I'm currently configured with a wildcard cert for my domain (siddique.ca) that I use for some of my internally focused websites as well as for other things like home automation. I wanted to create a couple of websites I could host for my kids, thecookieavenue.com and vuerto.ca. I created specific certs for each of the kid ones.
On my Ubuntu Server running Apache, the config for the sites seems to be fine. However, when I try to open any of the child sites, I get it redirecting to my siddique.ca wildcard.
Is there any way to have it so the same host can have wildcards for some sites (about 4 in total using the wildcard), and two specific ones for cookie and vuerto? Currently using certbot 2.11.0.
Sure, you just have a VirtualHost for each set of domain names related to the cert for them. You use ServerName and ServerAlias statements to list the names handled by that VirtualHost.
What does this show
sudo apache2ctl -t -D DUMP_VHOSTS
You may need apachectl or httpd for your system. You did not answer the questions you should have been shown, so I don't know which is correct.
This is more an Apache config issue than it is a cert issue. Although, depending how you requested the cert it may affect the auto-renewal. Showing the command(s) you used to get the cert would help us advise you better.
Thanks Mike.
I apologize for not answering those questions but I had thought they might not be related to what I was asking.
Regarding the output of the dump hosts:
VirtualHost configuration:
173.183.225.166:443 is a NameVirtualHost
default server d173-183-225-166.abhsia.telus.net (/etc/apache2/sites-enabled/farley-le-ssl.conf:1)
port 443 namevhost d173-183-225-166.abhsia.telus.net (/etc/apache2/sites-enabled/farley-le-ssl.conf:1)
port 443 namevhost d173-183-225-166.abhsia.telus.net (/etc/apache2/sites-enabled/fool-le-ssl.conf:1)
port 443 namevhost d173-183-225-166.abhsia.telus.net (/etc/apache2/sites-enabled/pantheon-le-ssl.conf:1)
port 443 namevhost d173-183-225-166.abhsia.telus.net (/etc/apache2/sites-enabled/personal-le-ssl.conf:1)
173.183.225.166:80 is a NameVirtualHost
default server farley.siddique.ca (/etc/apache2/sites-enabled/farley.conf:1)
port 80 namevhost farley.siddique.ca (/etc/apache2/sites-enabled/farley.conf:1)
port 80 namevhost fool.siddique.ca (/etc/apache2/sites-enabled/fool.conf:1)
port 80 namevhost pantheon.siddique.ca (/etc/apache2/sites-enabled/pantheon.conf:1)
port 80 namevhost personal.siddique.ca (/etc/apache2/sites-enabled/personal.conf:1)
*:443 is a NameVirtualHost
default server thecookieavenue.com (/etc/apache2/sites-enabled/cookie-le-ssl.conf:2)
port 443 namevhost thecookieavenue.com (/etc/apache2/sites-enabled/cookie-le-ssl.conf:2)
port 443 namevhost vuerto.ca (/etc/apache2/sites-enabled/vuerto-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server thecookieavenue.com (/etc/apache2/sites-enabled/cookie.conf:1)
port 80 namevhost thecookieavenue.com (/etc/apache2/sites-enabled/cookie.conf:1)
port 80 namevhost vuerto.ca (/etc/apache2/sites-enabled/vuerto.conf:1)
Looking at this, I can see what you mean about this being more of an Apache issue with the defaults set the way they are. In my conf files for each one, I did set the server names but I hadn't updated the aliases. I'll try to do that now.
In those two config files you have a VirtualHost statement using the IP-based method. You need to change that to name-based by changing their VirtualHost statements so they are like your new ones. So like these:
<VirtualHost *:80>
<VirtualHost *:443>
Mixing IP-based and name-based VHosts is often problematic. The IP-based ones "latch" the incoming request first, which is why you see all your requests going to the same place.
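As an added example (not code from this thread), here is a small shell check that reads the output of `apache2ctl -t -D DUMP_VHOSTS` and flags any port that has both an IP:port and a *:port NameVirtualHost section, the mix Mike describes. The sample dump is constructed from the one posted above and trimmed; the function name is my own.

```shell
#!/bin/sh
# Added example: flag ports that have both an IP-based (IP:port) and a
# wildcard (*:port) NameVirtualHost section in DUMP_VHOSTS output.

# Reads DUMP_VHOSTS output on stdin. Prints one line per port that mixes
# IP:port and *:port sections. Returns 0 if no mix, 1 if at least one.
# Usage: apache2ctl -t -D DUMP_VHOSTS | check_vhost_mix
check_vhost_mix() {
    awk '
        # Section headers look like "173.183.225.166:443 is a NameVirtualHost"
        # or "*:443 is a NameVirtualHost"; record address kinds per port.
        / is a NameVirtualHost$/ {
            n = split($1, a, ":")
            port = a[n]
            if (a[1] == "*") wild[port] = 1; else ip[port] = 1
        }
        END {
            bad = 0
            for (p in ip) if (p in wild) {
                printf "port %s: mixes IP-based and *:%s VirtualHosts\n", p, p
                bad = 1
            }
            exit bad
        }'
}

# Constructed sample: the broken state from the dump above (trimmed).
SAMPLE_DUMP='VirtualHost configuration:
173.183.225.166:443 is a NameVirtualHost
default server d173-183-225-166.abhsia.telus.net (/etc/apache2/sites-enabled/farley-le-ssl.conf:1)
port 443 namevhost d173-183-225-166.abhsia.telus.net (/etc/apache2/sites-enabled/farley-le-ssl.conf:1)
*:443 is a NameVirtualHost
default server thecookieavenue.com (/etc/apache2/sites-enabled/cookie-le-ssl.conf:2)
port 443 namevhost thecookieavenue.com (/etc/apache2/sites-enabled/cookie-le-ssl.conf:2)
*:80 is a NameVirtualHost
port 80 namevhost thecookieavenue.com (/etc/apache2/sites-enabled/cookie.conf:1)'

# Constructed sample: the fixed state, every 443 vhost on *:443.
FIXED_DUMP='VirtualHost configuration:
*:443 is a NameVirtualHost
port 443 namevhost farley.siddique.ca (/etc/apache2/sites-enabled/farley-le-ssl.conf:1)
port 443 namevhost thecookieavenue.com (/etc/apache2/sites-enabled/cookie-le-ssl.conf:2)'

printf '%s\n' "$SAMPLE_DUMP" | check_vhost_mix   # reports port 443
printf '%s\n' "$FIXED_DUMP" | check_vhost_mix    # silent, exit 0
```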
Thanks Mike. I think the fact that I used to change the VirtualHost to be named individually is a holdover from some old config I had where having it as just a wildcard didn't work. That said, I did correct as per your suggestions and things are looking like they're working now.
No worries. If all your VirtualHosts name the correct IP it also would have worked. It is just easier to manage by using the *:port format (which relies purely on SNI then), except for the very unusual cases where IP:Port is required.