Question about correct way to obtain certificate using certonly

Hi friends,
I've just added a new website and requested its certificates, but I've run into some problems. Here is my situation.

On VPS Debian jessie, certbot 0.8.1-2~bpo8+1, and below configuration files:

clin.ini

# Use a 4096 bit RSA key instead of 2048.
rsa-key-size = 4096
  
# Set email and domains.
email = admin@sio4.org
# domains = example.com, www.example.com
  
# Text interface.
text = True
# No prompts.
non-interactive = True
# Suppress the Terms of Service agreement interaction.
agree-tos = True
  
# Use the webroot authenticator.
authenticator = webroot
webroot-path = /var/www/letsencrypt

/etc/apache2/sites-available/letsencrypt.conf

Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
<Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
Options None
AllowOverride None
ForceType text/plain
# avoid access to anything not resembling a challenge
RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
</Directory>

/etc/apache2/sites-enabled/vini-bulgarini.com.conf

<VirtualHost *:80>

        ServerName vini-bulgarini.com
        ServerAlias www.vini-bulgarini.com

        ServerAdmin admin@sio4.org
        DocumentRoot /var/www/vini-bulgarini.com/public_html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

/etc/apache2/sites-enabled/vini-bulgarini.com-ssl.conf

<IfModule mod_ssl.c>
        <VirtualHost *:443>
                ServerAdmin admin@sio4.org
                DocumentRoot /var/www/vini-bulgarini.com/public_html/

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

                SSLCertificateFile /etc/letsencrypt/live/www.vini-bulgarini.com/cert.pem
                SSLCertificateKeyFile /etc/letsencrypt/live/www.vini-bulgarini.com/privkey.pem
                SSLCertificateChainFile /etc/letsencrypt/live/www.vini-bulgarini.com/fullchain.pem

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

                BrowserMatch "MSIE [2-6]" \
                                nokeepalive ssl-unclean-shutdown \
                                downgrade-1.0 force-response-1.0

                BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

        </VirtualHost>
</IfModule>

Running this command to obtain new certificates for a new website domain:

certbot certonly --webroot -w /var/www/letsencrypt -d www.vini-bulgarini.com -d vini-bulgarini.com

I obtain:

1) the first time, an error, and the certificates do not come:

Failed authorization procedure. www.vini-bulgarini.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.vini-bulgarini.com/.well-known/acme-challenge/WXsltSJg6JZy2Nv7zHF2i-3VMYsv_fIQa67Rx7fTfFc: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.vini-bulgarini.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.vini-bulgarini.com/.well-known/acme-challenge/WXsltSJg6JZy2Nv7zHF2i-3VMYsv_fIQa67Rx7fTfFc:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

2) running the same command some seconds later, I obtain all the certificates:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.vini-bulgarini.com/fullchain.pem. Your
   cert will expire on 2017-01-04. To obtain a new or tweaked version
   of this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now, if I try to go to https://www.vini-bulgarini.com/ I get from Firefox:

www.vini-bulgarini.com uses an invalid security certificate. The certificate is only valid for the following names: cosmogonia.org, www.cosmogonia.org Error code: SSL_ERROR_BAD_CERT_DOMAIN

In fullchain1.pem:

X509v3 Subject Alternative Name:
DNS:vini-bulgarini.com, DNS:www.vini-bulgarini.com

NB
cosmogonia.org is another web site hosted by the same SERVER/VPS (server.sio4.org)

Many many thanks!

/etc/apache2/sites-enabled/vini-bulgarini.com-ssl.conf is missing a ServerName and ServerAlias.

Also, SSLCertificateChainFile “should” point to chain.pem or you can point SSLCertificateFile to fullchain.pem and delete SSLCertificateChainFile if your Apache is version 2.4.8 or newer.
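To make the two points above checkable without a browser, here is an added example (not code from the original post, from Apache or from Certbot). It parses `<VirtualHost>` blocks the way the thread's configs are written, models Apache's name-based selection for an SNI hostname (first block on that address whose ServerName or ServerAlias matches, otherwise the first block loaded), and lints the cert/chain directives. The `cosmogonia.org-ssl.conf` text is a constructed stand-in for the other site on the VPS, and the load order assumes Debian's alphabetical include of `sites-enabled/*.conf`; both are assumptions, not facts from the thread.

```python
"""Model why a *:443 vhost without ServerName serves the wrong certificate.

Added example, not the poster's or Apache's code. Standard library only.
"""
import re
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

# Constructed sample: the thread's -ssl.conf as posted (no ServerName) plus a
# hypothetical vhost for the other site hosted on the same VPS. Debian loads
# sites-enabled/*.conf alphabetically, so cosmogonia's block comes first and
# becomes the default vhost for *:443.
CONFIGS = {
    "cosmogonia.org-ssl.conf": """
<VirtualHost *:443>
    ServerName cosmogonia.org
    ServerAlias www.cosmogonia.org
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/cosmogonia.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cosmogonia.org/privkey.pem
</VirtualHost>
""",
    "vini-bulgarini.com-ssl.conf": """
<VirtualHost *:443>
    DocumentRoot /var/www/vini-bulgarini.com/public_html/
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.vini-bulgarini.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.vini-bulgarini.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/www.vini-bulgarini.com/fullchain.pem
</VirtualHost>
""",
}

# Same files with the fix from the answer applied: ServerName/ServerAlias added.
FIXED_CONFIGS = dict(CONFIGS)
FIXED_CONFIGS["vini-bulgarini.com-ssl.conf"] = CONFIGS["vini-bulgarini.com-ssl.conf"].replace(
    "<VirtualHost *:443>",
    "<VirtualHost *:443>\n    ServerName vini-bulgarini.com\n    ServerAlias www.vini-bulgarini.com",
)

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.+?)\s*$", re.M)


def parse_vhosts(configs: Dict[str, str]) -> List[Dict]:
    """Return one dict per <VirtualHost> block, in Apache's (sorted) load order."""
    vhosts = []
    for fname in sorted(configs):
        for m in VHOST_RE.finditer(configs[fname]):
            vh = {"source": fname, "addr": m.group(1).strip(),
                  "servername": None, "aliases": [], "directives": {}}
            for d in DIRECTIVE_RE.finditer(m.group(2)):
                key, val = d.group(1).lower(), d.group(2)
                if key == "servername":
                    vh["servername"] = val.lower()
                elif key == "serveralias":
                    vh["aliases"] += [a.lower() for a in val.split()]
                else:
                    vh["directives"][key] = val
            vhosts.append(vh)
    return vhosts


def select_vhost(vhosts: List[Dict], sni_host: str, addr: str = "*:443") -> Optional[Dict]:
    """Apache name-based selection: first matching name on addr, else the first vhost on addr."""
    candidates = [v for v in vhosts if v["addr"].lower() == addr]
    if not candidates:
        return None
    host = sni_host.lower()
    for v in candidates:
        names = ([v["servername"]] if v["servername"] else []) + v["aliases"]
        if any(fnmatchcase(host, pattern) for pattern in names):  # aliases may use * and ?
            return v
    return candidates[0]


def lint(vhosts: List[Dict]) -> List[str]:
    """Flag the two problems raised in the thread."""
    findings = []
    for v in vhosts:
        where = f"{v['source']} <VirtualHost {v['addr']}>"
        if v["servername"] is None:
            findings.append(f"{where}: no ServerName; reachable only as the default "
                            "vhost for its address, never selected by SNI name")
        chain = v["directives"].get("sslcertificatechainfile")
        if chain and chain.endswith("fullchain.pem"):
            findings.append(f"{where}: SSLCertificateChainFile points at fullchain.pem, "
                            "which re-sends the leaf; use chain.pem, or point "
                            "SSLCertificateFile at fullchain.pem and drop it (Apache >= 2.4.8)")
    return findings


if __name__ == "__main__":
    vhosts = parse_vhosts(CONFIGS)
    for finding in lint(vhosts):
        print("FINDING:", finding)
    print("SNI www.vini-bulgarini.com served by:", select_vhost(vhosts, "www.vini-bulgarini.com")["source"])
    print("after fix, served by:", select_vhost(parse_vhosts(FIXED_CONFIGS), "www.vini-bulgarini.com")["source"])
```

With the posted config the SNI name `www.vini-bulgarini.com` matches nothing, so the model falls through to the first `*:443` block and hands back cosmogonia's certificate, exactly the `SSL_ERROR_BAD_CERT_DOMAIN` the browser reported; with ServerName/ServerAlias added it selects the vini-bulgarini block. Against a live server the same check is `openssl s_client -connect host:443 -servername www.vini-bulgarini.com` and reading the returned subject/SAN.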

In this case I thought it was unnecessary (only) for the SSL configuration. I was wrong.

Ah, I've never read before this feature!

Many thanks for all this information!

ciao!

As you said, there's another site hosted on the same server, and without separate IP addresses for the sites/virtualhosts, ServerName is indeed necessary.

And don't forget to point SSLCertificateFile to fullchain.pem!!!!!

Many thanks for making these tests, really very useful!
I think I've put everything right :)
If possible, could you tell me which tools you used to perform these checks?

many thanks again @Osiris!
