Problem with www

Hello,

I have a domain (https://domain.com) with a www subdomain (https://www.domain.com).
I mainly use “domain.com” but for SEO reasons I would like to have no problem with www.domain.com.

To renew certificates I use the command
certbot-auto renew

It returns to me for the www domain and subdomain
Cert not yet due for renewal

Problem when I go to https://www.domain.com the browser puts a security alert and says the connection is not encrypted.

So I tried this command instead
certbot-auto --force-renewal

There I have the choice between the two domains to renew

  1. domain.com
  2. www.domain.com

If I choose the 2 the www works, but the 1 puts me an error message.
If I choose the 1 it is the 2 that puts me the error message.

Can you help me?

Thank you

What’s your real domain?

What does certbot-auto certificates show?

Found the following certs:
Certificate Name: astuto.fr
Domains: astuto.fr
Expiry Date: 2019-11-25 09:05:35+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/astuto.fr/fullchain.pem
Private Key Path: /etc/letsencrypt/live/astuto.fr/privkey.pem
Certificate Name: www.astuto.fr-0001
Domains: www.astuto.fr
Expiry Date: 2019-11-25 09:05:02+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.astuto.fr-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.astuto.fr-0001/privkey.pem
Certificate Name: www.astuto.fr
Domains: astuto.fr www.astuto.fr
Expiry Date: 2019-11-16 17:22:23+00:00 (VALID: 81 days)
Certificate Path: /etc/letsencrypt/live/www.astuto.fr/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.astuto.fr/privkey.pem

You have three certificates, but https://astuto.fr/ and https://www.astuto.fr/ both use this one:

Check the Apache configuration and change it to use the www.astuto.fr certificate.

You can also delete the other two, if you're not using them for other things.

Thank you!

I try to delete the two certificates but I have the same problem.

For the Apache configuration, I do not know where I could do that.
In /etc/apache2/sites-available/asuto-le-ssl.conf the ssl certificates are quoted, but it is the only file and I do not see what modification to make therefore.


ServerName astuto.fr
ServerAlias www.astuto.fr

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/astuto.fr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/astuto.fr/privkey.pem

Change "astuto.fr" to "www.astuto.fr" in those two directives, and any other identical SSLCertificateFile or SSLCertificateKeyFile directives.

After this change, without doing anything more it doesn’t work.
If I renew the www

Which names would you like to activate HTTPS for?


1: astuto.fr
2: www.astuto.fr

It works but astuto.fr without www doesn’t work.
Of course I want both to work.

You don’t need to issue or renew any certificates. You already have some.

If you keep issuing certificates, all it will do is waste resources, and soon hit the duplicate certificate rate limit.

All you have to do is edit the Apache configuration.

Can you post the output of “certbot-auto certificates” again?

I understand that what you are advising me to do, is only to change the configuration of Apache, but if I do it it does not work.

The real question is why the same certificate can not work with and without the www?
I guess elsewhere it works but not to my configuration.

My priority is that astuto.fr works (without www) so I have one last time renewed the certificate. I saw that it changed the file /etc/apache2/sites-available/asuto-le-ssl.conf to remove the www in those two directives letsencrypt/
So simply putting the www is not the solution.

I will try another solution for today but all ideas will be welcome.

How have you changed it, and how is it failing?

If you can get Apache to use the certificate that includes both names, it will work.

What command did you run? Please don't run it again, just say what it was.

If you run Certbot and tell it to reinstall one of the existing certificates without issuing a new one, it can try to configure Apache to use that certificate. (But depending on your Apache configuration, it might not update all the right virtual hosts.)

But you can also modify the Apache configuration by hand to make the same changes.

Can you post the output of “certbot-auto certificates” again?

Right now, https://astuto.fr/ is using a certificate for astuto.fr that was issued about half an hour ago.

https://www.astuto.fr/ now has a different IP address pointing to a different computer, using some certificate for cluster006.hosting.ovh.net.

astuto.fr.      1304  A  51.38.48.80
www.astuto.fr.  1307  A  213.186.33.17

As I can not generate the www certificate I use a backup solution through an all in one web hoster for the www.

All commands run but it doesn't work.

I have 2 certificates again because with /etc/letsencrypt/live/www.astuto.fr/privkey.pem "astuto.fr" doesn't work.

/bin/certbot-auto has insecure permissions!
To learn how to fix them, visit Certbot-auto deployment best practices
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: astuto.fr
Domains: astuto.fr
Expiry Date: 2019-11-25 11:02:40+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/astuto.fr/fullchain.pem
Private Key Path: /etc/letsencrypt/live/astuto.fr/privkey.pem
Certificate Name: www.astuto.fr
Domains: www.astuto.fr
Expiry Date: 2019-11-25 10:45:13+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.astuto.fr/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.astuto.fr/privkey.pem


Which commands? In what way did they fail to work?

Earlier, you had a certificate that included both hostnames.

Now it's been replaced by one that only has www.astuto.fr...

You could create two Apache virtual hosts, one using the astuto.fr certificate and one using the www.astuto.fr certificate.

Or you could issue another certificate for both hostnames -- or recover the one you had before -- and have Apache use that.

By the way…

Your server is running Debian, right?

And could you also post the output of “sudo apachectl -t -D DUMP_VHOSTS”?

Thank you for your help, I will continue testing tomorrow.

Here is the result of the command sudo apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
*:443 astuto.fr (/etc/apache2/sites-enabled/astuto-le-ssl.conf:;0;2)
*:80 is a NameVirtualHost
default server v.ovh.net (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost v.ovh.net (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost astuto.fr (/etc/apache2/sites-enabled/astuto.conf:1)
alias www.astuto.fr
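
Added example (not from the thread and not Certbot's own code): a short Python check that cross-references a `certbot-auto certificates` listing with a virtual host's ServerName/ServerAlias and SSLCertificateFile lines, reporting which names the configured certificate misses and which existing certificate covers them all. The sample inputs are abridged from the output posted above, and the function names are illustrative.

```python
import re

# Sample input, abridged from the first `certbot-auto certificates` listing in the thread.
CERTBOT_OUTPUT = """\
Certificate Name: astuto.fr
Domains: astuto.fr
Certificate Path: /etc/letsencrypt/live/astuto.fr/fullchain.pem
Certificate Name: www.astuto.fr-0001
Domains: www.astuto.fr
Certificate Path: /etc/letsencrypt/live/www.astuto.fr-0001/fullchain.pem
Certificate Name: www.astuto.fr
Domains: astuto.fr www.astuto.fr
Certificate Path: /etc/letsencrypt/live/www.astuto.fr/fullchain.pem
"""
# Sample input: the virtual host directives quoted in the thread.
VHOST = """\
ServerName astuto.fr
ServerAlias www.astuto.fr
SSLCertificateFile /etc/letsencrypt/live/astuto.fr/fullchain.pem
"""

def parse_lineages(text):
    """Map each 'Certificate Path' to the set of names on the preceding 'Domains' line."""
    pairs = re.findall(r"Domains: (.+?)\n.*?Certificate Path: (\S+)", text, re.S)
    return {path: set(doms.lower().split()) for doms, path in pairs}

def vhost_names(conf):
    """Collect ServerName and every ServerAlias value (directive names are case-insensitive)."""
    names = set()
    for m in re.finditer(r"^\s*Server(?:Name|Alias)\s+(.+)$", conf, re.I | re.M):
        names.update(n.lower() for n in m.group(1).split())
    return names

def covered(host, sans):
    """True if a SAN matches exactly, or a wildcard SAN matches one leftmost label."""
    return host in sans or "*." + host.partition(".")[2] in sans

def audit(conf, certbot_text):
    """Return (vhost names the configured cert misses, cert paths covering every name)."""
    names, lineages = vhost_names(conf), parse_lineages(certbot_text)
    cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", conf, re.I | re.M).group(1)
    missing = sorted(n for n in names if not covered(n, lineages.get(cert, set())))
    usable = sorted(p for p, sans in lineages.items() if all(covered(n, sans) for n in names))
    return missing, usable

if __name__ == "__main__":
    print(audit(VHOST, CERTBOT_OUTPUT))
```

On the thread's data this reports that the configured astuto.fr certificate does not cover www.astuto.fr, and that only the certificate under /etc/letsencrypt/live/www.astuto.fr/ lists both names.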
