One certificate for two domains

I have an apex domain which is serving the same traffic as a domain prefixed with www. for that apex domain. However, the apex domain reports:

mydomain.org uses an invalid security certificate. The certificate is only valid for www.mydomain.org
Error code: SSL_ERROR_BAD_CERT_DOMAIN

I’ve tried issuing
certbot-auto certonly --cert-name mydomain.org -d mydomain.org,www.mydomain.org

but it’s still producing the error (I’ve tried clearing my browser cache with no luck).
Any tips/fix?

Please specify the actual domain names.

http://logontocarelearningcentre.org.uk

According to the certificate transparency logs you have issued a certificate for both names:

https://crt.sh/?id=268077571

Did you restart your webserver software (Apache)?
What is the output of the command certbot-auto certificates?


Ah - haven’t restarted, will try that - thanks. I wasn’t aware of the transparency logs tool - will have to use that again.

Using “certonly” just gets a cert.
You may need to finish the process manually (and actually use it).

@rg305 - thanks - how would I finish the process manually and then use it? I’ve only used the command certbot-auto.

You said:

What did you originally use to get the cert installed and in use?

certbot from the command line.

just “certbot” ?
did it prompt you with questions?

Sure - it asked about which web server is used and then maybe another question or so - it was some time ago.

tgm@TGMW-WEB00:~$ sudo certbot-auto --version
certbot 0.19.0

Certificate Name: www.logontocarelearningcentre.org.uk
Domains: www.logontocarelearningcentre.org.uk
Expiry Date: 2018-01-07 01:45:39+00:00 (VALID: 36 days)
Certificate Path: /etc/letsencrypt/live/www.logontocarelearningcentre.org.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.logontocarelearningcentre.org.uk/privkey.pem

I’ve redacted the other certificates from the certificates list as they are working fine.

Try:
certbot-auto --expand -d www.logontocarelearningcentre.org.uk,logontocarelearningcentre.org.uk

I must have missed his post: as @bytecamp stated, there seems to be an issued cert with both names on it: https://crt.sh/?id=268077571

Try restarting your web server.
and to confirm show:
/etc/letsencrypt/live/www.logontocarelearningcentre.org.uk/fullchain.pem
If it starts with the cert below, it is the old cert and you will need to undo the

and show the other certs and maybe even the vhost configs to find the conflict.

-----BEGIN CERTIFICATE-----
[certificate body elided]
-----END CERTIFICATE-----

Thanks @rg305 and @bytecamp - I will restart the server and see the result. However, I can’t do that right now as it is a production server. I will post back the result.

You only need to restart the web service,
not the entire server.

Sure, but people are using apache right now and I don’t want them to experience any interruption. Unless you can reload it gracefully like nginx?

look into:
apachectl graceful

and… to confirm (BEFORE YOU RESTART ANYTHING) show the PUBLIC CERTS:
/etc/letsencrypt/live/www.logontocarelearningcentre.org.uk/fullchain.pem

If you still need help, maybe someone else can pick up where we left off - I’m off like a light switch…

Thanks for your help. The certificate is different from the one above. Where might a conflict arise? Should I look at all the other certificates?

I’ve restarted apache and still have the same result.

-----BEGIN CERTIFICATE-----
[certificate body elided]
-----END CERTIFICATE-----

I can’t paste the whole certificates in here as I’m only allowed 20 links - but I’ve posted it at https://pastebin.com/AryB2cti

This is what should now be in use:

But it isn’t :frowning:

Start by looking at what is actually used in your vhost file(s) that covers both of those domain names.

Thanks @rg305 - I have this in the vhosts ssl file (lotc-moodle-le-ssl.conf)

SSLCertificateFile /etc/letsencrypt/live/www.logontocarelearningcentre.org.uk/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.logontocarelearningcentre.org.uk/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/www.logontocarelearningcentre.org.uk/chain.pem

Do I need to change the part where it references chain.pem to fullchain.pem?

Also the ServerAlias is set to *.logontocarelearning.org.uk - is that acceptable in this case?

You should change the bit where it references www.logontocarelearningcentre.org.uk to logontocarelearningcentre.org.uk, since that’s the name of the certificate that contains both domain names.

You don’t need to, but since you’re using Apache 2.4, you can if you want to. If you do, you should also remove the whole SSLCertificateChainFile line.

The wildcard should be fine, but is centre missing from the name?
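The two problems diagnosed above (the vhost still points at the old www-only certificate lineage, and the ServerAlias wildcard has a typo) are exactly the kind of thing a small offline audit catches before a web server reload. The script below is an added example, not code from the thread or from Certbot: it parses the ServerName/ServerAlias/SSLCertificateFile directives out of a vhost, looks up the certificate's subjectAltName list (here a constructed map that mirrors the two certificates in the thread; on a real host you would fill it from `openssl x509 -in <file> -noout -ext subjectAltName`), and reports every hostname the vhost does not match or the certificate does not cover. Hostname matching against SANs follows RFC 6125 (a `*` covers exactly one leftmost label), while ServerAlias matching follows Apache's own wildcard semantics (`*` and `?`, case-insensitive). The vhost texts, paths and SAN lists are constructed sample input.

```python
import re

# Constructed sample: the vhost as posted in the thread (old www-only lineage,
# alias missing "centre"). Not a real configuration file from any server.
OLD_VHOST = """
<VirtualHost *:443>
    ServerName www.logontocarelearningcentre.org.uk
    ServerAlias *.logontocarelearning.org.uk
    SSLCertificateFile /etc/letsencrypt/live/www.logontocarelearningcentre.org.uk/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.logontocarelearningcentre.org.uk/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/www.logontocarelearningcentre.org.uk/chain.pem
</VirtualHost>
"""

# Constructed sample: the same vhost after applying the advice in the thread
# (point at the lineage that carries both names, fix the alias, use fullchain.pem).
FIXED_VHOST = """
<VirtualHost *:443>
    ServerName www.logontocarelearningcentre.org.uk
    ServerAlias logontocarelearningcentre.org.uk
    SSLCertificateFile /etc/letsencrypt/live/logontocarelearningcentre.org.uk/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/logontocarelearningcentre.org.uk/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
"""

# Constructed (assumed) subjectAltName lists keyed by certificate file. In practice
# populate this from `openssl x509 -in <file> -noout -ext subjectAltName`.
CERT_SANS = {
    "/etc/letsencrypt/live/www.logontocarelearningcentre.org.uk/cert.pem":
        ["www.logontocarelearningcentre.org.uk"],
    "/etc/letsencrypt/live/logontocarelearningcentre.org.uk/fullchain.pem":
        ["logontocarelearningcentre.org.uk", "www.logontocarelearningcentre.org.uk"],
}


def apache_alias_matches(pattern, hostname):
    """Apache ServerName/ServerAlias semantics: '*' matches any run of characters
    (dots included), '?' matches one character, comparison is case-insensitive."""
    regex = "^" + "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    ) + "$"
    return re.match(regex, hostname, re.IGNORECASE) is not None


def san_matches(san, hostname):
    """RFC 6125 style DNS-ID match: exact name, or a '*.' wildcard that covers
    exactly one leftmost label (so *.example.org covers a.example.org, not a.b.example.org)."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]  # ".example.org"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return leftmost != "" and "." not in leftmost
    return san == hostname


def parse_vhost(text):
    """Return (certificate file, [names the vhost answers for]) from a vhost block."""
    names, cert_file = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive, args = parts[0], parts[1:]
        if directive in ("ServerName", "ServerAlias"):
            names.extend(args)
        elif directive == "SSLCertificateFile" and args:
            cert_file = args[0]
    return cert_file, names


def audit_vhost(vhost_text, cert_sans, hostnames):
    """For each hostname, report whether the vhost would match it and whether the
    certificate the vhost references actually covers it."""
    cert_file, vhost_names = parse_vhost(vhost_text)
    sans = cert_sans.get(cert_file, [])
    return {
        host: {
            "vhost_matches": any(apache_alias_matches(n, host) for n in vhost_names),
            "cert_covers": any(san_matches(s, host) for s in sans),
        }
        for host in hostnames
    }


def problems(report):
    """Hostnames that would produce a name mismatch or never reach this vhost."""
    return sorted(h for h, r in report.items() if not (r["vhost_matches"] and r["cert_covers"]))


if __name__ == "__main__":
    hosts = ["www.logontocarelearningcentre.org.uk", "logontocarelearningcentre.org.uk"]
    for label, vhost in (("old", OLD_VHOST), ("fixed", FIXED_VHOST)):
        report = audit_vhost(vhost, CERT_SANS, hosts)
        print(label, problems(report) or "all names matched and covered")
```

Run it against the old vhost and it flags the apex name on both counts (the alias typo keeps the vhost from matching it, and the www-only certificate does not list it); against the fixed vhost it reports nothing. The same audit works for any vhost once the SAN map is filled from the real certificate files, which is cheaper than reloading Apache and checking the browser.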