One server with two urls

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I have a server which is running two URLs. Will I need 2 SSL certs, or will one cert cover the server for both URLs?
Kind regards

My domain is:
abc.co.uk, donrossie.co.uk
I ran this command:

It produced this output:

My web server is (include version):
apache2
The operating system my web server runs on is (include version):
php 7.4
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

It's generally best to use one certificate per website. e.g. www.abc.co.uk and abc.doc.uk might be the names on one certificate.

It's possible to have one cert that covers multiple sites but you'd normally only do that because you really need to for some reason.

3 Likes

I agree with webprofusion but to put it in Apache terms ... I think it is best to have one cert for all the names defined in one VirtualHost. Those are the ServerName and any ServerAlias names.

You don't get certs for "URLs" by the way. You get them for domain names (also called hostnames)

4 Likes

I didn't know that I could have two different website domain names on the one certificate. As I said, I have two domain names connecting to one server using the same port number.

As background, when people request your website, even though it's all going to the same IP address and port the webserver knows to inspect the request and serve the correct website based on the domain name in the request.

This is easy for http but slightly trickier for https, and years ago before SNI (server name indication) you actually had to have a different IP address per website in order to have a different certificate binding for each website. Now most modern websites and browsers use SNI to serve the correct certificate based on the requested name.

Regarding multiple names: www.abc.co.uk and abc.co.uk are (despite appearances) different names and could serve completely different websites; it's just convention that says they're the same thing. So most websites include at least these two variations in their certificate, otherwise if a user tries to use www and you don't include that, they won't get a valid secure connection (because that name's not on the certificate).

2 Likes

Hi webprofusion, thank you for your detailed explanation, which helps me greatly in understanding certs. This raises another question for me: can I install 2 SSL certs on the same apache2 server, one for each of the different domain names?
Kind regards...

1 Like

Yes you can. I'm not a regular Certbot or Apache user but you can tell certbot which specific domains to include in a particular certificate with the -d option (see User Guide — Certbot 2.9.0 documentation); worth just giving it a try.

2 Likes

As normal, nothing ever with Linux goes to plan. I've installed a certificate following all instructions, enabled the certificate and rebooted the machine, but when I go to connect to the server, it says this site can't provide a secure connection. Any ideas on what is wrong?

Is the URL using?:

HTTPS://...

What shows?:

sudo apachectl -t -D DUMP_VHOSTS

2 Likes

I have an SSL cert for def.co.uk only

sudo apachectl -t -D DUMP_VHOSTS
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 dfcr.co.uk (/etc/apache2/sites-enabled/reknab-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server donrossie.co.uk (/etc/apache2/sites-enabled/reknab-le-ssl.conf:17)
port 80 namevhost donrossie.co.uk (/etc/apache2/sites-enabled/reknab-le-ssl.conf:17)
alias www.donrossie.co.uk
port 80 namevhost donrossie.co.uk (/etc/apache2/sites-enabled/reknab.conf:1)
alias www.donrossie.co.uk
port 80 namevhost dfcr.co.uk (/etc/apache2/sites-enabled/reknab.conf:15)
alias www.dfcr.co.uk

That's a problem then because you only have a port 443 VirtualHost for abc.co.uk. And even that is missing a ServerAlias that you have for the www subdomain of that name in your port 80 VirtualHost

As for me, I would help more if you provide your actual domain names. Educating someone about Apache admin is too time-consuming with fake names.

1 Like

I have now installed a second SSL cert for the donrossie.co.uk domain name but still can't get either of them to connect with HTTPS.

Connecting to HTTPS://dfcr.co.uk:1953 and HTTPS://donrossie.co.uk:1953 gives a "can't provide a secure connection" error.
Connecting without the s (HTTP://) to dfcr.co.uk gives a 403 forbidden, and connecting to HTTP://donrossie.... actually accesses the website.

This is my sites-enabled/reknab.conf config:
<VirtualHost *:80>
ServerName donrossie.co.uk
ServerAlias www.donrossie.co.uk
ServerAdmin webmaster@localhost
DocumentRoot "/var/www/reknab"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =dfcr.co.uk [OR]
RewriteCond %{SERVER_NAME} =www.dfcr.co.uk [OR]
RewriteCond %{SERVER_NAME} =donrossie.co.uk
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
ServerName dfcr.co.uk
ServerAlias www.dfcr.co.uk
ServerAdmin webmaster@localhost
DocumentRoot "/var/www/dfcr"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.dfcr.co.uk [OR]
RewriteCond %{SERVER_NAME} =dfcr.co.uk
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

And this is my sites-enabled/reknab-le-ssl.conf:

<VirtualHost *:443>
ServerName dfcr.co.uk
ServerAlias www.dfcr.co.uk
ServerAdmin webmaster@localhost
DocumentRoot "/var/www/dfcr"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias donrossie.co.uk
SSLCertificateFile /etc/letsencrypt/live/donrossie.co.uk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/donrossie.co.uk/privkey.pem
</VirtualHost>

<VirtualHost *:80>
ServerName donrossie.co.uk
ServerAlias www.donrossie.co.uk
ServerAdmin webmaster@localhost
DocumentRoot "/var/www/reknab"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Are there any errors that will fix this problem please?
Kind regards...

I'm seeing a tplink modem self-signed certificate; that probably means that you're not forwarding port 443 through to your actual server, so it's just your router that's responding.

Regarding ServerName and ServerAlias, you need to include all identities of your site, so if a single site is known by 3 possible domain names they all need to be included as either the servername or an alias.

Each site then has its own *.443 configuration section that says which servernames + aliases it responds to and which certificate file to use.

1 Like

There is a lot to unpack here as they say

Let's focus just on donrossie domain

Your (first) port 80 VirtualHost for that ServerName is okay except it does not need the RewriteCond for the two dfcr domain names. This VHost won't ever see such requests. It is not harmful it is just not useful.

But you have another port 80 VirtualHost for that domain in your reknab-le-ssl.conf file. I am pretty sure you want that to be port 443 instead. Further, you also then need these 3 lines to set up the SSL. These are from your dfcr port 443 VirtualHost

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/donrossie.co.uk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/donrossie.co.uk/privkey.pem

And, remove the ServerAlias for donrossie domain from the first port 443 VirtualHost with dfcr as the ServerName

Now, you showed using port 1953 for your HTTPS requests as:

Are you forwarding port 1953 to port 443 at your Apache local IP?

I assume you can't use port 443 as maybe your router is using it for its own purposes? If so, you might want to re-assign that to something else to allow use of port 443 and HTTPS in the normal way.

Once we get past these items there is the issue of your cert not having both domain names (the root and its www subdomain).

And, your other domain name has the wrong SSLCertificate file references but we will get to this later.

2 Likes
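The checks made by hand in the replies above (a name with a port 80 VirtualHost but no port 443 one, the same name defined twice on one port, a certificate path that belongs to a different name) can be run mechanically. This is an added Python example, not code from any poster or from Apache or Certbot; `SAMPLE_CONF`, `parse_vhosts` and `audit` are hypothetical names, and the certificate check is a heuristic that assumes Certbot's usual `live/<first domain>/` directory naming.

```python
import re
from collections import defaultdict

# Constructed input: the thread's two files reduced to the relevant directives,
# in the order the DUMP_VHOSTS output lists them (reknab-le-ssl.conf first).
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName dfcr.co.uk
    ServerAlias www.dfcr.co.uk
    ServerAlias donrossie.co.uk
    SSLCertificateFile /etc/letsencrypt/live/donrossie.co.uk/fullchain.pem
</VirtualHost>
<VirtualHost *:80>
    ServerName donrossie.co.uk
    ServerAlias www.donrossie.co.uk
</VirtualHost>
<VirtualHost *:80>
    ServerName donrossie.co.uk
    ServerAlias www.donrossie.co.uk
</VirtualHost>
<VirtualHost *:80>
    ServerName dfcr.co.uk
    ServerAlias www.dfcr.co.uk
</VirtualHost>
"""

def parse_vhosts(conf):
    """Yield (port, names, cert_path) per VirtualHost; ServerName comes first in names."""
    for port, body in re.findall(r"<VirtualHost\s+\S*?:(\d+)>(.*?)</VirtualHost>", conf, re.S | re.I):
        names = []
        for kind in ("ServerName", "ServerAlias"):
            for m in re.finditer(rf"^[ \t]*{kind}[ \t]+(.+)$", body, re.M | re.I):
                names.extend(m.group(1).split())
        cert = re.search(r"^[ \t]*SSLCertificateFile[ \t]+(\S+)", body, re.M | re.I)
        yield int(port), names, cert.group(1) if cert else None

def audit(conf):
    seen, findings = defaultdict(set), []
    for port, names, cert in parse_vhosts(conf):
        for name in names:
            if name in seen[port]:
                findings.append(f"{name}: defined twice on port {port}, only the first VirtualHost is used")
            seen[port].add(name)
        # Heuristic (assumption): certbot's live/<dir>/ is usually named after the cert's first domain.
        lineage = re.search(r"/live/([^/]+)/", cert or "")
        if port == 443 and names and lineage and lineage.group(1) != names[0]:
            findings.append(f"{names[0]}: certificate path is for {lineage.group(1)}, check it covers {', '.join(names)}")
    findings += [f"{n}: port 80 only, no port 443 VirtualHost" for n in sorted(seen[80] - seen[443])]
    return findings
```

Calling `audit(SAMPLE_CONF)` returns four findings for the configuration as posted; a path mismatch is only a prompt to inspect the certificate's actual names.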

Hi webprofusion, with your help I am getting somewhere. I have changed all <VirtualHost *.80> to <VirtualHost *.443> and changed the port forward internal address to 443 from 80. donrossie.co.uk:1953 works with HTTPS but points to the DFCR domain (it should point to the apache2 server home page, not the DFCR domain name).

HTTPS://dfcr.co.uk:1953 works but strikes through the HTTPS and says X Not Secure in the address bar, but it does point to the DFCR domain.

I should clarify that I have one IP address, two domain names and two separate websites. Each domain name only points to one website. I am trying to get an SSL cert for each domain name....

Hi MikeMcQ,
I have changed the port forwarding 1953 from 80 to 443

I think this is what you are saying:

reknab.conf:

<VirtualHost *:443>
    ServerName donrossie.co.uk
    ServerAlias www.donrossie.co.uk
    ServerAdmin webmaster@localhost
    DocumentRoot "/var/www/reknab"
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.donrossie.co.uk [OR]
RewriteCond %{SERVER_NAME} =donrossie.co.uk
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    ServerName dfcr.co.uk
    ServerAlias www.dfcr.co.uk
    ServerAdmin webmaster@localhost
    DocumentRoot "/var/www/dfcr"
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.dfcr.co.uk [OR]
RewriteCond %{SERVER_NAME} =dfcr.co.uk
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

reknab-le-ssl.conf:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName dfcr.co.uk
    ServerAlias www.dfcr.co.uk
    ServerAdmin webmaster@localhost
    DocumentRoot "/var/www/dfcr"
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/dfcr.co.uk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dfcr.co.uk/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName donrossie.co.uk
    ServerAlias www.donrossie.co.uk
    ServerAdmin webmaster@localhost
    DocumentRoot "/var/www/reknab"
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/donrossie.co.uk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/donrossie.co.uk/privkey.pem
</VirtualHost>
</IfModule>

Close. In reknab.conf the ports should be 80.

Leave them 443 in reknab-le-ssl.conf.

You should forward port 80 to 80 and 1953 to 443 (if you must).

2 Likes

Well, both the HTTPS://.... seem to work, but when I try HTTP://donrossie.co.uk:1953 it doesn't redirect to the HTTPS://... but says bad request??

If 1953 forwards to 443, then:
"HTTP://donrossie.co.uk:1953"
amounts to:
"HTTP://donrossie.co.uk:443"

Normally, you can't speak HTTP to an HTTPS listener.
By default, they are NOT bilingual:

  • The HTTPS listener speaks only HTTPS
  • The HTTP listener speaks only HTTP [it can be used to forward requests to HTTPS]

So, the HTTPS listener returns "bad request" because it doesn't hear an HTTPS request.
[all it hears is gibberish]

1 Like
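The SNI explanation earlier in the thread and the point above about HTTP sent to an HTTPS listener both come down to the first bytes a client puts on the wire. This added Python example (not from any poster, Apache or Certbot; the function names are hypothetical) generates a real TLS ClientHello offline with the standard `ssl` module, reads the requested hostname out of its server_name extension, and shows that a plain HTTP request looks nothing like it.

```python
import ssl

def client_hello(hostname):
    """First bytes a TLS client sends for https://hostname, generated without a network."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.create_default_context().wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: no server is attached, only the first flight is wanted
    return outgoing.read()

def classify(first_bytes):
    """What a listener can tell from the first bytes of a new connection."""
    if first_bytes[:2] == b"\x16\x03":          # TLS handshake record, version 3.x
        return "tls"
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"HEAD", b"POST", b"PUT", b"OPTIONS"):
        return "http"
    return "unknown"

def sni_name(hello):
    """Return the hostname in the ClientHello's server_name extension, or None."""
    p = 5 + 4 + 2 + 32                                  # record hdr, handshake hdr, version, random
    p += 1 + hello[p]                                   # session id
    p += 2 + int.from_bytes(hello[p:p + 2], "big")      # cipher suites
    p += 1 + hello[p]                                   # compression methods
    end = p + 2 + int.from_bytes(hello[p:p + 2], "big") # end of the extensions block
    p += 2
    while p + 4 <= end:
        ext_type = int.from_bytes(hello[p:p + 2], "big")
        ext_len = int.from_bytes(hello[p + 2:p + 4], "big")
        if ext_type == 0:   # server_name: list length (2), name type (1), name length (2), name
            n = int.from_bytes(hello[p + 7:p + 9], "big")
            return hello[p + 9:p + 9 + n].decode("ascii")
        p += 4 + ext_len
    return None
```

The hostname travels in the ClientHello before any certificate is sent, which is what lets one IP address and port serve a different certificate per VirtualHost.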

Well, it works after all that!! I'd like to thank everyone for their help, which I really do appreciate.
Kind regards Don....

2 Likes