Issues with SSL on main domain

Standard form:
My domain is: tmccraft.com

I ran this command: certbot --apache -d tmccraft.com -d panel.tmccraft.com

It produced this output:
Congratulations! You have successfully enabled https://tmccraft.com and
https://panel.tmccraft.com

My web server is (include version): Apache/2.4.29

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: https://feroxhosting.nl/

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): -

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Hello everyone! I seem to have some issues getting SSL to work correctly at my domain tmccraft.com; I get the error. It's probably some dumb thing that I do wrong, I'm not really that experienced when it comes to all the Linux/webserver stuff.

My situation is as follows. I recently bought a VPS with its main purpose being to run a small Minecraft server network. For that I use Multicraft as my control panel, which is accessible through panel.tmccraft.com. To install it all I used the following guide: "https://www.heyvaldemar.com/installing-multicraft-on-ubuntu-server/". Now that worked great, SSL worked fine on the subdomain panel.tmccraft.com, as it still does, as you can see for yourself. So now I also wanted to have a website for the server, so I followed the following guide to install a WordPress site: How To Install WordPress with LAMP on Ubuntu 18.04 | DigitalOcean
However, now I ran into an issue: NET::ERR_CERT_COMMON_NAME_INVALID. For some reason this time it didn't work. Now I tried some different things to see if I could fix it, like merging the panel.tmccraft.com.conf and tmccraft.com.conf and then regenerating the SSL conf, to no avail so far. So I'll list my current config and the certbot command that I ran; maybe you guys can spot what the error is.
My tmccraft2.com.conf file:

<VirtualHost 188.40.172.125:80>
ServerAdmin mulder00thomas@gmail.com
ServerName tmccraft.com
DocumentRoot /var/www/wordpress
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =tmccraft.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost 188.40.172.125:80>
ServerName panel.tmccraft.com
DocumentRoot /var/www/html/multicraft
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =panel.tmccraft.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

tmccraft2.com-le-ssl.conf:

<VirtualHost 188.40.172.125:443>
ServerAdmin mulder00thomas@gmail.com
ServerName tmccraft.com
DocumentRoot /var/www/wordpress
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLCertificateFile /etc/letsencrypt/live/panel.tmccraft.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/panel.tmccraft.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

<VirtualHost 188.40.172.125:443>
ServerName panel.tmccraft.com
DocumentRoot /var/www/html/multicraft
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLCertificateFile /etc/letsencrypt/live/panel.tmccraft.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/panel.tmccraft.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

The command I ran and its output:

root@TMCProductions:~# certbot --apache -d tmccraft.com -d panel.tmccraft.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/panel.tmccraft.com.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Created an SSL vhost at /etc/apache2/sites-available/tmccraft2.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/tmccraft2.com-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/tmccraft2.com-le-ssl.conf
Created an SSL vhost at /etc/apache2/sites-available/tmccraft2.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/tmccraft2.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/tmccraft2.com.conf to ssl vhost in /etc/apache2/sites-available/tmccraft2.com-le-ssl.conf
Redirecting vhost in /etc/apache2/sites-enabled/tmccraft2.com.conf to ssl vhost in /etc/apache2/sites-available/tmccraft2.com-le-ssl.conf


Congratulations! You have successfully enabled https://tmccraft.com and
https://panel.tmccraft.com

You should test your configuration at:
SSL Server Test: tmccraft.com (Powered by Qualys SSL Labs)
SSL Server Test (Powered by Qualys SSL Labs)


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/panel.tmccraft.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/panel.tmccraft.com/privkey.pem
    Your cert will expire on 2021-03-27. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

I hope anyone knows what to do, I wouldn't mind resetting it again and doing it again if someone knows how. If you need more info please let me know.

Greetings Thomas Mulder.

1 Like

You're redirecting from tmccraft.com to www.tmccraft.com which isn't included in the certificate.

1 Like

How would I fix that exactly? Sorry, I'm really not too familiar with this stuff.

1 Like

Hi @TMCThomas

You have to create a certificate with three domain names. Change your command and read

https://certbot.eff.org/docs/using.html

1 Like

So you mean creating a third virtual host file like this?
<VirtualHost 188.40.172.125:80>
ServerAdmin mulder00thomas@gmail.com
ServerName www.tmccraft.com
DocumentRoot /var/www/wordpress
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.tmccraft.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

and then running certbot like this?

certbot --apache -d tmccraft.com -d www.tmccraft.com -d panel.tmccraft.com

If you look at your certbot command and my remark, it shouldn't be too difficult to see what you'd need to do to fix it. :slight_smile:

If the www subdomain is exactly the same as the apex domain, it isn't necessary to add a separate virtualhost for that. See the Apache documentation for ServerAlias. There's a good chance you already have something like that. You can see an overview of your virtualhosts with apachectl -S

1 Like

Hmm, tried adding www.tmccraft.com but that didn't go smoothly unfortunately (or do you mean replacing tmccraft.com with www.tmccraft.com?). It gives me the following error:

root@TMCProductions:~# certbot --apache -d tmccraft.com -d panel.tmccraft.com -dwww.tmccraft.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/panel.tmccraft.com.conf)

It contains these names: tmccraft.com, panel.tmccraft.com

You requested these names for the new certificate: tmccraft.com,
panel.tmccraft.com, www.tmccraft.com.

Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.tmccraft.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/tmccraft2.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/tmccraft2.com-le-ssl.conf

We were unable to find a vhost with a ServerName or Address of www.tmccraft.com.
Which virtual host would you like to choose?


1: tmccraft2.com.conf | tmccraft.com | | Enabled
2: tmccraft2.com.conf | panel.tmccraft.com | | Enabled
3: tmccraft2.com-le-ssl.conf | tmccraft.com | HTTPS | Enabled
4: tmccraft2.com-le-ssl.conf | panel.tmccraft.com | HTTPS | Enabled


Select the appropriate number [1-4] then [enter] (press 'c' to cancel): 1
The selected vhost would conflict with other HTTPS VirtualHosts within Apache. Please select another vhost or add ServerNames to your configuration.
VirtualHost not able to be selected.

IMPORTANT NOTES:

  • Unable to install the certificate
1 Like

You didn't add the subdomain to Apache it seems. Did you read my remark about ServerAlias? What's the output of apachectl -S?

1 Like

Oh, I hadn't yet indeed; I've now added it. My current config file (tmccraft2.com.conf) is:

<VirtualHost 188.40.172.125:80>
ServerAdmin mulder00thomas@gmail.com
ServerName tmccraft.com
ServerAlias www.tmccraft.com
DocumentRoot /var/www/wordpress
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost 188.40.172.125:80>
ServerName panel.tmccraft.com
DocumentRoot /var/www/html/multicraft
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

I have in the meantime removed and disabled the SSL config (tmccraft.com-le-ssl.conf) to start fresh; however, it gives me this error now:

root@TMCProductions:~# certbot --apache -d tmccraft.com -d panel.tmccraft.com -d www.tmccraft.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/panel.tmccraft.com.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
No vhost exists with servername or alias of tmccraft.com. No vhost was selected. Please specify ServerName or ServerAlias in the Apache config.
No vhost selected

The output from apachectl -S is:

root@TMCProductions:~# apachectl -S
AH00557: apache2: apr_sockaddr_info_get() failed for TMCProductions
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

1 Like

I'm confused. Your apachectl -S output does not reference any virtualhosts at all.

Earlier, you had the Apache site configuration files tmccraft2.com.conf and tmccraft2.com-le-ssl.conf? And now you previously also had tmccraft.com-le-ssl.conf? Where does the "2" come from?

It seems tmccraft2.com.conf isn't seen by Apache at all, looking at the output of apachectl -S. In which directory is it? Is it enabled?

1 Like

Oh, I'm an idiot, I forgot to re-enable tmccraft2.com.conf. Did that now; "apachectl -S" outputs the following:

VirtualHost configuration:
188.40.172.125:80 is a NameVirtualHost
default server tmccraft.com (/etc/apache2/sites-enabled/tmccraft2.com.conf:1)
port 80 namevhost tmccraft.com (/etc/apache2/sites-enabled/tmccraft2.com.conf:1)
alias www.tmccraft.com
port 80 namevhost panel.tmccraft.com (/etc/apache2/sites-enabled/tmccraft2.com.conf:10)

I started out with 2 separate conf files (tmccraft.com.conf and panel.tmccraft.com.conf) and later (in an attempt to fix things) merged those 2 into one which I called tmccraft2.com.conf (since I kept the old ones just in case).

With tmccraft2.com.conf now enabled, should I try:
certbot --apache -d tmccraft.com -d www.tmccraft.com -d panel.tmccraft.com

1 Like

I believe it should work properly now, yes.

1 Like

Unfortunately I ran into issues again:

root@TMCProductions:~# certbot --apache -d tmccraft.com -d panel.tmccraft.com -d www.tmccraft.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/panel.tmccraft.com.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Created an SSL vhost at /etc/apache2/sites-available/tmccraft2.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/tmccraft2.com-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/tmccraft2.com-le-ssl.conf
Created an SSL vhost at /etc/apache2/sites-available/tmccraft2.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/tmccraft2.com-le-ssl.conf
An unexpected error occurred:
ValueError: Unable to set value to path!
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:

  • Unable to install the certificate
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/panel.tmccraft.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/panel.tmccraft.com/privkey.pem
    Your cert will expire on 2021-03-27. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"

The log file contains the following:

2020-12-27 07:51:42,692:INFO:certbot_apache.configurator:Created an SSL vhost at /etc/apache2/sites-available/tmccraft2.com-le-ssl.conf
2020-12-27 07:51:42,701:DEBUG:certbot.reverter:Creating backup of /etc/apache2/sites-available/tmccraft2.com-le-ssl.conf
2020-12-27 07:51:42,802:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/apache2/sites-available/tmccraft2.com-le-ssl.conf
2020-12-27 07:51:42,803:INFO:certbot_apache.override_debian:Enabling available site: /etc/apache2/sites-available/tmccraft2.com-le-ssl.conf
2020-12-27 07:51:42,836:INFO:certbot_apache.configurator:Created an SSL vhost at /etc/apache2/sites-available/tmccraft2.com-le-ssl.conf
2020-12-27 07:51:42,989:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/apache2/sites-available/tmccraft2.com-le-ssl.conf
2020-12-27 07:51:43,080:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/client.py", line 516, in deploy_certificate
fullchain_path=fullchain_path)
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 336, in deploy_cert
self._deploy_cert(vhost, cert_path, key_path, chain_path, fullchain_path)
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 446, in _deploy_cert
self._add_dummy_ssl_directives(vhost.path)
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 1431, in _add_dummy_ssl_directives
"insert_cert_file_path")
File "/usr/lib/python3/dist-packages/certbot_apache/parser.py", line 329, in add_dir
self.aug.set(aug_conf_path + "/directive[last() + 1]", directive)
File "/usr/lib/python3/dist-packages/augeas.py", line 187, in set
raise ValueError("Unable to set value to path!")
ValueError: Unable to set value to path!

2020-12-27 07:51:43,080:DEBUG:certbot.error_handler:Calling registered functions
2020-12-27 07:51:43,082:DEBUG:certbot.reporter:Reporting to user: Unable to install the certificate
2020-12-27 07:51:43,082:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1126, in run
_install_cert(config, le_client, domains, new_lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 760, in _install_cert
path_provider.cert_path, path_provider.chain_path, path_provider.fullchain_path)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 516, in deploy_certificate
fullchain_path=fullchain_path)
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 336, in deploy_cert
self._deploy_cert(vhost, cert_path, key_path, chain_path, fullchain_path)
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 446, in _deploy_cert
self._add_dummy_ssl_directives(vhost.path)
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 1431, in _add_dummy_ssl_directives
"insert_cert_file_path")
File "/usr/lib/python3/dist-packages/certbot_apache/parser.py", line 329, in add_dir
self.aug.set(aug_conf_path + "/directive[last() + 1]", directive)
File "/usr/lib/python3/dist-packages/augeas.py", line 187, in set
raise ValueError("Unable to set value to path!")
ValueError: Unable to set value to path!
2020-12-27 07:51:43,083:ERROR:certbot.log:An unexpected error occurred:

Thanks for your time so far!

EDIT:
When I omit www.tmccraft.com and run it like this again: "certbot --apache -d tmccraft.com -d panel.tmccraft.com", it works fine again (but with the SSL error for tmccraft.com). Really odd.

1 Like

If this

is your vHost configuration, you should create two different certificates, not one.

The list of domains per vHost should match the list of your domain names in your command.

1 Like

It's not related to your error, but that's the wrong choice! (It really should be deleted from certbot...) It said you already had a certificate with all the domains you required. Renewing doesn't help in that case: it's the installing of the cert giving you trouble, not the certificate issuance. You should choose "1" when asked to install the correct certificate you already have.

In addition to what @JuergenAuer correctly states here: this is a limitation of certbot I overlooked earlier. Apache is fine with multiple virtualhosts in a single file, but certbot works best with one virtualhost per file.

I do find the certbot error kinda strange though. The fact it presents a "ValueError" (which is a Python error) means this error wasn't caught properly in certbot, I think.

All of this might have been fixed in more recent versions of certbot by the way. You're using 0.31.0 which is pretty old.

1 Like
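Two of the checks discussed in this thread (does every name passed to certbot with -d match a ServerName or ServerAlias, per the "No vhost exists with servername or alias" error, and does any single file hold more than one virtualhost, which the reply above notes certbot handles poorly) can be scripted against the output of apachectl -S. This is an added example, not code from the thread or from certbot; the sample output is constructed to mirror the one posted above.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the `apachectl -S` output posted in the thread.
SAMPLE_APACHECTL_S = """\
VirtualHost configuration:
188.40.172.125:80      is a NameVirtualHost
         default server tmccraft.com (/etc/apache2/sites-enabled/tmccraft2.com.conf:1)
         port 80 namevhost tmccraft.com (/etc/apache2/sites-enabled/tmccraft2.com.conf:1)
                 alias www.tmccraft.com
         port 80 namevhost panel.tmccraft.com (/etc/apache2/sites-enabled/tmccraft2.com.conf:10)
ServerRoot: "/etc/apache2"
"""

# "port 80 namevhost tmccraft.com (/etc/apache2/sites-enabled/tmccraft2.com.conf:1)"
VHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+) \((\S+):(\d+)\)")
# "        alias www.tmccraft.com"  (always follows the vhost it belongs to)
ALIAS_RE = re.compile(r"^\s*alias (\S+)")


def parse_vhosts(text):
    """Parse `apachectl -S` output into a list of vhost dicts (port, name, file, line, aliases)."""
    vhosts = []
    for line in text.splitlines():
        m = VHOST_RE.match(line)
        if m:
            vhosts.append({"port": int(m.group(1)), "name": m.group(2),
                           "file": m.group(3), "line": int(m.group(4)), "aliases": []})
            continue
        m = ALIAS_RE.match(line)
        if m and vhosts:
            # aliases are indented under the most recently listed vhost
            vhosts[-1]["aliases"].append(m.group(1))
    return vhosts


def unmatched_domains(vhosts, domains):
    """Names given to certbot -d that no vhost serves as ServerName or ServerAlias."""
    return [d for d in domains
            if not any(d == v["name"] or d in v["aliases"] for v in vhosts)]


def files_with_multiple_vhosts(vhosts):
    """Config files holding more than one vhost: the layout certbot's Apache plugin copes with badly."""
    count = defaultdict(int)
    for v in vhosts:
        count[v["file"]] += 1
    return sorted(f for f, n in count.items() if n > 1)


if __name__ == "__main__":
    vh = parse_vhosts(SAMPLE_APACHECTL_S)
    wanted = ["tmccraft.com", "www.tmccraft.com", "panel.tmccraft.com"]
    print("vhosts:", [(v["name"], v["aliases"]) for v in vh])
    print("no vhost for:", unmatched_domains(vh, wanted))
    print("files with several vhosts:", files_with_multiple_vhosts(vh))
```

Run it as `apachectl -S 2>/dev/null | python3 check_vhosts.py` after swapping the constructed sample for `sys.stdin.read()`.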

Ah ok, I first selected "1" but that didn't work so I thought I might as well try "2" as well :slight_smile:

It works now! Thanks a lot for the help! :smiley:

1 Like

I would like to urge you to think first before you do :wink: While the certificate might be free for you, Let's Encrypt's resources aren't free and every extra "useless" certificate issued is a shame.

:+1:

1 Like

Good point haha, I was so frustrated with it that I was willing to try everything :sweat_smile: I must say I didn't know it worked that way; that's indeed a waste of resources!

1 Like