to the registrars).

2 Likes

It was (probably?) automatically created by the Gandi system, I could only revoke it in its control panel. I'll ask Gandi to delete it.

2 Likes

I've just found this good example in the documentation:
certbot certonly --webroot -w /var/www/example -d www.example.com -d example.com

It seems to do what I really want, a single web root, a single SSL certificate for the domain alone and the domain with the www subdomain. I'll give it a try as soon as possible.

2 Likes

You would also need to update the DNS records to point only to your new IP.

3 Likes

Do you mean that I have to add an A record for www pointing to my static public IP address?

I plan to remove the CNAME record pointing to webredir.gandi.net and the web redirection as suggested by an employee of Gandi's customer service. I'll manage the redirection and rewriting rules carefully on my own.

2 Likes

I don't know what you have, so I can't say with any certainty.
But I know what I do see - two names returning two different IPs.
HTTP validation will go to the IP resolved.
(without correct redirection) That means you won't be able to validate both IPs from any one single IP.
And I think that is where this fails - the redirection is incompatible with the expected.
http://www.commudaire.org/ redirects to https://commudaire.org/.
Where http://commudaire.org/ is expected.

3 Likes

My zone file looks like this:

@ 86400 IN SOA ns1.gandi.net. hostmaster.gandi.net. 1627509973 10800 3600 604800 10800
@ 10800 IN A 80.13.94.99
@ 10800 IN MX 10 spool.mail.gandi.net.
@ 10800 IN MX 50 fb.mail.gandi.net.
@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all"
_imap._tcp 10800 IN SRV 0 0 0   .
_imaps._tcp 10800 IN SRV 0 1 993 mail.gandi.net.
_pop3._tcp 10800 IN SRV 0 0 0   .
_pop3s._tcp 10800 IN SRV 10 1 995 mail.gandi.net.
_submission._tcp 10800 IN SRV 0 1 465 mail.gandi.net.
gm1._domainkey 10800 IN CNAME gm1.gandimail.net.
gm2._domainkey 10800 IN CNAME gm2.gandimail.net.
gm3._domainkey 10800 IN CNAME gm3.gandimail.net.
webmail 10800 IN CNAME webmail.gandi.net.
www 10800 IN CNAME webredir.gandi.net.

I've just removed the line causing a redirection to the parking page (the last one) and I've added an A record for www. Now, I get an error SSL_ERROR_BAD_CERT_DOMAIN. I need to add www into the single SSL certificate.

1 Like

How can I programmatically get this information? It would help me to indicate to the user of my script that there's a parking page in her/his way.

1 Like

Using any DNS tool.
Like:
dig
or
nslookup

3 Likes
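The check suggested above (resolve both names with a DNS tool and see whether www is parked behind the registrar's redirect host rather than served from the same address as the apex), as an added shell example that is not part of the thread. It classifies `dig +short` style output; the hostnames and addresses are the ones quoted earlier in the thread, the sample lookup outputs are constructed, and the function names (`classify_lookup`, `same_host`, `live_lookup`) are this example's own. Only `live_lookup` needs the `dig` binary and network access.

```shell
#!/bin/sh
# Added example, not from the thread: detect whether a hostname is served
# directly or parked behind a registrar redirect, from "dig +short" output.
# webredir.gandi.net is the parking host seen in the thread; the sample
# outputs below are constructed so the script runs without network access.

PARKING_HOSTS="webredir.gandi.net."

# classify_lookup LOOKUP_OUTPUT
# LOOKUP_OUTPUT is what "dig +short NAME" prints: zero or more CNAME targets
# (which end in a dot), then the final A records, one entry per line.
# Prints one of: parked:<cname>, direct:<ip>, unresolved
classify_lookup() {
    last_cname=""
    last_ip=""
    for entry in $1; do
        case $entry in
            *.) last_cname=$entry ;;   # trailing dot: a CNAME target
            *)  last_ip=$entry ;;      # otherwise an address
        esac
    done
    for parking in $PARKING_HOSTS; do
        if [ "$last_cname" = "$parking" ]; then
            echo "parked:$last_cname"
            return 0
        fi
    done
    if [ -n "$last_ip" ]; then
        echo "direct:$last_ip"
        return 0
    fi
    echo "unresolved"
}

# same_host APEX_RESULT WWW_RESULT
# Succeeds only when both names are served directly from the same address,
# which is what HTTP-01 validation of both names from one web root needs.
same_host() {
    case $1 in direct:*) ;; *) return 1 ;; esac
    case $2 in direct:*) ;; *) return 1 ;; esac
    [ "${1#direct:}" = "${2#direct:}" ]
}

# live_lookup NAME: the same classification against the real resolver.
# Needs the dig binary and network access; not exercised by the samples.
live_lookup() {
    classify_lookup "$(dig +short "$1")"
}

# Constructed samples: the thread's zone before and after the www fix.
APEX_LOOKUP="80.13.94.99"
WWW_PARKED="webredir.gandi.net.
217.70.184.56"
WWW_FIXED="80.13.94.99"

apex=$(classify_lookup "$APEX_LOOKUP")
www_before=$(classify_lookup "$WWW_PARKED")
www_after=$(classify_lookup "$WWW_FIXED")
echo "apex       : $apex"          # direct:80.13.94.99
echo "www before : $www_before"    # parked:webredir.gandi.net.
echo "www after  : $www_after"     # direct:80.13.94.99
if same_host "$apex" "$www_after"; then
    echo "both names are served from one host; one cert with -d for each name will validate"
fi
```

A script that runs before certbot can call `live_lookup` for the apex and the www name and refuse to continue when `same_host` fails, which is exactly the situation this thread ran into: HTTP-01 validation follows the resolved address, so a www name parked at the registrar can never be validated from the apex host.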

I succeeded in revoking the certificate. Then I tried to ask for a new one including www; it failed the very first time because I forgot to modify the virtual host for www. I retried asking for a new certificate but it failed again with the error message "live directory exists for commudaire.org". I deleted /etc/letsencrypt/live/commudaire.org and that helped me get a new certificate, but now the files are stored in subdirectories named "commudaire.org-0001" instead of "commudaire.org", which breaks my script. How can I get back to the previous behaviour without reinstalling everything from scratch?

This is my change in my script, which works as expected:
https://sourceforge.net/p/red-feed-aggregator/code/ci/71ba210fb4554519790c5af872024cc1a32f658f/tree/minimal_self_hosting_setup.sh?diff=24d0a50486be2367e136b3f65fa85613d9cc9425

This is the whole script:
https://sourceforge.net/p/red-feed-aggregator/code/ci/master/tree/minimal_self_hosting_setup.sh

I'd prefer to avoid having to "guess" the subdirectory names. There are some options to force which subdirectories to use, but might they break certbot in my case? I expected it would use commudaire.org instead of commudaire.org-0001.

1 Like

Why revoke?
Revoking wastes LE resources and should only be used when there has been a compromised private key.
You should probably have used: certbot delete

Manually?
Please don't delete files or folder within the /etc/letsencrypt/ path.
There are plenty of commands to instruct certbot to do whatever you need.

Again, you should NOT have tried to "fix" this manually.

You would need to certbot delete any certificates that you don't need.
Then recreate a new cert with both domain names on it and pass it the --cert-name commudaire.org to put the new cert in the path you need.

4 Likes

Yes, I deleted it manually, I made a mistake. When I revoked the certificate with certbot revoke, it asked me whether I wanted to delete it too, I answered yes, but when I asked for a new certificate, I got the error message about "live".

Ok, I'm going to use certbot delete right now and then I'll force the certificate name. Thank you so much for your valuable help.

2 Likes

Before getting the new cert.
And after deleting those you don't need.
Check the output of:
certbot certificates

and make sure the cert-name you want to use isn't still being used.
If so, then you should also delete that one too.

4 Likes
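The "check `certbot certificates` first, delete what collides, then reissue with `--cert-name`" sequence from the last two replies, as an added shell example that is not part of the thread and not certbot's own code. It parses output in the shape `certbot certificates` prints and only prints the commands to run, so it can be reviewed before anything is deleted. The sample output is constructed (the `other.example` lineage and the expiry dates are invented; the `commudaire.org-0001` name and web root are the thread's), and the helper names (`lineage_names`, `lineage_domains`, `lineage_in_use`, `plan_reissue`) are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: parse "certbot certificates" output to
# see whether the lineage name you want (--cert-name) is still in use, then
# print the delete/reissue commands rather than running them. The sample
# output below is constructed; the lineage names and paths are the thread's.

# lineage_names CERTS_OUTPUT: one lineage name per line
lineage_names() {
    printf '%s\n' "$1" | sed -n 's/^ *Certificate Name: *//p'
}

# lineage_domains CERTS_OUTPUT NAME: the "Domains:" list of lineage NAME
lineage_domains() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^ *Certificate Name:/ { cur = $3 }
        /^ *Domains:/ && cur == want { sub(/^ *Domains: */, ""); print; exit }'
}

# lineage_in_use CERTS_OUTPUT NAME: succeeds if a lineage called NAME exists
lineage_in_use() {
    lineage_names "$1" | grep -qxF "$2"
}

# plan_reissue CERTS_OUTPUT NAME WEBROOT DOMAIN...
# Prints "certbot delete" for NAME and for the NAME-0001 style duplicates
# certbot creates when a live directory already exists, then the certonly
# command that pins the new lineage to NAME. Nothing is executed.
plan_reissue() {
    certs=$1; name=$2; webroot=$3; shift 3
    for existing in $(lineage_names "$certs"); do
        case $existing in
            "$name"|"$name"-[0-9][0-9][0-9][0-9])
                echo "certbot delete --cert-name $existing" ;;
        esac
    done
    cmd="certbot certonly --webroot -w $webroot --cert-name $name"
    for domain in "$@"; do
        cmd="$cmd -d $domain"
    done
    echo "$cmd"
}

# Constructed sample in the shape "certbot certificates" prints, mirroring the
# state described in the thread after the failed reissue.
SAMPLE_CERTS='Found the following certs:
  Certificate Name: commudaire.org-0001
    Domains: commudaire.org www.commudaire.org
    Expiry Date: 2021-10-27 12:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/commudaire.org-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/commudaire.org-0001/privkey.pem
  Certificate Name: other.example
    Domains: other.example
    Expiry Date: 2021-10-27 12:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/other.example/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/other.example/privkey.pem'

if lineage_in_use "$SAMPLE_CERTS" commudaire.org; then
    echo "commudaire.org is still a lineage name; delete it first"
else
    echo "commudaire.org is free to use as --cert-name"
fi
plan_reissue "$SAMPLE_CERTS" commudaire.org /opt/web/mybase/webapps/commudaire.org \
    commudaire.org www.commudaire.org
```

On a real host replace `SAMPLE_CERTS` with `$(sudo certbot certificates)`; the printed `certbot delete` lines are the ones to check against the web server's configuration before running them, since deleting a lineage Jetty still references breaks the site until the new one is issued.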

Yes, I asked certbot to delete the old certificate named "commudaire.org" too, it deleted both "commudaire.org" and "commudaire.org-0001" despite displaying the error message "An unexpected error occurred: TypeError: remove: path should be string, bytes or os.PathLike, not NoneType".

It works like a charm now, thank you.

To sum up a bit: I had to get rid of the web redirection because I obviously can't generate a certificate for my registrar; I had to get rid of my registrar's parking page, but without using its web redirection, by removing its CNAME record from my DNS zone file; I had to add my own A record for the subdomain named "www" to replace its parking page; I had to delete my certificate covering only my domain name but not "www"; and finally, I had to modify my virtual host for "www" and ask for a new certificate including my domain name with and without www.

By the way, your suggestions were extremely helpful and made my script more robust :slight_smile: Thanks again. Let's Encrypt rocks.

3 Likes

If you don't mind, I'd like to do you the favor of making sure there are no boggarts in your configuration:

What are the outputs of:

sudo ls -lRa /etc/letsencrypt
sudo certbot certificates

Please put 3 backticks above and below each output, like this:

```
output
```

3 Likes