New certificate request after server reinstallation

m9quattro · February 17, 2022, 9:40pm

Hi everyone.
A few days ago I formatted my raspberry to switch from Raspbian Buster 32bit to bullseye 64bit. I have 2 Problems and I wanted to ask for advice to solve them.
The first is that after re-installing with 64bit, I wanted to add a new domain ('m9quattro.ddns.net') to the previous ones. At the first certbot command I indicated all three domains, but for the 2 secondary ones (m9quattro.duckdns.org and m9quattro.ddns.net) it tells me that it cannot find a vhost with a ServerName or domain address. How can I solve? just add a file (for example m9quattro.ddns.net.conf) empty, do I have to write something inside or do I have to do something else?
Earlier, when adding the duckdns domain, here on the community, I was told to add a string to sites-enabled / default.conf. Again I tried to insert it but it tells me that the 'RewriteEngine' command is invalid.

Second thing, easier to understand, trying to add the certificates, I have exceeded the request number of the same. Since the first statuses were requested last Sunday, does this mean that I have to wait at least 3-4 days to make a new request, or all the 168 hours indicated?
I apologize for the length of the post.

My domain is: m9quattro.hopto.org ; m9quattro.ddns.net ; m9quattro.duckdns.org

I ran this command: 'sudo snap run certbot --apache'

It produced these outputs:

1°) "We were unable to find a ServerName or Address of m9quattro.duckdns.org m9quattro.ddns.net"

2°) "There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: m9quattro.hopto.org m9quattro.ddns.net"

My web server is : Apache/2.4.52

The operating system my web server runs on is : Raspberry Pi OS Bullseye 64bit

My hosting provider is: NoIP and Duckdns

I can login to a root shell on my machine : YES

I'm using a control panel to manage my site : NO

The version of my client is : SNAP 1.23.0

9peppe · February 17, 2022, 10:33pm

Read the apache2 documentation about the ServerAlias directive:

https://httpd.apache.org/docs/2.4/mod/core.html#serveralias

You just need to add a line after the ServerName one, like

ServerName m9quattro.hopto.org
ServerAlias m9quattro.duckdns.org m9quattro.ddns.net

9peppe · February 17, 2022, 10:36pm

This is saying that you should use the staging endpoint (certbot --dry-run) when you're experimenting.

m9quattro · February 19, 2022, 12:19pm

Thank you. After the days I will try again to request the new certificates. Using 'certbot --dry-run' gives no errors. Let's see if when I give the final command it will work.

9peppe · February 19, 2022, 2:07pm

You can run it right now. That limit only applies to the certificate for those two names exactly, it doesn't apply to a certificate for the third name alone, nor it applies to a certificate for all three names together.

m9quattro · February 20, 2022, 12:14pm

Yesterday I tried to request them together, but for one of the two domains (hopto.org) it tells me that the certificate is not valid. I tried again today to request the certificate for the domain which was found to be invalid, but the old certificate linked to the second domain (duckdns.org) remained also for the first. In this case, I don't know if it is better to wait for the certificate to expire or to revoke it (if possible) ...

9peppe · February 20, 2022, 12:21pm

You have to ask them together. After you add that config in the apache virtualhost, you can just run certbot --apache --dry-run and check if it works.

Otherwise, try certbot --apache --dry-run -d m9quattro.ddns.net -d m9quattro.duckdns.org -d m9quattro.hopto.org

m9quattro · February 20, 2022, 1:07pm

The config is ok. I tried testing with --dry -run first and it was successful (with all domains together). It still does not appear with the new certificate, but still with that of February 19th ... Maybe it takes some time before it results with the last one?

9peppe · February 20, 2022, 1:21pm

You have a certificate for all three names but it's not the one your server is sending.

Configure your server to send this one (serial no 0392ca482727c817c0e5df3ce039c2867a3e). Run certbot certificates to discover where it's saved.

And stop issuing certificates randomly. You'll get ratelimited.

(also, you might want to check this: HowTo: Add a new trusted domain - 📑 How to - Nextcloud community)

m9quattro · February 20, 2022, 1:52pm

Ok. I checked the various config files in sites-available and in one of these (000-default-le-ssl.conf), at the bottom, there was the reference to the other certificate. Everything is currently working correctly.
As regards the issue of the small number of certificates, I am aware of it. In fact, after those requested last week, in the past few days I had a bit of fear in requesting them. Excuse me, the previous ones were a bit of a waste, but from now on, even in the case of reconfiguring a new server, I understand how to move and avoid creating certificates unnecessarily.
Thank you @9peppe for your patience in answering me.

9peppe · February 20, 2022, 1:56pm

You don't have to fear issuing certs. You just have to avoid issuing duplicates. You won't get ratelimited for issuing a different⁽¹⁾ certificate, unless you're issuing 50 certificates on the same registered domain.

(1): different means different group of names, not keysize or algorithm.

system · March 22, 2022, 1:56pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.