Missing a SSLCertificateFile or Alias are wrong?

I created 2 certs at different times on the same server

Problem

I access https://pbaclouda2019.com just fine
https://pbacloudb2019.com says insecure [connection not private ..]
If I hit advanced and proceed to the site, it redirects itself to
http://www.pbaclouda.com/ (note no https and not on the server I am testing)

Create First Certificate like this

certbot certonly --apache --dry-run -d pbacloudb2019.com -d www.pbacloudb2019.com -d pbacloudb2019-doctortest.com -d www.pbacloudb2019-doctortest.com

certbot --apache -d pbacloudb2019.com -d www.pbacloudb2019.com -d pbacloudb2019-doctortest.com -d www.pbacloudb2019-doctortest.com

see Certificate Name: pbacloudb2019.com below

Create second Certificate like this

certbot certonly --apache --dry-run -d pbaclouda2019.com -d www.pbaclouda2019.com -d pbaclouda2019-doctortest.com -d www.pbaclouda2019-doctortest.com

certbot --apache -d pbaclouda2019.com -d www.pbaclouda2019.com -d pbaclouda2019-doctortest.com -d www.pbaclouda2019-doctortest.com

see Certificate Name: pbaclouda2019.com below

Show my certificates: certbot certificates

Found the following certs:
Certificate Name: pbaclouda2019.com
Domains: pbaclouda2019.com pbaclouda2019-doctortest.com www.pbaclouda2019-doctortest.com www.pbaclouda2019.com
Expiry Date: 2019-08-23 18:37:43+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/pbaclouda2019.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/pbaclouda2019.com/privkey.pem
Certificate Name: pbacloudb2019.com
Domains: pbacloudb2019.com pbacloudb2019-doctortest.com www.pbacloudb2019-doctortest.com www.pbacloudb2019.com
Expiry Date: 2019-08-21 19:24:22+00:00 (VALID: 87 days)
Certificate Path: /etc/letsencrypt/live/pbacloudb2019.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/pbacloudb2019.com/privkey.pem

I look in my
/etc/apache2/sites-enabled/000-default-le-ssl.conf

ServerName pbacloudb2019.com
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias www.pbacloudb2019.com
ServerAlias pbacloudb2019-doctortest.com
ServerAlias www.pbacloudb2019-doctortest.com
ServerAlias pbaclouda2019.com
ServerAlias www.pbaclouda2019.com
ServerAlias pbaclouda2019-doctortest.com
ServerAlias www.pbaclouda2019-doctortest.com
SSLCertificateFile /etc/letsencrypt/live/pbaclouda2019.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/pbaclouda2019.com/privkey.pem

So I need to understand ServerAlias

And why I only see one
SSLCertificateFile ?

My server

Ubuntu 18.04 LTS
Apache/2.4.29 (Ubuntu)

Rackspace - shell access

I get this msg when creating certs
We were unable to find a vhost with a ServerName or Address of www.pbaclouda2019.com.
Which virtual host would you like to choose?


1: 000-default.conf | | | Enabled
2: 000-default-le-ssl.conf | Multiple Names | HTTPS | Enabled

I always answered 2

More about the project
https://garyjohnson53.wordpress.com/2019/05/23/letsencrypt-multi-domain-san/

Hi @gmgj

your configuration doesn't match your certificates.

One vHost -> one certificate.

So you have two options:

Create two vHosts (one a, one b), create two certificates, vHost a uses certificate a, vHost b certificate b.

Or use one single vHost (that's your current setup). Then you need one certificate with all names (a + b).

So your b domains (checked https://check-your-website.server-daten.de/?q=pbacloudb2019.com ) have the a-certificate:

CN=pbaclouda2019.com | 25.05.2019 | 23.08.2019 | expires in 89 days | pbaclouda2019-doctortest.com, pbaclouda2019.com, www.pbaclouda2019-doctortest.com, www.pbaclouda2019.com - 4 entries

and https can't work.

To change: Copy the current vHost config file to a new version "b", from "a" remove all "b" entries, from "b", remove all "a" entries, then change the certificate of vHost "b".


Thank you. I want to see if I understand this.
I will write a post with a description of the commands and files I need to do to support this kind of setup in case someone else can use this.
But, I need to get it working first.

My current setup - one vhost
/etc/apache2/sites-enabled/000-default-le-ssl.conf

The top of that file

<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

if I choose the option to
Create two vHosts (one a, one b), create two certificates, vHost a uses certificate a, vHost b certificate b.

  1. are they 2 different files?
    /etc/apache2/sites-enabled/000-default-le-sslA.conf
    /etc/apache2/sites-enabled/000-default-le-sslB.conf

a Virtual Host config file for every domain pointing to the same IP?
Yes or No ?

  1. do I do anything else to the files.

I put the server name inside
ServerName pbacloudb2019.com

and / or
Do I change the <VirtualHost *:443> to pbacloudb2019.com

  1. I should create the virtual hosts files before I request certificates
    yes or no

  2. the server uses Name-based virtual hosting
    planning for the potential for up to 600 sites pointing to the same IP
    around 540 at this time.
    The current setup also supports A records pointing to same ip for both the www version and the non www version

example
www.pbacloudb2019.com
pbacloudb2019.com

Do I need a virtual hosts file for both the www and the non www versions ?

or is there something I can do like this with server alias?

example request a cert with both names, the non www version first ( easier for me to read)

certbot --apache -d pbacloudb2019.com -d www.pbacloudb2019.com

certbot --apache -d pbacloudb2019-doctortest.com -d www.pbacloudb2019-doctortest.com

I can edit the virtual hosts files to be in the correct format

Does this get the job done for the future

a) setup a virtual host file for a cert and a domain (see 1 and 2 above)

request certs like this
certbot --apache -d pbaclouda2019.com -d www.pbaclouda2019.com

can I do this - one cert for both the non www and the www

A) the VHOSTs file A (also what the edited version would look like)
/etc/apache2/sites-enabled/000-default-le-sslA.conf

after requesting the cert, it should look like this

ServerName pbaclouda2019.com
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias pbaclouda2019.com
ServerAlias www.pbaclouda2019.com
SSLCertificateFile /etc/letsencrypt/live/pbaclouda2019.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/pbaclouda2019.com/privkey.pem

Is there a ServerAlias pbaclouda2019.com line if there is a ServerName pbaclouda2019.com line?

If I have the vhost file set up correctly, I will not get this message?

We were unable to find a vhost with a ServerName or Address of www.pbaclouda2019.com.
Which virtual host would you like to choose?

1: 000-default.conf | | | Enabled
2: 000-default-le-ssl.conf | Multiple Names | HTTPS | Enabled

example of second file after requesting cert.

B) the VHOSTs file B
/etc/apache2/sites-enabled/000-default-le-sslB.conf

ServerName pbacloudb2019.com
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias pbacloudb2019.com
ServerAlias www.pbacloudb2019.com
SSLCertificateFile /etc/letsencrypt/live/pbacloudb2019.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/pbacloudb2019.com/privkey.pem

No, not every domain. You can manage different domains with one vHost.

One vHost has a ServerName and a lot of ServerAlias. But ServerName + all Alias -> the certificate should have the same list of domain names.

Yes, that's required, so Certbot knows your (correct) setup.

You can use one vHost with non-www and www domain names.

That's also possible - one vHost with www and non-www and the matching certificate.
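
The rule from the replies above (ServerName plus every ServerAlias of a vHost must appear in the certificate that vHost serves) can be checked mechanically. This is an added example, not part of the original thread: the function names are hypothetical, and the sample input is constructed from the vHost directives and `certbot certificates` output quoted in the first post.

```python
import re

# Constructed sample: the single vHost and the `certbot certificates` output quoted
# in the thread, trimmed to the lines this check reads.
VHOST_CONF = """\
<VirtualHost *:443>
ServerName pbacloudb2019.com
ServerAlias www.pbacloudb2019.com pbacloudb2019-doctortest.com www.pbacloudb2019-doctortest.com
ServerAlias pbaclouda2019.com www.pbaclouda2019.com
ServerAlias pbaclouda2019-doctortest.com www.pbaclouda2019-doctortest.com
SSLCertificateFile /etc/letsencrypt/live/pbaclouda2019.com/fullchain.pem
</VirtualHost>
"""
CERTBOT_OUT = """\
Domains: pbaclouda2019.com pbaclouda2019-doctortest.com www.pbaclouda2019-doctortest.com www.pbaclouda2019.com
Certificate Path: /etc/letsencrypt/live/pbaclouda2019.com/fullchain.pem
Domains: pbacloudb2019.com pbacloudb2019-doctortest.com www.pbacloudb2019-doctortest.com www.pbacloudb2019.com
Certificate Path: /etc/letsencrypt/live/pbacloudb2019.com/fullchain.pem
"""

def parse_vhosts(conf):
    """Return {'names': set, 'cert': path} for every <VirtualHost> block."""
    vhosts = []
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        names, cert = set(), None
        for parts in (line.split() for line in block.splitlines()):
            if not parts or parts[0].startswith("#"):
                continue
            if parts[0].lower() in ("servername", "serveralias"):
                names.update(p.lower() for p in parts[1:])
            elif parts[0].lower() == "sslcertificatefile" and len(parts) > 1:
                cert = parts[1]
        vhosts.append({"names": names, "cert": cert})
    return vhosts

def parse_certbot(output):
    """Map each 'Certificate Path' to the names on the 'Domains' line above it."""
    certs, domains = {}, set()
    for line in output.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Domains":
            domains = set(value.lower().split())
        elif key == "Certificate Path":
            certs[value.strip()] = domains
    return certs

def uncovered_names(vhosts, certs):
    """Per vHost: names absent from its certificate (exact match, no wildcards)."""
    return [sorted(v["names"] - certs.get(v["cert"], set())) for v in vhosts]
```

Calling `uncovered_names(parse_vhosts(VHOST_CONF), parse_certbot(CERTBOT_OUT))` on the sample returns the four "b" names, which are the hostnames browsers flag as insecure; after splitting into one vHost per certificate, each list comes back empty.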

I have tried to make a how-to for multiple domains pointing to the same IP. It is here:
