I added three wildcard subdomains to the same server IP and tried to add SSL. It worked for a few hours, but after that it stopped again and is giving a connection error. So please help me.

OK thanks I will let you know.

Hi, I am getting the issue again.
The subdomains pasa.skop.es and cp2.skop.es are both not working. rcsa.skop.es is working.
I ran the command for applying SSL for all three of these subdomains.

So now SSL is not working for two subdomains. Please check the issue and let me know your reply.

OK, that’s pretty strange!

Could you make a new backup of /etc/apache2 with

sudo tar -czvf /tmp/broken-apache-configuration.tar.gz /etc/apache2

and then send me the apache-configuration.tar.gz and broken-apache-configuration.tar.gz by e-mail using my forum username @eff.org?


Hi

How are you? Yes, I am sending you both tar files. Please refer to the URLs below to download and see the tar files -
http://rtracsystem.com/screens/broken-apache-configuration.tar.gz
http://rtracsystem.com/screens/last-apache-configuration.tar.gz

So please check it and let me know the solution. I am waiting for your reply.

Are you there? Please reply to me about the issue.

Please reply to me, I am waiting for it. I shall be very thankful to you.

I tried to recreate the SSL cert for pasa.skop.es
But I got the below error now -
Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: pasa.skop.es: see https://letsencrypt.org/docs/rate-limits/

I ran the below command again -
certbot --apache -d pasa.skop.es
It installed and now SSL is working, but later on it will have the same issue.

Please help me to fix the issue, as I have been facing it for a couple of days. Please tell me how I can fix it.

Hi @ervivekmahajan,

I’m in a meeting, but I’ll look at your configuration afterward to see if I can understand what’s happening.

OK thanks I will wait

Also see the error below -
https://www.sslshopper.com/ssl-checker.html#hostname=https://rcsa.skop.es/

I found one more thing: the issue is in the hostname. I got the below error -
Hostname Doesn’t Match in SSL certificate

It’s clear that the problem is a certificate mismatch. The question is what changed on your system to switch what certificate your system was using.

OK, thanks for the reply. So please let me know what the issue may be.

Did you check both config files, meaning the last one and the current broken one?

Our backup approach has helped to diagnose the problem. There was exactly one change in the Apache configuration, and it’s responsible for the certificate error:

--- last/etc/apache2/sites-available/lite.skop.es-le-ssl.conf	2018-04-06 12:18:20.000000000 -0700
+++ broken/etc/apache2/sites-available/lite.skop.es-le-ssl.conf	2018-04-07 08:03:48.000000000 -0700
@@ -76,8 +76,8 @@
 # RewriteCond %{SERVER_NAME} =lite.skop.es [OR]
 # RewriteCond %{SERVER_NAME} =http://lite.skop.es
 # RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
-SSLCertificateFile /etc/letsencrypt/live/pasa.skop.es/fullchain.pem
-SSLCertificateKeyFile /etc/letsencrypt/live/pasa.skop.es/privkey.pem
+SSLCertificateFile /etc/letsencrypt/live/rcsa.skop.es/fullchain.pem
+SSLCertificateKeyFile /etc/letsencrypt/live/rcsa.skop.es/privkey.pem
 Include /etc/letsencrypt/options-ssl-apache.conf
 </VirtualHost>
 </IfModule>
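
Review bot: The SSLCertificateFile and SSLCertificateKeyFile lines changed here sit in lite.skop.es-le-ssl.conf, yet both the old paths (live/pasa.skop.es) and the new ones (live/rcsa.skop.es) point at a lineage named for a different hostname than the file's own, so swapping one for the other only moves the hostname mismatch to another name. I would point both directives at a single lineage whose certificate lists every hostname this virtual host answers for, and compare that list against the ServerName and ServerAlias values of the vhost before reloading Apache. The RewriteCond and RewriteRule lines just above are commented out; it is worth confirming that is intended.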

If you change this file back, it should work again.

  • Is this the correct virtual host where this certificate ought to be configured?
  • Do you have any idea what software or person might have made this change and why?

Yes, it is the correct server and no one changed it. Could you please let me know which file you have shown above? The above file name seems to be lite.skop.es-le-ssl.conf, and it is a different one from pasa.

One thing I want to discuss with you is that we added SSL for two other subdomains, lite.skop.es and console.skop.es. For these 2 subdomains, a -ssl.conf file exists, meaning lite.skop.es-le-ssl.conf and console.skop.es-le-ssl.conf.
But for pasa.skop.es, rcsa.skop.es and cp2.skop.es there are no such files. So is this the reason or not?

Schoen asked me to take a look at this.

What I think is going on here is you have a single virtual host in /etc/apache2/sites-available/lite.skop.es-le-ssl.conf that is serving pasa.skop.es and rcsa.skop.es (and maybe cp2.skop.es). This is because you have no other virtual hosts for these domains listening on port 443 and you have ServerAlias *.skop.es in your configuration file.

When you run certbot --apache -d subdomain.skop.es, you are asking Certbot to install a cert containing only the name subdomain.skop.es into the virtual host for that domain. Since this virtual host is shared between at least two domains when you do this, you are removing the existing certificate in the virtual host and replacing it with the one for subdomain.skop.es.

I have a few solutions for you depending on your preferences, but I listed them in order of most to least recommended.

  1. If you are fine having multiple names in a single certificate and you don’t need your server to work for arbitrary subdomains like abc.skop.es, you should include multiple domains on the command line. For example, if the two domains you’re having trouble with are pasa.skop.es and rcsa.skop.es, you should run sudo certbot --apache -d pasa.skop.es,rcsa.skop.es.
  2. If you don’t want multiple names in a single certificate and you don’t need your server to work for arbitrary subdomains like abc.skop.es, you should delete the line ServerAlias *.skop.es from your Apache configuration and run both sudo certbot --apache -d pasa.skop.es and sudo certbot --apache -d rcsa.skop.es again.
  3. If you need your server to work for arbitrary subdomains, you’ll need to obtain a wildcard certificate. It is strongly recommended not to do this unless you need it, which, based on the information I have, I don’t think you do.

I hope this helps!
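
The shared-virtual-host situation described in the reply above, as an added example that is not part of the original thread and not Certbot's or Apache's own code: it parses the port-443 virtual hosts, resolves which one answers for each hostname, and reports certificates that end up shared. The function names, the console.skop.es certificate path and the simplified matching rule (first vhost whose name or alias matches, otherwise the first vhost) are assumptions.

```python
import re
from fnmatch import fnmatch

# Constructed sample modelled on the thread. Only the lite.skop.es vhost, its
# ServerAlias *.skop.es and the rcsa.skop.es certificate path come from the page.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName console.skop.es
    SSLCertificateFile /etc/letsencrypt/live/console.skop.es/fullchain.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName lite.skop.es
    ServerAlias *.skop.es
    SSLCertificateFile /etc/letsencrypt/live/rcsa.skop.es/fullchain.pem
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return the :443 vhosts in file order with their names and certificate."""
    vhosts = []
    for addr, body in re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S | re.I):
        if not addr.strip().endswith(":443"):
            continue
        names, cert = [], None
        for line in body.splitlines():
            parts = line.split("#", 1)[0].split()  # drop comments, split directive
            key = parts[0].lower() if parts else ""
            if key in ("servername", "serveralias"):
                names += [p.lower() for p in parts[1:]]
            elif key == "sslcertificatefile" and len(parts) > 1:
                cert = parts[1]
        vhosts.append({"names": names, "cert": cert})
    return vhosts

def serving_vhost(vhosts, host):
    """Assumed simplified matching: first vhost with a matching name/alias, else the first vhost."""
    for v in vhosts:
        if any(fnmatch(host.lower(), n) for n in v["names"]):
            return v
    return vhosts[0] if vhosts else None

def shared_certificates(conf, hosts):
    """Map each certificate file to the hostnames served with it; keep only shared ones."""
    vhosts, by_cert = parse_vhosts(conf), {}
    for h in hosts:
        v = serving_vhost(vhosts, h)
        if v:
            by_cert.setdefault(v["cert"], []).append(h)
    return {cert: hs for cert, hs in by_cert.items() if len(hs) > 1}
```

Calling `shared_certificates(SAMPLE_CONF, ["pasa.skop.es", "rcsa.skop.es", "cp2.skop.es"])` shows all three names landing on the one certificate configured in the wildcard-alias vhost, which is why installing a single-name certificate for one of them breaks the others.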