New certificate request after server reinstallation

Hi everyone.
A few days ago I formatted my Raspberry Pi to switch from Raspbian Buster 32-bit to Bullseye 64-bit. I have two problems and I wanted to ask for advice on solving them.
The first is that after re-installing with 64-bit, I wanted to add a new domain ('m9quattro.ddns.net') to the previous ones. In the first certbot command I indicated all three domains, but for the two secondary ones (m9quattro.duckdns.org and m9quattro.ddns.net) it tells me that it cannot find a vhost with a ServerName or domain address. How can I solve this? Is it enough to just add an empty file (for example m9quattro.ddns.net.conf), do I have to write something inside it, or do I have to do something else?
Earlier, when adding the duckdns domain, here on the community I was told to add a line to sites-enabled/default.conf. I tried to insert it again, but it tells me that the 'RewriteEngine' command is invalid.

Second thing, easier to understand: while trying to add the certificates, I exceeded the request limit for them. Since the first ones were requested last Sunday, does this mean that I have to wait at least 3-4 days to make a new request, or all of the 168 hours indicated?
I apologize for the length of the post.

My domain is: m9quattro.hopto.org ; m9quattro.ddns.net ; m9quattro.duckdns.org

I ran this command: 'sudo snap run certbot --apache'

It produced these outputs:

1°) "We were unable to find a ServerName or Address of m9quattro.duckdns.org m9quattro.ddns.net"

2°) "There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: m9quattro.hopto.org m9quattro.ddns.net"

My web server is : Apache/2.4.52

The operating system my web server runs on is : Raspberry Pi OS Bullseye 64bit

My hosting provider is: NoIP and Duckdns

I can login to a root shell on my machine : YES

I'm using a control panel to manage my site : NO

The version of my client is : SNAP 1.23.0


Read the apache2 documentation about the ServerAlias directive:

https://httpd.apache.org/docs/2.4/mod/core.html#serveralias

You just need to add a line after the ServerName one, like

ServerName m9quattro.hopto.org
ServerAlias m9quattro.duckdns.org m9quattro.ddns.net

This is saying that you should use the staging endpoint (certbot --dry-run) when you're experimenting.


Thank you. After the days I will try again to request the new certificates. Using 'certbot --dry-run' gives no errors. Let's see if when I give the final command it will work.


You can run it right now. That limit only applies to the certificate for those two names exactly; it doesn't apply to a certificate for the third name alone, nor does it apply to a certificate for all three names together.


Yesterday I tried to request them together, but for one of the two domains (hopto.org) it tells me that the certificate is not valid. I tried again today to request the certificate for the domain which was found to be invalid, but the old certificate linked to the second domain (duckdns.org) remained also for the first. In this case, I don't know if it is better to wait for the certificate to expire or to revoke it (if possible) ...

You have to ask them together. After you add that config in the apache virtualhost, you can just run certbot --apache --dry-run and check if it works.

Otherwise, try certbot --apache --dry-run -d m9quattro.ddns.net -d m9quattro.duckdns.org -d m9quattro.hopto.org


The config is ok. I tried testing with --dry-run first and it was successful (with all domains together). It still does not show up with the new certificate, but still with that of February 19th ... Maybe it takes some time before it shows the latest one?

You have a certificate for all three names but it's not the one your server is sending.

Configure your server to send this one (serial no 0392ca482727c817c0e5df3ce039c2867a3e). Run certbot certificates to discover where it's saved.

And stop issuing certificates randomly. You'll get ratelimited.

(also, you might want to check this: HowTo: Add a new trusted domain - 📑 How to - Nextcloud community)

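The check above (is the certificate the server actually sends the one certbot just issued?) can be scripted. This is an added example, not code from the thread or from certbot; it uses only the Python standard library and pulls the serial out of the DER with a minimal ASN.1 walk, so no extra packages are needed. The host name and the /etc/letsencrypt/live/... path are assumptions.

```python
"""Compare the serial of the cert a TLS server presents with a cert on disk."""
import base64
import ssl


def read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def serial_from_der(der):
    """Serial number (lowercase hex, no colons) of a DER-encoded X.509 certificate."""
    _, cert, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = read_tlv(cert, 0)          # TBSCertificate ::= SEQUENCE { [0] version, serial, ... }
    tag, value, nxt = read_tlv(tbs, 0)     # version is OPTIONAL, so it may be absent
    if tag == 0xA0:
        tag, value, nxt = read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber, got tag 0x%02x" % tag)
    return value.hex()


def serial_from_pem(pem):
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return serial_from_der(base64.b64decode(body))


def served_serial(host, port=443):
    """Serial of the leaf certificate the server sends for this SNI name."""
    return serial_from_pem(ssl.get_server_certificate((host, port)))


def disk_serial(path):
    with open(path) as f:
        return serial_from_pem(f.read())


def same_certificate(a, b):
    """Compare serials ignoring case, colons and leading zeros (tools print them differently)."""
    norm = lambda s: s.replace(":", "").lower().lstrip("0")
    return norm(a) == norm(b)


if __name__ == "__main__":
    host = "m9quattro.hopto.org"          # assumed host; certbot's live path is also assumed
    expected = disk_serial("/etc/letsencrypt/live/%s/cert.pem" % host)
    got = served_serial(host)
    print("served:", got, "on disk:", expected, "OK" if same_certificate(got, expected) else "MISMATCH")
```

If the serials differ, the SSLCertificateFile lines in the active vhost (for certbot, usually the *-le-ssl.conf file) point at a different lineage than the one certbot certificates lists.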

Ok. I checked the various config files in sites-available and in one of these (000-default-le-ssl.conf), at the bottom, there was the reference to the other certificate. Everything is currently working correctly.
As regards the issue of the small number of certificates, I am aware of it. In fact, after those requested last week, in the past few days I had a bit of fear in requesting them. Excuse me, the previous ones were a bit of a waste, but from now on, even in the case of reconfiguring a new server, I understand how to move and avoid creating certificates unnecessarily.
Thank you @9peppe for your patience in answering me.


You don't have to fear issuing certs. You just have to avoid issuing duplicates. You won't get ratelimited for issuing a different (1) certificate, unless you're issuing 50 certificates on the same registered domain.

(1): different means different group of names, not keysize or algorithm.
