Multiple domains that share an IP address - How to

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: observastore.com & casazza.net, plus several others

I ran this command: I have tried several; the last attempt (which I did not expect to work) was:
certbot certonly --webroot -d observastore.com -d www.observastore.com -d casazza.net -d www.casazza.net

I then edited the SSL site definition file for https://casazza.net to include:
SSLCertificateFile /etc/letsencrypt/live/observastore.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/observastore.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/observastore.com/chain.pem

It produced this output:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/observastore.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/observastore.com/privkey.pem
Your cert will expire on 2019-09-28. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
"certbot renew"

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=casazza.net
Result: Certificate name mismatch

My web server is (include version): Apache 2.4.6.89

The operating system my web server runs on is (include version): centos 7.6

My hosting provider, if applicable, is: 1&1.com aka ionos.com

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.34.2

So far I have figured out why the --apache and default challenge does not work. I have two choices: 1.) use --webroot, 2.) move the webroot folder aside and place an empty one with a single index.html while the script runs.

My latest attempt seemed wrong, but no matter what I do I get the error “Certificate name mismatch” on casazza.net (I setup observastore.com first). Previously, I did the webroot folder switch and used the --apache command line on casazza.net which completed successfully and also ended up with “Certificate name mismatch”

In the end I have 6 totally different domains sharing a single IP address and I want to set up https for each one of them. What is the secret to accomplish this?

Hi @markcasazza

why do you create one certificate with different domain names?

You have created some certificates ( https://check-your-website.server-daten.de/?q=casazza.net#ct-logs ):

Issuer                      not before   not after    Domain names                                                                      LE-Duplicate next LE
Let's Encrypt Authority X3  2019-06-30   2019-09-28   casazza.net, observastore.com, www.casazza.net, www.observastore.com - 4 entries  duplicate nr. 1
Let's Encrypt Authority X3  2019-06-29   2019-09-27   casazza.net, www.casazza.net - 2 entries                                          duplicate nr. 1
Let's Encrypt Authority X3  2019-06-25   2019-09-23   casazza.net - 1 entries                                                           duplicate nr. 1

But you don't use it, instead, there is a self signed certificate:

E=root@www.casazza.net, CN=www.casazza.net, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, S=SomeState, C=--
not before 23.06.2019, not after 22.06.2020
expires in 358 days

So if this

doesn't work, your vHost configuration is buggy: more than one combination of port and domain name.

What does apachectl -S say?

Why not? It's a perfectly valid configuration. But, of course, the Apache configuration needs to account for it.

VirtualHost configuration:
*:443 is a NameVirtualHost
default server www.casazza.net (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost www.casazza.net (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost www.casazza.net (/etc/httpd/MySites/casazza.net-le-ssl.conf:2)
alias casazza.net
port 443 namevhost www.observastore.com (/etc/httpd/MySites/observastore.com-le-ssl.conf:2)
alias observastore.com
: is a NameVirtualHost
default server www.casazza.net (/etc/httpd/MySites/000-default:1)
port * namevhost www.casazza.net (/etc/httpd/MySites/000-default:1)
port * namevhost www.casazza.net (/etc/httpd/MySites/casazza.net:2)
alias casazza.net
port * namevhost www.clearskyalarmclock.com (/etc/httpd/MySites/clearskyalarmclock.com:2)
alias clearskyalarmclock.com
port * namevhost www.ghaas.org (/etc/httpd/MySites/ghaas.org:2)
alias ghaas.org
port * namevhost www.observastore.com (/etc/httpd/MySites/observastore.com:1)
alias observastore.com
port * namevhost www.stillwaterstargazers.com (/etc/httpd/MySites/stillwaterstargazers.com:2)
alias stillwaterstargazers.com
port * namevhost www.tonightssky.com (/etc/httpd/MySites/tonightssky.com:2)
alias tonightssky.com
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

I prefer to have a cert per domain, but I'm okay with having one cert for every domain on the IP address. In the end I'll follow the best practice.

My issue is I haven't managed to figure out how to set up apache either way. I always end up with "Certificate name mismatch" for the second domain. Is there a reference document that covers this topic? I'm happy to read it through and follow the instructions.

Thanks for the quick replies.

That's

a big mess.

Every combination of port and domain name should be unique.

--> give your default server another name and remove the entry in 000-default:1, so you have only the file

/etc/httpd/MySites/casazza.net

Same with your other domains and with your port 443.

Yes, if the configuration is clean.

But you see the output of apachectl -S. There is nothing clean.

Then it's easier to have one file + one vHost per main domain (with the www as alias).
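The layout recommended above, "one file + one vHost per main domain (with the www as alias)", as an added example that is not part of the thread: a small shell generator that prints one port-80 vhost (redirecting to HTTPS, but leaving the ACME path on plain HTTP so certbot --webroot keeps working) and one port-443 vhost per domain, each 443 block pointing at that domain's own certbot lineage. It assumes, as in the poster's own sample vhost, document roots under /home/www/<domain> and an include directory /etc/httpd/MySites; the certificate paths under /etc/letsencrypt/live/<domain>/ are the ones certbot printed in the thread.

```shell
#!/bin/sh
# Added example, not the poster's or certbot's own code.
# Generates one clean Apache vhost file per domain so that every
# (port, hostname) combination exists exactly once.

DOCROOT_BASE=/home/www          # assumption: taken from the poster's sample vhost
LE_LIVE=/etc/letsencrypt/live   # certbot's lineage directory, as printed in the thread

# gen_vhost DOMAIN: print a *:80 vhost that redirects to HTTPS and a *:443
# vhost that serves DOMAIN's own certificate. www.DOMAIN is the ServerName,
# the bare domain its alias, so each name is bound to exactly one vhost per port.
gen_vhost() {
    domain=$1
    cat <<EOF
<VirtualHost *:80>
    ServerName www.$domain
    ServerAlias $domain
    DocumentRoot $DOCROOT_BASE/$domain
    RewriteEngine on
    # keep the ACME path on plain HTTP so certbot --webroot can answer HTTP-01
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.$domain
    ServerAlias $domain
    DocumentRoot $DOCROOT_BASE/$domain
    <Directory $DOCROOT_BASE/$domain>
        AllowOverride All
        Require all granted
    </Directory>
    SSLEngine on
    # this domain's own certbot lineage; on Apache >= 2.4.8 fullchain.pem in
    # SSLCertificateFile replaces cert.pem plus SSLCertificateChainFile
    SSLCertificateFile $LE_LIVE/$domain/cert.pem
    SSLCertificateKeyFile $LE_LIVE/$domain/privkey.pem
    SSLCertificateChainFile $LE_LIVE/$domain/chain.pem
</VirtualHost>
EOF
}

# Demo: print the vhost pair for one of the thread's domains.
# To write all six files on the poster's box (assumption: /etc/httpd/MySites
# is included by httpd.conf), loop over the domains and then run
# "apachectl configtest" before reloading:
#   for d in casazza.net observastore.com; do gen_vhost "$d" > /etc/httpd/MySites/$d.conf; done
gen_vhost "${1:-casazza.net}"
```

Each domain needs its own certificate first (certbot certonly --webroot -w /home/www/DOMAIN -d DOMAIN -d www.DOMAIN), or the 443 block will fail configtest because the lineage directory does not exist yet.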

I added the casazza.net file when I started this process because certbot could not find the casazza.net domain. I configured apache many years ago and, to be honest, never changed it. Per your recommendation I removed 000-default. The output is now:

===============================
VirtualHost configuration:
*:443 is a NameVirtualHost
default server www.casazza.net (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost www.casazza.net (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost www.casazza.net (/etc/httpd/MySites/casazza.net-le-ssl.conf:2)
alias casazza.net
port 443 namevhost www.observastore.com (/etc/httpd/MySites/observastore.com-le-ssl.conf:2)
alias observastore.com
: is a NameVirtualHost
default server www.casazza.net (/etc/httpd/MySites/casazza.net:2)
port * namevhost www.casazza.net (/etc/httpd/MySites/casazza.net:2)
alias casazza.net
port * namevhost www.clearskyalarmclock.com (/etc/httpd/MySites/clearskyalarmclock.com:2)
alias clearskyalarmclock.com
port * namevhost www.ghaas.org (/etc/httpd/MySites/ghaas.org:2)
alias ghaas.org
port * namevhost www.observastore.com (/etc/httpd/MySites/observastore.com:1)
alias observastore.com
port * namevhost www.stillwaterstargazers.com (/etc/httpd/MySites/stillwaterstargazers.com:2)
alias stillwaterstargazers.com
port * namevhost www.tonightssky.com (/etc/httpd/MySites/tonightssky.com:2)
alias tonightssky.com
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

I'm not sure what you mean by "Every combination of port and domain name should be unique." Sorry, my background is programming and the network administration stuff is not my strong area. By "port" are you talking about the number after the colon? How do I force them to be unique? I see nothing in my files to set them. A sample file is below:

<VirtualHost *>
    ServerName www.observastore.com
    ServerAlias observastore.com
    ServerAdmin webmaster@localhost
    DocumentRoot /home/www/observastore.com
    <Directory /home/www/observastore.com>
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog /var/log/httpd/error.log
    LogLevel warn
    CustomLog /var/log/httpd/access.log combined
    ServerSignature On

    <Location />
        # Insert filter
        SetOutputFilter DEFLATE

        # Netscape 4.x has some problems...
        BrowserMatch ^Mozilla/4 gzip-only-text/html

        # Netscape 4.06-4.08 have some more problems
        BrowserMatch ^Mozilla/4\.0[678] no-gzip

        # MSIE masquerades as Netscape, but it is fine
        # BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

        # NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
        # the above regex won't work. You can use the following
        # workaround to get the desired effect:
        BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

        # Don't compress images
        SetEnvIfNoCase Request_URI \
            \.(?:gif|jpe?g|png)$ no-gzip dont-vary

        # Make sure proxies don't deliver the wrong content
        Header append Vary User-Agent env=!dont-vary
    </Location>

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =observastore.com [OR]
    RewriteCond %{SERVER_NAME} =www.observastore.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

============================================
I'm still unsure how to move forward. If cleaning these files up is the fix, I'll do it. I'm sorry that I need a bit more hand holding than the average person.

These are duplicated entries too.

I hope you know the meaning of "port" - tcp port.

You have more than one entry per port + domain. It's like having two mailboxes with the identical name: where would you place a letter with a request? Mailbox one? Mailbox two? If both have different configurations, you don't know which configuration is used -> the wrong configuration with the wrong certificate.
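The "two mailboxes with the same name" problem is easy to check for mechanically. The following is an added example, not code from the thread or from Apache: a shell helper that reads the "VirtualHost configuration" part of apachectl -S and reports every (port, hostname) pair claimed by more than one vhost, plus every vhost bound without a port ("port *", i.e. a bare <VirtualHost *> block, which collides with every *:80 and *:443 block). The embedded sample is constructed from the first apachectl -S listing posted above, trimmed to the lines that matter.

```shell
#!/bin/sh
# Added example: find duplicate port+hostname bindings in `apachectl -S` output.
# Not part of the thread; the sample below is constructed from the poster's listing.

SAMPLE_VHOSTS='VirtualHost configuration:
*:443 is a NameVirtualHost
default server www.casazza.net (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost www.casazza.net (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost www.casazza.net (/etc/httpd/MySites/casazza.net-le-ssl.conf:2)
alias casazza.net
port 443 namevhost www.observastore.com (/etc/httpd/MySites/observastore.com-le-ssl.conf:2)
alias observastore.com
: is a NameVirtualHost
default server www.casazza.net (/etc/httpd/MySites/000-default:1)
port * namevhost www.casazza.net (/etc/httpd/MySites/000-default:1)
port * namevhost www.casazza.net (/etc/httpd/MySites/casazza.net:2)
alias casazza.net
port * namevhost www.observastore.com (/etc/httpd/MySites/observastore.com:1)
alias observastore.com
ServerRoot: "/etc/httpd"'

# vhost_dups: read `apachectl -S` output on stdin and print one line per
# (port, hostname) pair that more than one vhost claims, with the files that
# claim it. Field splitting on whitespace handles the indentation real
# apachectl output has; "alias" lines inherit the port and file of the
# preceding "port ... namevhost" line.
vhost_dups() {
    awk '
        function record(p, n, s,    key) {
            key = p ":" n
            count[key]++
            srcs[key] = (key in srcs) ? srcs[key] " " s : s
        }
        $1 == "port" && $3 == "namevhost" {
            cur_port = $2; cur_src = $5
            record($2, $4, $5)
            next
        }
        $1 == "alias" {
            record(cur_port, $2, cur_src)
            next
        }
        END {
            for (key in count)
                if (count[key] > 1)
                    printf "%s claimed %d times: %s\n", key, count[key], srcs[key]
        }
    ' | sort
}

# vhost_portless: list vhosts bound without an explicit port ("port *").
# These come from <VirtualHost *> blocks and overlap with every *:80 and
# *:443 vhost, which is what produced the name mismatch in the thread.
vhost_portless() {
    awk '$1 == "port" && $2 == "*" && $3 == "namevhost" { print $4, $5 }'
}

# Demo on the constructed sample; on a live box pipe `apachectl -S 2>&1` in instead.
echo "duplicate port+hostname pairs:"
printf '%s\n' "$SAMPLE_VHOSTS" | vhost_dups
echo "vhosts declared without a port:"
printf '%s\n' "$SAMPLE_VHOSTS" | vhost_portless
```

Once both lists are empty, confirm from the outside that SNI picks the right vhost for each name, e.g. openssl s_client -connect casazza.net:443 -servername casazza.net </dev/null 2>/dev/null | openssl x509 -noout -subject -dates, and check that the subject (and the SAN list) match the name you asked for.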

Yes, I understand the TCP ports and http is on 80 and https on 443.

Looking at /etc/httpd/conf.d/ssl.conf, the only VirtualHost section opens with:

Is this a problem? The whole file without comments is:
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

I'm pretty sure this is the default file and I never touched it.

I also noticed that I did not have port 80 specified in my domain config files. They now do and look like:
<VirtualHost *:80>
ServerName www.casazza.net
ServerAlias casazza.net

After thinking this over I backed up ssl.conf and removed the VirtualHost section. Things still seem to be working and I think I eliminated the duplications. New apachectl -S output:

VirtualHost configuration:
*:443 is a NameVirtualHost
default server www.casazza.net (/etc/httpd/MySites/casazza.net-le-ssl.conf:2)
port 443 namevhost www.casazza.net (/etc/httpd/MySites/casazza.net-le-ssl.conf:2)
alias casazza.net
port 443 namevhost www.observastore.com (/etc/httpd/MySites/observastore.com-le-ssl.conf:2)
alias observastore.com
*:80 is a NameVirtualHost
default server www.casazza.net (/etc/httpd/MySites/casazza.net:2)
port 80 namevhost www.casazza.net (/etc/httpd/MySites/casazza.net:2)
alias casazza.net
port 80 namevhost www.clearskyalarmclock.com (/etc/httpd/MySites/clearskyalarmclock.com:2)
alias clearskyalarmclock.com
port 80 namevhost www.ghaas.org (/etc/httpd/MySites/ghaas.org:2)
alias ghaas.org
port 80 namevhost www.observastore.com (/etc/httpd/MySites/observastore.com:1)
alias observastore.com
port 80 namevhost www.stillwaterstargazers.com (/etc/httpd/MySites/stillwaterstargazers.com:2)
alias stillwaterstargazers.com
port 80 namevhost www.tonightssky.com (/etc/httpd/MySites/tonightssky.com:2)
alias tonightssky.com
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

This seems to have fixed things as far as ssllabs is concerned. I am also now able to generate a cert per domain.

Thanks for the patience and pointing me in the right direction.


Yep, now it looks clean enough.

Happy to read that it had worked :+1:
