I used a certificate from Let's Encrypt, but for some reason cworklog.com is giving me cert warnings unless I go to www.cworklog.com, for example cworklog.com/quiz. How do I fix this?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
cworklog.com

1 Like

Hi @relipse

You have created the wrong certificate; see https://check-your-website.server-daten.de/?q=cworklog.com#certificates

Your certificate:

CN=www.cworklog.com | 08.04.2021 | 07.07.2021 | expires in 67 days | www.cworklog.com - 1 entry

There is no non-www version, so your non-www version is insecure.

Create one certificate with both domain names and use that instead.

1 Like

That certificate already exists:

https://crt.sh/?id=4345852315

It's just not used currently.

1 Like

How do I create one cert with both domains or how do I use the one that currently exists rather?
I am on debian 10 buster

1 Like

You don't need to create one, you already have one.

1 Like

How do I use it then?

1 Like

I don't know, because I don't know which software you're using, how you got your certificates in the first place et cetera et cetera.

You have deleted most of the questions from the questionnaire. Therefore, you've left us with a guessing game.

1 Like

I am on Debian 10 buster.

That's way not enough information. Please answer the other questions from the questionnaire as well:

I ran this command to get the certificate(s):

It produced this output:

My web server is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2 Likes

I ran this command to get the certificate(s):
(I can't remember exactly, but I think it was:)
sudo certbot --apache -d www.cworklog.com --post-hook "/usr/sbin/service apache2 restart"

It produced this output:
I am afraid to run it again lest I mess something up.
My web server is (include version):
13:28 /home/deploy $ /usr/sbin/apache2 -v
Server version: Apache/2.4.38 (Debian)
Server built: 2020-08-25T20:08:29

My hosting provider, if applicable, is:
Linode
I can login to a root shell on my machine (yes or no, or I don't know):
Yes I have root access to the shell.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no, just root access

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

2 Likes

Thanks for reposting the questions

2 Likes

Read your command:

There is one domain name, not two.

1 Like

Awesome, I read the -h and used comma separated domain names and it said an existing cert existed and I reinstalled that.

I think it's working.

2 Likes

Yep, now that certificate

CN=cworklog.com | 08.04.2021 | 07.07.2021 | expires in 67 days | cworklog.com, hopewidells.com, sharpmailer.us, www.cworklog.com, www.hopewidells.com, www.sharpmailer.us - 6 entries

is used, so both connections are secure.

Now you can fix some other things (two http status 200, no preferred version www or non-www).

2 Likes
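The two check results quoted in this thread differ only in which names the certificate lists, and that alone decides whether a browser warns. The following is an added example, not code from any poster or from Let's Encrypt: it matches requested hostnames against the two name lists copied from the posts above. The function names are hypothetical, and the wildcard branch goes beyond the thread's case to show that a wildcard would not cover the bare domain either.

```python
# Added example: hostname-to-SAN matching in the style browsers apply.
# The two name lists are copied from the check results quoted in the thread.

WWW_ONLY_CERT = ["www.cworklog.com"]
SIX_NAME_CERT = [
    "cworklog.com", "hopewidells.com", "sharpmailer.us",
    "www.cworklog.com", "www.hopewidells.com", "www.sharpmailer.us",
]


def san_matches(san: str, host: str) -> bool:
    """Return True if one DNS name entry covers the requested host."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        # www.example.com never covers example.com, and vice versa.
        return False
    if san_labels[0] == "*":
        # A wildcard stands for exactly one left-most label and must sit
        # in front of at least two further labels.
        return len(san_labels) > 2 and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def covered(sans, host):
    """True if any entry in the certificate's name list covers the host."""
    return any(san_matches(s, host) for s in sans)


def uncovered_hosts(sans, hosts):
    """Hosts a browser would warn about if the server presented this cert."""
    return [h for h in hosts if not covered(sans, h)]


if __name__ == "__main__":
    served = ["cworklog.com", "www.cworklog.com"]
    print("www-only cert misses:", uncovered_hosts(WWW_ONLY_CERT, served))
    print("six-name cert misses:", uncovered_hosts(SIX_NAME_CERT, served))
```
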

How do I fix the stuff that you mentioned?

1 Like

Welcome to the Let's Encrypt Community, James 🙂

Glad you got your certificate working! What JuergenAuer is recommending is what's known as a "canonical name", which ensures singular URL addressing for your website and helps with SEO.

I recommend starting by choosing either non-www (aka naked) or www, then looking at your VirtualHost configuration for Apache:

sudo apachectl -S


As a side note, this is probably not the best certbot command for you:

sudo certbot --apache -d "cworklog.com,www.cworklog.com" --post-hook "/usr/sbin/service apache2 restart"

Since you're using both the apache authenticator and installer, the installer will reload apache for you when the authenticator successfully acquires/renews your certificate. Therefore you don't need to restart it with a hook. Moreover, the post hook will run EVERY time a renewal attempt is made, even if your certificate is not actually renewed (due to not being close to expiry). The deploy hook is more appropriate, but still not necessary here.

You would also want to gracefully reload apache to prevent downtime rather than doing a hard restart:

sudo apachectl -k graceful

This is a better certbot command for you:

sudo certbot --apache -d "cworklog.com,www.cworklog.com"

Read the output of your check result. There is your complete answer.
