Hello there! I’m having an issue with the certificate from my domains, somehow it works only sometimes and sometimes it doesn’t. I’m running 3 different domains and each one has its own VirtualHost file (80 and 443).
My domain is: intranet.lsgob.us (other domains are lsgob.us and roozgames.com)
I ran this command: certbot --apache
It produced this output:
root@vps202138:/etc/apache2# ls
apache2.conf conf-available conf-enabled envvars magic mods-available mods-enabled
ports.conf sites-available sites-enabled
root@vps202138:/etc/apache2# cd sites-available/
root@vps202138:/etc/apache2/sites-available# ls
000-default.conf intranet.lsgob.us-le-ssl.conf lsgob.us-le-ssl.conf roozgames.com-le-ssl.conf
intranet.lsgob.us.conf lsgob.us.conf roozgames.com.conf
yagpdb.roozgames.com.conf
root@vps202138:/etc/apache2/sites-available# nano intranet.lsgob.us-le-ssl.conf
root@vps202138:/etc/apache2/sites-available# nano lsgob.us.conf
root@vps202138:/etc/apache2/sites-available# certbot -.apache
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: -.apache
root@vps202138:/etc/apache2/sites-available# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: lsgob.us
2: intranet.lsgob.us
3: roozgames.com
4: yagpdb.roozgames.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you
requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/intranet.lsgob.us.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/intranet.lsgob.us-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enhancement redirect was already set.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://intranet.lsgob.us
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=intranet.lsgob.us
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/intranet.lsgob.us/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/intranet.lsgob.us/privkey.pem
Your cert will expire on 2018-12-19. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
root@vps202138:/etc/apache2/sites-available#
My web server is (include version): Apache2
The operating system my web server runs on is (include version): Ubuntu 16.04 Xenial
My hosting provider, if applicable, is: OVH
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
I have restarted my apache2 service and I’m getting the certificate mismatch error (it says that there’s one for lsgob.us) and it’s also redirecting me to that folder. As you can see in this image, the files are from the lsgob domain and not intranet.lsgob.us http://prntscr.com/kwo0ii http://prntscr.com/kwo1o2
Hi,
Did you happen to resolve that issue?
Since it’s working correctly now.
Thank you
I didn’t. I did sudo service apache2 restart and it stopped working, and then I did service apache2 reload and it works a bit, but other pages like lsgob.us don’t.
Hi @arkerooz
the certificate is ok (old, created 20 July 2018, but correct).
[Edit]: Ok, the site is "temporarily unavailable", so the content may be created from your hoster. Then you can't fix these warnings. But what does not work?
But there are a lot of mixed content warnings, you should fix them.
Use Chrome or Firefox, then CTRL + Shift + I, that opens the console.
There you see a lot of blocked files (css and other).
http://www.ipage.com/xslt/elements/generic_csscomponent.css
http://www.ipage.com/generalAppC/scriptcat/87ae207201c55b84c5270851159260e1.1
Change all these links from http to https.
It works, but sometimes the certificate just disappears. I mean when I join it doesn’t show me the SSL certificate, instead it shows me a Chrome error about the mismatch. I’m not really sure why it doesn’t work sometimes. Any idea?
I see a page with a "This site is temporarily unavailable" warning. A lot of content is blocked, so the design is missing.
But this page is created by your hoster, so it is irrelevant.
Did you deactivate your page?
It may be
- only a cache problem
- your site loads different content, sometimes mixed content -> warnings
The certificate is correct, a wildcard certificate:
DNS-Name: *.lsgob.us
DNS-Name: lsgob.us
I don’t see that. I do see lsgob.us on intranet.lsgob.us (I don’t know why), I haven’t deactivated it and it can’t be a cache problem because it worked yesterday. Any idea?
Now I see a correct page under
https://lsgob.us/ - with a Let's Encrypt certificate created 8 September 2018.
And two links, but those have wrong certificates:
https://www.pd.lsgob.us/
https://www.intranet.lsgob.us/
Both have only lsgob.us as the certificate. So you have two options:
Create a certificate with the -d option and 3 or 5 names
lsgob.us pd.lsgob.us www.pd.lsgob.us intranet.lsgob.us www.intranet.lsgob.us
Or remove the www in these links and create (again) a wildcard certificate
lsgob.us *.lsgob.us
and use that.
Which option would you recommend and how do I do it? By the way, thanks for answering.
Hi
Could you please run sudo certbot certificates and share the result with us?
In the current case, you’ll need to configure TLS for each of the HTTP virtual hosts.
You could either ask certbot to install it for you, or install it yourself…
Also, you are sharing the sites-available folder with us…
What we really want to know about is the sites-enabled folder… What does it contain?
Thank you
This is what I got running that command.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/www.intranet.lsgob.us.conf produced an unexpected error: expected /etc/letsencrypt/live/www.intranet.lsgob.us/cert.pem to be a symlink. Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: www.lsgob.us
Domains: www.lsgob.us
Expiry Date: 2018-12-06 18:32:24+00:00 (VALID: 75 days)
Certificate Path: /etc/letsencrypt/live/www.lsgob.us/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.lsgob.us/privkey.pem
Certificate Name: lsgob.us
Domains: lsgob.us
Expiry Date: 2018-12-07 00:46:00+00:00 (VALID: 76 days)
Certificate Path: /etc/letsencrypt/live/lsgob.us/fullchain.pem
Private Key Path: /etc/letsencrypt/live/lsgob.us/privkey.pem
Certificate Name: intranet.lsgob.us
Domains: intranet.lsgob.us
Expiry Date: 2018-12-19 02:19:04+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/intranet.lsgob.us/fullchain.pem
Private Key Path: /etc/letsencrypt/live/intranet.lsgob.us/privkey.pem
Certificate Name: roozgames.com
Domains: roozgames.com
Expiry Date: 2018-12-07 02:01:28+00:00 (VALID: 76 days)
Certificate Path: /etc/letsencrypt/live/roozgames.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/roozgames.com/privkey.pem
The following renewal configuration files were invalid:
/etc/letsencrypt/renewal/www.intranet.lsgob.us.conf
This is what I have in sites-enabled: http://prntscr.com/kx6vq7
:80 file
<VirtualHost *:80>
ServerName intranet.lsgob.us
ServerAdmin ayuda@roozgames.com
DocumentRoot /var/www/intranet
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =intranet.lsgob.us
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
:443 file
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName intranet.lsgob.us
ServerAdmin ayuda@roozgames.com
DocumentRoot /var/www/intranet
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/intranet.lsgob.us/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/intranet.lsgob.us/privkey.pem
</VirtualHost>
</IfModule>
Hi,
Just wondering… Why are IfModule mod_ssl.c and IfModule wrapping the virtual host 443 config for the intranet domain?
Could you try to remove it and restart Apache?
Thank you
Do you mean removing it and leaving it like this?
<VirtualHost *:443>
ServerName intranet.lsgob.us
ServerAdmin ayuda@roozgames.com
DocumentRoot /var/www/intranet
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/intranet.lsgob.us/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/intranet.lsgob.us/privkey.pem
</VirtualHost>
Yes...
If I'm correct, mod_ssl.c should not wrap a virtual host file...... (Which might be the reason the virtual host is not working?)
(Please back up the file before trying this)
Thank you
Nope, not working. This is how my files look now.
<VirtualHost *:80>
ServerName intranet.lsgob.us
ServerAdmin ayuda@roozgames.com
DocumentRoot /var/www/intranet
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =intranet.lsgob.us
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
ServerName intranet.lsgob.us
ServerAdmin ayuda@roozgames.com
DocumentRoot /var/www/intranet
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/intranet.lsgob.us/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/intranet.lsgob.us/privkey.pem
</VirtualHost>
<VirtualHost *:80>
ServerName lsgob.us
ServerAdmin ayuda@roozgames.com
DocumentRoot /var/www/lsgob
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =lsgob.us
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
<VirtualHost lsgob.us:443>
ServerName lsgob.us
ServerAdmin ayuda@roozgames.com
DocumentRoot /var/www/lsgob
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/lsgob.us/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/lsgob.us/privkey.pem
</VirtualHost>
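Added example, not part of any post in this thread: a simplified model of Apache's documented virtual-host lookup, run over the four vhosts posted above. It assumes every site is served from one address (`SERVER_IP`, a constructed value) and that the hostname in `<VirtualHost lsgob.us:443>` resolves to that address. In Apache, an exact address match takes precedence over `*`, so the model shows which certificate each name would receive.

```python
# Added illustration: simplified model of Apache's vhost selection.
# SERVER_IP is constructed (documentation range); RESOLVES is an assumption
# about what the hostname in <VirtualHost lsgob.us:443> resolves to at startup.
SERVER_IP = "203.0.113.10"
RESOLVES = {"lsgob.us": SERVER_IP}

VHOSTS = [
    # addr = the <VirtualHost ADDR:PORT> argument, cert = live/ directory used
    {"addr": "*", "port": 80, "names": ["intranet.lsgob.us"], "cert": None},
    {"addr": "*", "port": 443, "names": ["intranet.lsgob.us"], "cert": "intranet.lsgob.us"},
    {"addr": "*", "port": 80, "names": ["lsgob.us"], "cert": None},
    {"addr": "lsgob.us", "port": 443, "names": ["lsgob.us"], "cert": "lsgob.us"},
]

def select_vhost(vhosts, local_ip, port, requested_name, resolves):
    """Return the vhost chosen for a connection to local_ip:port asking for requested_name."""
    on_port = [v for v in vhosts if v["port"] == port]
    # Step 1: exact address matches win; "*" vhosts are considered only if none exist.
    exact = [v for v in on_port if resolves.get(v["addr"], v["addr"]) == local_ip]
    candidates = exact or [v for v in on_port if v["addr"] == "*"]
    if not candidates:
        return None  # falls through to the main server configuration
    # Step 2: inside that set, match ServerName/ServerAlias; otherwise the first listed is the default.
    for v in candidates:
        if requested_name.lower() in v["names"]:
            return v
    return candidates[0]

def served_cert(requested_name, vhosts=VHOSTS):
    """Certificate lineage presented on port 443 for the requested name."""
    v = select_vhost(vhosts, SERVER_IP, 443, requested_name, RESOLVES)
    return v["cert"] if v else None

def with_uniform_wildcard(vhosts):
    """Same vhosts with every address argument rewritten to '*'."""
    return [dict(v, addr="*") for v in vhosts]
```

Under these assumptions, `served_cert("intranet.lsgob.us")` returns the `lsgob.us` lineage, while the same call against `with_uniform_wildcard(VHOSTS)` returns `intranet.lsgob.us`.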
You can use only one wildcard certificate. Sometimes, this is ok. But then www.pd.lsgob.us would not work.
So if you want to use all www - domains, you should create three certificates with two names (www + non-www). Or one certificate with six domain names.
My own service uses a wildcard certificate, every customer has a subdomain, so I don't need certificates per customer. But www.subdomain.mydomain.de doesn't work. Some customers are hidden, I don't want to create certificates found via Certificate Transparency.
For your service, this isn't a problem. So if people add www, they should see the correct domain.
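Added example, not part of any post in this thread: the name-matching rule behind the two certificate options, checked against the hostnames named in the thread and the lineages in the `certbot certificates` output above. `CERTBOT_OUTPUT` is a trimmed copy of that output; the function names are illustrative.

```python
import re

# Trimmed copy of the `certbot certificates` output posted earlier in the thread.
CERTBOT_OUTPUT = """\
Certificate Name: www.lsgob.us
  Domains: www.lsgob.us
Certificate Name: lsgob.us
  Domains: lsgob.us
Certificate Name: intranet.lsgob.us
  Domains: intranet.lsgob.us
Certificate Name: roozgames.com
  Domains: roozgames.com
"""

# Hostnames mentioned in the thread.
HOSTS = ["lsgob.us", "pd.lsgob.us", "www.pd.lsgob.us",
         "intranet.lsgob.us", "www.intranet.lsgob.us"]

def parse_lineages(text):
    """Map each certificate name to the list of names on that certificate."""
    lineages, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Certificate Name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*Domains:\s*(.+)", line)
        if m and current:
            lineages[current] = m.group(1).split()
    return lineages

def covers(san, host):
    """True if a certificate name matches host; '*' stands for exactly one left-most label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == san[2:]
    return san == host

def uncovered(sans, hosts):
    """Hostnames that no name on the certificate matches."""
    return [h for h in hosts if not any(covers(s, h) for s in sans)]

def lineages_for(host, lineages):
    """Existing certificate lineages that are valid for host."""
    return [n for n, sans in lineages.items() if any(covers(s, host) for s in sans)]
```

`uncovered(["lsgob.us", "*.lsgob.us"], HOSTS)` returns the two `www.` subdomain names, and `lineages_for("www.intranet.lsgob.us", parse_lineages(CERTBOT_OUTPUT))` returns an empty list, so no certificate currently on the server is valid for that link.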
So basically I have to create two virtualhost files for each domain? (one with www. and one without) and then create a certificate for each virtualhost file?
You can create one vHost with two server names. You can also create one vHost with the 6 domain names.
But: One vHost -> one certificate. Or: 6 vHosts -> using the same certificate. But one vHost cannot use two certificates.
The first question is about your website: Do you use one content management system or three? Are the files static so you need three different webroots?
Yes, they are static so I’m using 3 different folders. pd.lsgob.us has its own folder, intranet has its own and lsgob.us has its own too.
BUMP POST. Any idea? somebody?