Making SSL certificate for redirector-only URLs

Hi all, I’ve Apache installed in my Parabola GNU/Linux installation (Arch based), with Let’s Encrypt for my websites. I was wondering if I could make a certificate for redirector URLs. Let’s say example.com forwards to example.org; everything is fine up to that point, but if I type https://example.com then it fails and forwards to another of my SSL’ed websites. I know that most web browsers default to http:// but I’d like to do this anyway (read at the end).

The problem here is that when creating the certificate, certbot asks me to tell it the webroot, but redirectors do not have a webroot. I’ve tried with the standalone method, but it fails.

$ sudo certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): example.com
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for example.com
Cleaning up challenges
Problem binding to port 443: Could not bind to IPv4 or IPv6.

If I could create one certificate valid for multiple domains (e.g. an SSL certificate valid for example.com and example.org), that would be fantastic, but AFAIK that’s not possible.

At least if I could completely disable the SSL engine for those domains would also be ok, because (as I already said) the problem is that they redirect to other SSL’ed websites hosted in the same machine. For example, http://example.com redirects to http://example.org but https://example.com fails and redirects to https://mywebsite.com and that’s really annoying.

I hope I was clear in my explanation, thanks in advance :slight_smile:

For the standalone method, you should stop your existing web server temporarily. (You can use --pre-hook and --post-hook to specify commands that do this, like --pre-hook "service apache stop" --post-hook "service apache start".)


Thanks, that helped :smiley:
Why do I need to stop the web server for it to work? Just asking out of curiosity.

P.S: Do I have to do the same when renewing those certificates?

The point of "standalone" is that it's an alternative to having an existing web server. It works by creating its own web server which listens on port 443. If you do have an existing web server that's listening on port 443, the standalone web server won't be able to do that because only one process can listen on a particular port number on a particular network interface at a time.

Yes, but if you used --pre-hook and --post-hook, Certbot should remember those options and do that for you automatically if you use certbot renew. If you didn't, you can also specify --pre-hook and --post-hook for the certbot renew command itself.

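The port conflict explained in the reply above, reproduced as an added example (not code from the thread or from Certbot). The helper names `try_bind` and `demo` are hypothetical, and a kernel-chosen loopback port stands in for 443 so the script runs without root.

```python
import errno
import socket


def try_bind(port, host="127.0.0.1", family=socket.AF_INET):
    """Return None if (host, port) can be bound, otherwise the errno name.

    This is the same operation a standalone ACME responder needs to succeed
    before it can answer a challenge on that port.
    """
    try:
        probe = socket.socket(family, socket.SOCK_STREAM)
    except OSError as exc:  # address family not available on this host
        return errno.errorcode.get(exc.errno, str(exc))
    try:
        probe.bind((host, port))
        probe.listen(1)
        return None
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc))
    finally:
        probe.close()


def demo():
    """Play the 'existing web server', then try to bind the same port twice."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))  # port 0: kernel picks a free port
    server.listen(1)
    port = server.getsockname()[1]

    # Server still running: the second listener is refused, which is the
    # situation behind "Problem binding to port 443".
    while_running = try_bind(port)

    # Stopping the server (the job of the --pre-hook) releases the port.
    server.close()
    after_stop = try_bind(port)
    return while_running, after_stop


if __name__ == "__main__":
    print(demo())  # ('EADDRINUSE', None)
```

Calling `try_bind(443, "0.0.0.0")` as root on the real host shows the same refusal while Apache is still listening.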
