No Certificate for www

Hello,
I've a problem with the www subdomain. Without www the domain is reachable, but with www I get an error.

My domain is:

I ran this command:
```
certbot certonly --standalone -d www.mitmachtagkreislaufwirtschaft.de -d mitmachtagkreislaufwirtschaft,de
```
It produced this output:

Domain error: The www subdomain exists, but we couldn't connect to it using HTTPS ("x509: certificate is valid for mitmachtagkreislaufwirtschaft.de, not www.mitmachtagkreislaufwirtschaft.de"). Since many people type this by habit, HSTS preloading would likely cause issues for your site.

My web server is (include version):
Apache/2.4.41 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

I hope you can help me. Sorry for my bad English :frowning:

1 Like

Welcome to the Let's Encrypt Community! :slightly_smiling_face:

The current problem is that your Apache 2.4.41 webserver is serving this certificate, which only covers mitmachtagkreislaufwirtschaft.de, for both mitmachtagkreislaufwirtschaft.de and www.mitmachtagkreislaufwirtschaft.de. From the list of certificates you've acquired, I believe that you may have conflicting VirtualHost blocks in your Apache configuration.

For www.mitmachtagkreislaufwirtschaft.de:

For mitmachtagkreislaufwirtschaft.de:

5 Likes

OK, can I reset all the settings and create new certificates? And how can I do that?

Thanks for your help. I used the bot because I hoped it would be very easy. And now I don't really know what to do. I also need the www, can I fix it somehow? Or can someone help me?

1 Like

You got a cert with both names in it (see here). Your Apache server is just not sending it out.

Was there a reason you chose the standalone method with certbot? Because that requires stopping your Apache server to get/renew the certs. And, it means you must configure Apache yourself.

4 Likes

I used a guide that sounded simple. Can I undo this?

Yes. Do you want certbot to configure your HTTPS VirtualHost or do you prefer to do that yourself?

4 Likes

Since I am very insecure at the moment, I would like to take an easy path. It annoys me that I don't wsr properly, but I want to do it right now.

Let's start by looking at your Apache config. I see your HTTPS site is configured and gets a good score (A+) at SSL Labs. Yes, some of your redirects are wrong and the wrong cert is being sent. But, there is some good config to work with.

So, let's look at your Apache config to see if using the plug-in or maybe webroot is best.

What does this show?

```
apachectl -t -D DUMP_VHOSTS
```

4 Likes

This is what I get:

```
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 mitmachtagkreislaufwirtschaft.de (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 mitmachtagkreislaufwirtschaft.de (/etc/apache2/sites-enabled/000-default.conf:4)
```

Can you show the contents of this file? Please put 3 backticks before and after the output like:
```
contents of conf file
```

4 Likes

Here is the content:

```
<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@localhost

        ServerName mitmachtagkreislaufwirtschaft.de

        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        #RewriteEngine on
        #RewriteCond %{SERVER_NAME} =mitmachtagkreislaufwirtschaft.de
        #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

        SSLCertificateFile /etc/letsencrypt/live/mitmachtagkreislaufwirtschaft.de-0001/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mitmachtagkreislaufwirtschaft.de-0001/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
```

What does this show?:
```
certbot certificates
```

4 Likes

Certbot certificates shows:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: mitmachtagkreislaufwirtschaft.de-0001
    Domains: mitmachtagkreislaufwirtschaft.de
    Expiry Date: 2022-12-05 09:19:34+00:00 (VALID: 79 days)
    Certificate Path: /etc/letsencrypt/live/mitmachtagkreislaufwirtschaft.de-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mitmachtagkreislaufwirtschaft.de-0001/privkey.pem
  Certificate Name: mitmachtagkreislaufwirtschaft.de
    Domains: mitmachtagkreislaufwirtschaft.de www.mitmachtagkreislaufwirtschaft.de
    Expiry Date: 2022-12-14 09:17:06+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/mitmachtagkreislaufwirtschaft.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mitmachtagkreislaufwirtschaft.de/privkey.pem
  Certificate Name: www.mitmachtagkreislaufwirtschaft.de
    Domains: www.mitmachtagkreislaufwirtschaft.de
    Expiry Date: 2022-12-08 10:16:42+00:00 (VALID: 82 days)
    Certificate Path: /etc/letsencrypt/live/www.mitmachtagkreislaufwirtschaft.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.mitmachtagkreislaufwirtschaft.de/privkey.pem
```

Ok, so there are three certs:

One with the base name [only]:

```
Certificate Name: mitmachtagkreislaufwirtschaft.de-0001
Domains:          mitmachtagkreislaufwirtschaft.de
```

One with the "www" name [only]:

```
Certificate Name: www.mitmachtagkreislaufwirtschaft.de
Domains:          www.mitmachtagkreislaufwirtschaft.de
```

One with both names:

```
Certificate Name: mitmachtagkreislaufwirtschaft.de
Domains:          mitmachtagkreislaufwirtschaft.de
                  www.mitmachtagkreislaufwirtschaft.de
```

Only one is needed - the cert with both names on it.

3 Likes

Edit this file:
`/etc/apache2/sites-enabled/000-default-le-ssl.conf`
Remove both of the `-0001` from the cert paths.

and add:
```
ServerAlias www.mitmachtagkreislaufwirtschaft.de
```

then you can restart Apache and delete the unwanted certs:
```
certbot delete --cert-name mitmachtagkreislaufwirtschaft.de-0001
certbot delete --cert-name www.mitmachtagkreislaufwirtschaft.de
```

5 Likes
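The mismatch diagnosed in this thread can be checked mechanically before deleting any certificate. The following is an added example, not code from any poster or from certbot: it compares a vhost's `ServerName`/`ServerAlias` and `SSLCertificateFile` against `certbot certificates` output. The sample strings are constructed from the outputs posted above, and the function names and `WANTED` set are assumptions of this example.

```python
from pathlib import PurePosixPath

# Constructed samples, trimmed from the outputs posted in this thread.
CERTBOT_OUTPUT = """\
  Certificate Name: mitmachtagkreislaufwirtschaft.de-0001
    Domains: mitmachtagkreislaufwirtschaft.de
  Certificate Name: mitmachtagkreislaufwirtschaft.de
    Domains: mitmachtagkreislaufwirtschaft.de www.mitmachtagkreislaufwirtschaft.de
  Certificate Name: www.mitmachtagkreislaufwirtschaft.de
    Domains: www.mitmachtagkreislaufwirtschaft.de
"""
VHOST_BEFORE = """\
ServerName mitmachtagkreislaufwirtschaft.de
SSLCertificateFile /etc/letsencrypt/live/mitmachtagkreislaufwirtschaft.de-0001/fullchain.pem
"""
WANTED = {"mitmachtagkreislaufwirtschaft.de", "www.mitmachtagkreislaufwirtschaft.de"}

def parse_lineages(text):
    """Map certbot certificate name -> set of domains on that certificate."""
    lineages, current = {}, None
    for line in map(str.strip, text.splitlines()):
        key, _, value = line.partition(":")
        if key == "Certificate Name":
            current = value.strip()
        elif key == "Domains" and current:
            lineages[current] = set(value.split())
    return lineages

def parse_vhost(conf):
    """Return (hostnames, lineage) from one vhost; commented lines never match."""
    names, lineage = set(), None
    for parts in (l.split() for l in conf.splitlines()):
        key = parts[0].lower() if parts else ""
        if key in ("servername", "serveralias"):
            names.update(p.lower() for p in parts[1:])
        elif key == "sslcertificatefile":
            # Assumes certbot's layout: /etc/letsencrypt/live/<name>/fullchain.pem
            lineage = PurePosixPath(parts[1]).parent.name
    return names, lineage

def audit(conf, certbot_text, wanted):
    """Report hostnames the vhost does not name or its certificate does not cover."""
    lineages = parse_lineages(certbot_text)
    names, lineage = parse_vhost(conf)
    return {
        "not_in_vhost": sorted(wanted - names),
        "not_on_cert": sorted(wanted - lineages.get(lineage, set())),
        "lineages_covering_all": sorted(n for n, d in lineages.items() if wanted <= d),
    }

print(audit(VHOST_BEFORE, CERTBOT_OUTPUT, WANTED))
```

Empty `not_in_vhost` and `not_on_cert` lists mean every wanted hostname is both named by the vhost and present on the certificate it serves.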

After doing what rg305 just showed, you should also check your port 80 VirtualHost and make sure it has the same ServerName and ServerAlias statements that are in your port 443 VirtualHost

4 Likes

When there is only one vhost for any specific port, that one will be the default.
In such cases, even if misconfigured, one might end up with the desired results [albeit accidentally].

Note: Unless edited, there was only one vhost shown for port 80 and also only one for port 443 in the DUMP_HOSTS output.

4 Likes

Yes, totally agree about how default VHosts work. I just thought it would be clearer since you were suggesting adding a ServerAlias to the port 443 VHost that the names in the port 80 VHost should match. Not necessarily for a technical reason. But, might help avoid confusion given the problems seen due to inconsistent names.

4 Likes

I totally agree that things should be as they should be - not just working by accident.

Everything worked for the first site
Then things failed when I added the second site [done exactly as the first site]
If both were done wrong, those two wrongs will never lead to a right.

4 Likes
