Install Lets Encrypt for domain with multiple dots in apache. ubuntu

Hi,

I have been assigned with below task & I want to know if we can proceed with this task or not?
At present for e.g. my one website example.ca. is already running at 1 server and on 2nd server, my other website is running at example.com. Also, SSL certificates are already installed on both of them. Now I want to host another website on my 2nd server with domain name : example.ca.example.com.
So I want to confirm if its possible to install Let's encrypt for domain like this?

My domain is: example.ca.example.com

My web server is (include version): Apache

The operating system my web server runs on is (include version): Ubuntu 20.04.4 LTS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

DNS : Rebel DNS

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.23.0

Yes, it's possible as long as your DNS is configured correctly.

There is a limit on overall length for the FQDN, and each label.

A fully qualified domain name consists of a list of domain labels representing the hierarchy from the lowest relevant level in the DNS to the top-level domain (TLD). The domain labels are concatenated using the full stop “.” character (dot or period) as a separator between labels. The length of each label must be between 1 and 63 octets, and the full domain name is limited to 255 octets, full stops included. Fully qualified domain name - Wikipedia

Thanks for your response.
I created a directory:
mkdir -p /var/www/example.ca.example.com
I then created a configuration file -> example.ca.example.com.conf
Added below parameters:
ServerName : example.ca.example.com
DocumentRoot: /var/www/example.ca.example.com

then I did Apachectl -S -> o/p was ok
systemctl restart apache2
certbot --apache --expand --cert-name example.com -d example.com -d example.ca.example.com

You are updating certificate yellowray.dev to include new domain(s):

• example.ca.example.com
  You are also removing previously included domain(s):
  (None)

Did you intend to make this change?

(U)pdate certificate/(C)ancel: U
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.com/privkey.pem
This certificate expires on 2022-05-24.
Deploying certificate

After installation, I am unable to access my example.ca website hosted on 1 st server, however I am able to access example.ca.example.com & example.com hosted on 2nd server but they are displaying same html file. however the path to root directory was different.
Also, I am able to ping the IP of 2nd server but it is not secure now.
things messed now, can you please suggest how can I access all three websites and also secure my IP address for 2nd server

Did you want a single certificate for both names? The expand option is finicky.

It's time to share them domain names.

I am not sure. Shall I delete the certbot & start over again with
certbot --apache2?

Why delete something and start all over again if you haven't even tried fixing it? Or determine if there is an issue to begin with? (From my point of view that is..)

Haphazardly deleting stuff and starting over can lead you to run into rate limits.

Yes that's true. Is their any way I could host multiple websites at example.ca, example.com, & example.ca.example.com. Although example.ca was running on different server but after installing certificate for example.ca.example.com, I am not able to access my example.ca.

Then you should focus your attention on the webservers configuration file(s). For example, by checking the output of the command:

sudo apachectl -t -D DUMP_VHOSTS

PFA Output:
VirtualHost configuration:
X.X.X.X:443 example.ca.example.com (/etc/apache2/sites-enabled/example.ca.example.com-le-ssl.conf:2)
X.X.X.X:80 example.ca.example.com (/etc/apache2/sites-enabled/example.ca.example.com.conf:1)
127.0.1.1:80 is a NameVirtualHost
default server example.com (/etc/apache2/sites-enabled/example.com.conf:1)
port 80 namevhost example.com (/etc/apache2/sites-enabled/example.com.conf:1)
alias www.example.com
*:443 example.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 example.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:39)

Personally, I'm not a fan of mixing IP based virtualhosts with name based virtualhosts. This can lead to all kinds of unexpected behaviour, probably also the case here.

If you don't require IP based virtualhosts, I recommend to change all the virtualhosts to name based virtualhosts.

This is how my configuration file looks like.. I haven't added any information regarding my IP address. I dont know from where its picking address .

    ServerAdmin webmaster@localhost
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com


    ErrorLog ${APACHE_LOG_DIR}/error_example.com.log
    CustomLog ${APACHE_LOG_DIR}/access_example.com.log combined

    ServerAdmin webmaster@localhost
    ServerName example.ca.example.com
    DocumentRoot /var/www/example.ca.example.com


    ErrorLog ${APACHE_LOG_DIR}/error_example.ca.example.com.log
    CustomLog ${APACHE_LOG_DIR}/access_example.ca.example.com.log combined

Those are usually taken from the <VirtualHost ...:443> part.

I dont find any entry here as well
000-default-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

       

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

ServerName example.com
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.comv/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:80>

  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
</IfModule>

=========================================================================

<IfModule mod_ssl.c>
<VirtualHost example.ca.example.com:443>

        ServerAdmin webmaster@localhost
        ServerName example.ca.example.com

        DocumentRoot /var/www/example.ca.example.com


      ErrorLog ${APACHE_LOG_DIR}/error_example.ca.example.com.log
        CustomLog ${APACHE_LOG_DIR}/access_example.ca.example.com.log combined


SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Here your hostname would be resolved to an IP address by Apache.

Also, having duplicate VirtualHosts for example.com in both example.com.conf as in 000-default-le-ssl.conf is not recommended. For some reason there's also a HTTP virtualhost in 000-default-le-ssl.conf, which is weird.

Thanks for the suggestion.
Yes now I have removed the duplicate virtual host configuration in 000-default-le-ssl.conf & refreshed the apache services but it didn't make any change in current situation.

Did you also change the usage of the hostname in the <VirtualHost> tag to a *?

you mean <VirtualHost *:443> right ?

Yes. And also for the HTTP virtualhost on port 80. Everything using * will make your life more easy regarding Apaches VirtualHosts. (Unless you actually require IP based virtualhosts, but that's unlikely.)

Thank you so much that worked. I am able to access my example.com & example.ca.example.com perfectly fine.
I am also able to access my example.ca via http but ssl certificate is removed. So do i need to re do the ssl certificate on that server?
Addtionally, I am also able to ping my ip of current server but its not secure. is there any way I could make it secure or redirect the traffic from my http:ip to my example.com or example.ca.example.com.

Could also be the HTTP to HTTPS redirect isn't there any more. Please show the output of sudo apachectl -t -D DUMP_VHOSTS again.

How are "ping" and "secure" related? I've never heard of a "secure ping".

In theory, sure. Most easy would be to add a specific redirect recognising your IP address within the "default" HTTP VirtualHost. As Let's Encrypt doesn't offer certificates for IP addresses, you can't secure your IP address as a hostname using a Let's Encrypt certificate though, so HTTPS wouldn't work for your IP address.