Multiple domains re-directed to primary domain - 1 cert for all?

Hi,

I have set up a single Digital Ocean droplet for the purpose of running WordPress for a site I am running called ‘wealth-hack’. I have set up my primary domain using LetsEncrypt so that https://wealth-hack.com and https://www.wealth-hack.com both work well and show as ‘secure’ in both Chrome and Safari.

I have some other domains (wealth-hack.us, wealth-hack.co) that redirect to my primary domain (wealth-hack.com) using CNAME aliases. When my primary domain was http, this all worked well. However, now, when you browse to http://wealth-hack.co, it comes up with a ‘your connection is not secure’ message and the auto-redirect doesn’t function.

The question I have is: can I rerun letsencrypt and add -d wealth-hack.co -d wealth-hack.us to the arguments I presented the first time to have one cert work across all domains? Would this also require me to add more server aliases in 000-default.conf, or do I need to create new certs/new confs per domain?

Thanks in advance for your help, loving LetsEncrypt, hope I can get this more complicated part over the line and get back to content:)

Kind Regards
James

Please fill out the fields below so we can help you better.

My domain is: https://wealth-hack.com

I ran this command:

It produced this output:

My operating system is (include version): Ubuntu 16.04.1

My web server is (include version): Apache/2.4.18 (Ubuntu)

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The question I have in return is: how are the "extra" hostnames currently configured? If they all point to the same IP (of your DO Droplet) and you're running the Let's Encrypt client with the apache plugin (sadly you didn't answer the "I ran this command" question in the questionnaire), you should be fine with just adding the extra domains to your previous command. Tip: also use the --expand option, so the certificate will end up in the same location as your current one.

Hi Osiris,

Apols for the incomplete info. I installed LetsEncrypt based on the following guide: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04?comment=56365

Prior to running, I used the associated guide [https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-16-04] to pre-set up my 000-default.conf to include server name, alias and relevant email address. I already had WP up and running so didn’t need to create a virtual hosts file from scratch.

In terms of running LetsEncrypt, I ran it with sudo letsencrypt --apache -d wealth-hack.com -d www.wealth-hack.com. This part worked really well, getting all my pages/references across to https took me much longer:)

The only config for the extra domains was networking aliases; I’ve not explicitly configured any files in WP or within Apache/Ubuntu, a straight networking re-divert only. Just to check before I update anything, assuming my response here has not changed anything, it looks like I should do sudo letsencrypt --apache --expand -d wealth-hack.com -d www.wealth-hack.com -d wealth-hack.co -d www.wealth-hack.co -d wealth-hack.us -d www.wealth-hack.us? Should I update 000-default.conf to add the additional domains as server aliases also?

Again, apols for the incomplete first query. I really appreciate your advice.

Should work like a charm.

Not sure. You said you added the extra domains as "networking aliases"? Could you explain what you mean by that, because I don't have a clue :stuck_out_tongue: Perhaps I can learn something :smile: It apparently is something different than a ServerAlias? But how can those extra domains work if they aren't set up in Apache somewhere?

Ha, given the quality of your responses, you won’t learn from me Osiris, trust me;)

I am struggling to wrap my head around what was required for my multi-domain situation even before mixing https into the equation. Prior to learning more about Let's Encrypt, I got my primary domain up and running (wealth-hack.com) serving content via WordPress. For the secondary domains, I literally configured nothing in WordPress or Ubuntu; all I did was set them up within my Digital Ocean ‘domain networking’ section and applied ‘CNAME’ network aliases. Thereafter, when you hit ‘www.wealth-hack.co’ you got seamlessly redirected to wealth-hack.com. It surprised me I got that working with ‘networking’ config only.

My droplet was backed up last night, going to give it a bash and see what happens, I’ll let you know what the outcome is, positive or meltdown;)

Again, appreciate your continued support…

It’s a CNAME indeed. If you only have one <VirtualHost> section in your Apache, Apache will serve that site, even if the hostname requested doesn’t match. For example, I requested the site example.com (through the -servername switch in the OpenSSL command below):

osiris@desktop ~ $ echo "" | openssl s_client -connect www.wealth-hack.co:443 -servername example.com 2>/dev/null | openssl x509 -noout -text | grep -A 1 "Subject Alternative Name"
            X509v3 Subject Alternative Name: 
                DNS:wealth-hack.com, DNS:www.wealth-hack.com
osiris@desktop ~ $ 

Your webserver doesn’t care what’s requested, it just serves wealth-hack.com :slight_smile:

Hopefully, certbot doesn’t care if the requested hostnames aren’t present in Apache's configuration files. It shouldn’t matter for the authentication and issuing of the certificate, but it could be a problem for the installing of the cert. But perhaps it doesn’t care either :stuck_out_tongue:
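The check Osiris ran above (read the Subject Alternative Name list of the certificate a server presents and compare it against the hostnames you expect) as a reusable script. This is an added example, not code from the thread or from certbot. So that it runs offline it builds a throwaway self-signed certificate with a constructed SAN list; to check a live server, feed `cert_covers` a file captured with `openssl s_client -connect host:443 -servername host` instead. The function names are this example's own, and it assumes an OpenSSL build with `-addext` (1.1.1 or later).

```shell
#!/bin/sh
# Added example: does a certificate's SAN list cover every hostname we expect?
set -e

# Print the DNS names from a PEM certificate's Subject Alternative Name
# extension, one per line. Same grep as in the thread, just parsed further.
san_names() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A 1 "Subject Alternative Name" \
    | grep -o 'DNS:[^,[:space:]]*' \
    | sed 's/^DNS://' || true
}

# cert_covers CERT HOST... -> 0 if every HOST is in CERT's SAN list,
# otherwise lists the missing names on stderr and returns 1.
cert_covers() {
  cert="$1"; shift
  names=$(san_names "$cert")
  missing=""
  for h in "$@"; do
    printf '%s\n' "$names" | grep -qx "$h" || missing="$missing $h"
  done
  [ -z "$missing" ] && return 0
  echo "not covered by $cert:$missing" >&2
  return 1
}

# Constructed input: a self-signed cert for the given hostnames, standing in
# for what a real server would present. Key is thrown away.
make_sample_cert() {
  out="$1"; shift
  san=$(printf 'DNS:%s,' "$@" | sed 's/,$//')
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$out.key" -out "$out" \
    -subj "/CN=$1" -addext "subjectAltName=$san" >/dev/null 2>&1
}

# Stand-alone demo: mimic the cert Osiris saw (primary domain only) and ask
# whether it also covers the .co and .us hostnames. It does not.
tmp=$(mktemp -d)
make_sample_cert "$tmp/primary.pem" wealth-hack.com www.wealth-hack.com
echo "SAN list of the sample cert:"
san_names "$tmp/primary.pem"
if cert_covers "$tmp/primary.pem" wealth-hack.co www.wealth-hack.co wealth-hack.us www.wealth-hack.us; then
  echo "all secondary hostnames covered"
else
  echo "certificate needs to be expanded to the secondary hostnames"
fi
```

Run it against a live host by replacing the constructed file with `echo "" | openssl s_client -connect www.wealth-hack.co:443 -servername www.wealth-hack.co 2>/dev/null | openssl x509 > live.pem` and then `cert_covers live.pem www.wealth-hack.co`; the missing-name report on stderr is the part you want in a monitoring job, since a browser warning like the one in the first post is exactly a hostname absent from this list.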


Osiris rocks! I think I am good now, no DR recovery required;)

I ran the command as referred to above; the LetsEncrypt utility didn’t like the fact my 000-default.conf file didn’t have (new to it) server names and asked me to select a virtual host file. I selected the 000 default on multiple occasions, but at the end LetsEncrypt gave me an error [The selected vhost would conflict with other HTTPS VirtualHosts within Apache. Please select another vhost or add ServerNames to your configuration] followed by a success [Congratulations! Your certificate and chain have been saved at (I’ve removed the full path). Your cert will expire on 2017-05-31. To obtain a new version of the certificate in the future, simply run Let’s Encrypt again].

When I tried a secondary URL, it still came up insecure, so I went to plan 2: update the conf file and re-submit. I updated 000-default.conf to add in the aliases and was about to re-submit but decided to reboot just in case. Following the reboot, all redirects are working, and when I put a secondary domain name into https://www.sslshopper.com/ssl-checker.html#hostname=www.wealth-hacker.com, it comes up as secure:) As things stand, all redirects are working nicely!

Again, really appreciate your help Osiris, learning in the OpenSource/Linux’y world can be daunting, people like you make it less so:)
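The fix that ended the thread was adding the secondary hostnames to the vhost as ServerAlias entries, so that the Apache installer can match a VirtualHost to each name it is asked to install a certificate for. Below is an added example (not the thread's own config, not certbot code) that writes such a stanza and checks, before anyone runs the --expand command, that every hostname on the command line is declared as a ServerName or ServerAlias in the file. The DocumentRoot, the webmaster address and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: declare every hostname in the vhost, then verify the file
# before running certbot --expand.
set -e

# write_vhost FILE PRIMARY [ALIAS...]: minimal 000-default.conf-style stanza.
# DocumentRoot and ServerAdmin are placeholders, not the thread's values.
write_vhost() {
  out="$1"; primary="$2"; shift 2
  {
    echo "<VirtualHost *:80>"
    echo "    ServerName $primary"
    [ $# -gt 0 ] && echo "    ServerAlias $*"
    echo "    ServerAdmin webmaster@$primary"
    echo "    DocumentRoot /var/www/html"
    echo "</VirtualHost>"
  } > "$out"
}

# declared_hosts FILE: every hostname named by ServerName or ServerAlias,
# one per line (an alias line may carry several names).
declared_hosts() {
  sed -n \
    -e 's/^[[:space:]]*ServerName[[:space:]]*//p' \
    -e 's/^[[:space:]]*ServerAlias[[:space:]]*//p' "$1" \
    | tr ' ' '\n' | grep -v '^$' || true
}

# vhost_covers FILE HOST... -> 0 if every HOST is declared in FILE; otherwise
# prints the undeclared names (the ones certbot's installer cannot match)
# on stderr and returns 1.
vhost_covers() {
  cfg="$1"; shift
  hosts=$(declared_hosts "$cfg")
  missing=""
  for h in "$@"; do
    printf '%s\n' "$hosts" | grep -qx "$h" || missing="$missing $h"
  done
  [ -z "$missing" ] && return 0
  echo "not declared in $cfg:$missing" >&2
  return 1
}

# Stand-alone demo with the hostnames from the thread, written to a temp dir
# rather than /etc/apache2/sites-available so it can run anywhere.
ALL="wealth-hack.com www.wealth-hack.com wealth-hack.co www.wealth-hack.co wealth-hack.us www.wealth-hack.us"
tmp=$(mktemp -d)
write_vhost "$tmp/000-default.conf" $ALL
cat "$tmp/000-default.conf"
if vhost_covers "$tmp/000-default.conf" $ALL; then
  echo "every hostname is declared; the matching expand command would be:"
  echo "  sudo letsencrypt --apache --expand$(printf ' -d %s' $ALL)"
fi
```

The check only reads ServerName and ServerAlias lines, which is what the "add ServerNames to your configuration" error in the post above is about; it does not validate the rest of the file, so keep `apache2ctl configtest` (or `apachectl -t`) in the loop before reloading Apache.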


Glad to be of help :slight_smile:
