Multiple domains on single host, can't get certificate for 2nd domain running

Hi,
I already have a working certificate for my Nextcloud installation on buelowcloud.psybnc.org. I tried to install the certificate for my second domain paulas-masks.mooo.com with certbot. However, it doesn't work. According to https://www.ssllabs.com, the server seems to send the certificate for the other domain.

My domain is:
paulas-masks.mooo.com

I ran this command:
sudo certbot --apache

It produced this output:

sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: paulas-masks.mooo.com
2: www.paulas-masks.mooo.com
3: buelowcloud.psybnc.org


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/paulas-masks.mooo.com.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/paulas-masks.mooo.com.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/paulas-masks.mooo.com.conf to ssl vhost in /etc/apache2/sites-enabled/paulas-masks.mooo.com.conf


Congratulations! You have successfully enabled https://paulas-masks.mooo.com

You should test your configuration at:
SSL Server Test (Powered by Qualys SSL Labs)


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/paulas-masks.mooo.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/paulas-masks.mooo.com/privkey.pem
    Your cert will expire on 2020-07-05. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"

My web server is (include version):
Apache/2.4.38
The operating system my web server runs on is (include version):
Debian GNU/Linux 10 (buster)
My hosting provider, if applicable, is:
selfhosted
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

Your website works fine: https://paulas-masks.mooo.com/

Oh, my mistake. Looks like the second approach to install the certificate worked, although https://www.ssllabs.com still tells me there is a problem. Thanks for checking!

not really... SSL Server Test: paulas-masks.mooo.com (Powered by Qualys SSL Labs)

what problem were you referring to?

(did you put HSTS preload on on purpose? if not, remove it.)

That's not preloading, that's just the HSTS header.

Looks like I still had the old results cached on ssllabs.com. Before, my server was sending the certificate for the other domain. Now everything looks fine.

max-age=15768000; includeSubDomains; preload
:confused:

That doesn't do anything by itself as far as I know. It's just a prerequisite for inclusion when the domain is submitted. See https://hstspreload.org/

That's correct.

But if the main domain has all of the other prerequisites, everyone can submit that domain.

That's the reason I've added a warning:

Warning: HSTS preload sent, but not in Preload-List. Never send a preload directive if you don't know what preload means. Check https://hstspreload.org/ to learn the basics about the Google-Preload list. If you send a preload directive, you should immediately add your domain to the HSTS preload list via https://hstspreload.org/ . If Google accepts the domain, so the status is "pending": Note that new entries are hardcoded into the Chrome source code and can take several months before they reach the stable version. So you will see this message some months. If you don't want that or if you don't understand "preload", but if you send a preload directive and if you have correct A-redirects, everybody can add your domain to that list. Then you may have problems, it's not easy to undo that. So if you don't want your domain preloaded, remove the preload directive.

yeah, but anyone can submit it if the header contains preload (but subdomains aren’t eligible for inclusion)

Oeehh, good point guys, especially now we've let the whole world know they can add the site… :face_with_raised_eyebrow:

No.

There is a Grade B warning:

B warning: HSTS max-age is too short - minimum 31536000 = 365 days required, 15768000 seconds = 182 days found

That blocks.

But there are a lot of domains with A and with that warning.

PS: And it's a subdomain, mooo.com isn't a Public Suffix. So it's impossible to add that subdomain.

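The last few replies spell out the conditions under which a `preload` directive actually matters: the header must carry `preload`, `max-age` must be at least 31536000 seconds (365 days), `includeSubDomains` must be present, and only a registrable domain (not a subdomain such as paulas-masks.mooo.com under the non-public-suffix mooo.com) can be submitted. The following checker, written here as an added illustration and not taken from the thread, certbot or hstspreload.org, applies those rules to a raw Strict-Transport-Security value. The `PUBLIC_SUFFIXES` set is a constructed three-entry stand-in; a real deployment would consult the full Public Suffix List. The redirect requirements hstspreload.org also imposes are outside what a header alone can show and are not checked here.

```python
"""Check a Strict-Transport-Security header against the hstspreload.org rules
discussed in the thread (preload, max-age >= 365 days, includeSubDomains,
registrable domain only). Added example, not code from the original post."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PRELOAD_MIN_MAX_AGE = 31536000  # 365 days, the minimum hstspreload.org accepts

# Constructed stand-in for the Public Suffix List (https://publicsuffix.org/).
# Only these three suffixes are known here; a real check must load the full list.
PUBLIC_SUFFIXES = {"com", "org", "net"}


@dataclass
class HstsResult:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    problems: List[str] = field(default_factory=list)

    @property
    def preload_eligible(self) -> bool:
        """True only when preload is requested and no rule is violated."""
        return self.preload and not self.problems


def parse_hsts(header: str) -> Tuple[Optional[int], bool, bool]:
    """Split a header value like 'max-age=15768000; includeSubDomains; preload'
    into (max_age, include_subdomains, preload). Directive names are
    case-insensitive; an unparsable max-age is reported as None."""
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                max_age = None
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return max_age, include_subdomains, preload


def registrable_domain(host: str) -> str:
    """Return the registrable domain (public suffix plus one label) of host.
    For paulas-masks.mooo.com this is mooo.com, because mooo.com itself is
    not a public suffix in PUBLIC_SUFFIXES."""
    labels = host.lower().rstrip(".").split(".")
    i = len(labels)
    # Walk leftwards while the tail of the name is still a public suffix.
    while i > 0 and ".".join(labels[i - 1:]) in PUBLIC_SUFFIXES:
        i -= 1
    # One more label than the suffix gives the registrable domain.
    return ".".join(labels[max(i - 1, 0):])


def check_preload(host: str, header: str) -> HstsResult:
    """Evaluate whether host could be submitted to the preload list with this header."""
    max_age, include_subdomains, preload = parse_hsts(header)
    result = HstsResult(max_age, include_subdomains, preload)
    if not preload:
        return result  # No preload directive: nothing can be submitted.
    if max_age is None:
        result.problems.append("max-age missing or not an integer")
    elif max_age < PRELOAD_MIN_MAX_AGE:
        days = max_age // 86400
        result.problems.append(
            f"max-age {max_age}s ({days} days) is below the required "
            f"{PRELOAD_MIN_MAX_AGE}s (365 days)")
    if not include_subdomains:
        result.problems.append("includeSubDomains directive missing")
    if registrable_domain(host) != host.lower().rstrip("."):
        result.problems.append(
            f"{host} is a subdomain of {registrable_domain(host)}; "
            "only the registrable domain can be submitted")
    return result


if __name__ == "__main__":
    # The header value quoted in the thread, checked for the thread's host.
    res = check_preload("paulas-masks.mooo.com",
                        "max-age=15768000; includeSubDomains; preload")
    print("eligible:", res.preload_eligible)
    for p in res.problems:
        print(" -", p)
```

Running it on the thread's own header reproduces both objections raised above: the max-age is only 182 days, and the host is a subdomain of mooo.com, so it is not eligible regardless of the header. Changing the host to mooo.com and the max-age to 31536000 makes the same header pass.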