I am having an issue: I am now unable to assign SSL to my subdomains. All subdomains are pointed to the server by its IP, but it is still not working.

Please refer below my details -
A) My domain is: pasa.skop.es, rts.skop.es, rdb.skop.es

B) I ran this command:
I tried two methods -

First I just ran the command - certbot --apache -d <sub domain name>
This installed the SSL and I was able to see https. But after a few hours it stopped. Now it is not working after running the above command.

C) It produced this output: I got no issue while assigning SSL to the domain.

D) My web server is (include version): Dedicated Linux Vultr DO server

E) The operating system my web server runs on is (include version): Ubuntu

F) My hosting provider, if applicable, is: Vultr DO

G) I can login to a root shell on my machine (yes or no, or I don’t know): Yes I can run in my SSH

H) I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No I have only my SSH access and handle everything from there.

So please check my comments and help me to fix.

All those domains now seem to be returning a certificate for seilevel.skop.es. I guess maybe your Apache is misconfigured somehow and is returning that certificate for the wrong domains? If you share the Apache configuration for the relevant domains we may be able to figure out why. Also apachectl -S often provides useful information in situations like this.

Hi Thanks for the reply.
http://console.skop.es/new-apache-configuration.tar.gz
I sent you the Apache configuration. So now I am unable to add SSL, so I think you are right. Could you please tell me what Apache configuration is missing or wrong, so I can fix it? I will wait for your reply.

Ok so you have no <VirtualHost *:443> section with a ServerName or ServerAlias for two of those three names (rts.skop.es, rdb.skop.es), so instead they’re being picked up by the ServerAlias *.skop.es on line 50 of /etc/apache2/sites-enabled/lite.skop.es-le-ssl.conf. That virtual host specifies a certificate and key from /etc/letsencrypt/live/seilevel.skop.es/ so I guess that’s where the wrong certificate is coming from.

You need to define a <VirtualHost *:443> for each of those domains. certbot --apache should have done this automatically for you, but since it apparently didn’t, you can create the files yourself by copying the <VirtualHost *:80> versions, change 80 to 443, add <IfModule mod_ssl.c> at the top and </IfModule> at the bottom, and replace the rewrite stuff near the end with the SSL directives which you can copy from one of the other *-le-ssl.conf files and change the certificate and key locations to the correct ones for those subdomains.

The third subdomain, pasa.skop.es does have a matching virtual host on port 443. However because the *.skop.es virtual host is in a file that comes before it in alphabetical order, and its wildcard ServerAlias also matches pasa.skop.es, that takes precedence over the correct one and serves the wrong certificate (and presumably also the wrong content). So you need to correct that. I’d suggest taking that second VirtualHost definition out of lite.skop.es-le-ssl.conf and putting it in another file - either something like seilevel.skop.es-le-ssl.conf if it’s meant to be for the subdomain that’s in its certificate (in which case you should also change the ServerName to that name and remove the ServerAlias), or if you really want it to be an any-subdomain fallback, put it in a file with a name beginning with z or something so it comes last. You might also need to get a wildcard certificate in that case though.

Fixing that might even make certbot --apache work correctly again, I dunno. Might be worth a try.

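The precedence described in the reply above can be checked offline. This is an added example, not part of the thread: the file contents are constructed stand-ins (only the file name, the `*.skop.es` alias and the certificate directory come from the reply), `fallback.example` is a placeholder ServerName, and `fnmatch` approximates Apache's wildcard matching.

```python
import re
from fnmatch import fnmatchcase
SITES = {  # constructed stand-ins for files in /etc/apache2/sites-enabled/
    "lite.skop.es-le-ssl.conf": """
<VirtualHost *:443>
    ServerName lite.skop.es
    SSLCertificateFile /etc/letsencrypt/live/lite.skop.es/fullchain.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName fallback.example
    ServerAlias *.skop.es
    SSLCertificateFile /etc/letsencrypt/live/seilevel.skop.es/fullchain.pem
</VirtualHost>
""",
    "pasa.skop.es-le-ssl.conf": """
<VirtualHost *:443>
    ServerName pasa.skop.es
    SSLCertificateFile /etc/letsencrypt/live/pasa.skop.es/fullchain.pem
</VirtualHost>
""",
}
VHOST_RE = re.compile(r"<VirtualHost\s+[^>]*:443\s*>(.*?)</VirtualHost>", re.S | re.I)

def load_vhosts(sites):
    """Port-443 vhosts in the order Apache reads them: files by name, blocks top to bottom."""
    vhosts = []
    for fname in sorted(sites):
        for body in VHOST_RE.findall(sites[fname]):
            lines = re.findall(r"^\s*Server(?:Name|Alias)\s+(.+)$", body, re.M | re.I)
            cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M | re.I)
            vhosts.append({"file": fname, "cert": cert.group(1) if cert else None,
                           "names": [n.lower() for ln in lines for n in ln.split()]})
    return vhosts

def resolve(vhosts, host):
    """First vhost with a matching ServerName/ServerAlias wins; else the first vhost is the default."""
    for vh in vhosts:
        if any(fnmatchcase(host.lower(), pat) for pat in vh["names"]):
            return vh
    return vhosts[0]

def shadowed(vhosts, host):
    """True when some vhost names `host` exactly but a different, earlier one is selected."""
    chosen = resolve(vhosts, host)
    return any(host.lower() in vh["names"] and vh is not chosen for vh in vhosts)

if __name__ == "__main__":
    vhosts = load_vhosts(SITES)
    for h in ("pasa.skop.es", "rts.skop.es", "rdb.skop.es"):
        print(h, "->", resolve(vhosts, h)["cert"], "(shadowed)" if shadowed(vhosts, h) else "")
```

On a live server, `apachectl -S` shows the real vhost order to compare against.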
Hi, thanks for the great suggestion. Yes, it is working fine now after deleting the entry from the lite.skop.es-le-ssl.conf file.

Thanks again. Now I am able to add SSL… I will check that it keeps working for the next couple of days and will ask if there is any issue.
