Replace domain in certificate

Hi,

Is it at all possible to change the domain of a certificate? Due to a misunderstanding with the registrar the first domain expired, and I had to change domains. (Site isn’t production yet).
Is it possible to change the domain (from .com to .org) or do I need to create a new certificate? The latter has created an endless series of errors along the lines of urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record
I’ve checked the TXT records with mxlookup and manually and they come out correct according to the letsencrypt process.
I’ve cleared the letsencrypt settings files.
I’ve removed/purged letsencrypt and reinstalled it again.

My original domain is: liberalismonline.com

I ran this command: sudo certbot certonly -d www.liberalismonline.com -d www.liberalismonline.org

It produced this output: invalid on the .com-domain

My web server is (include version): nginx

The operating system my web server runs on is (include version): some kind of debian derivative

My hosting provider, if applicable, is: aws - lightsail


Name: www.liberalismonline.org
Address: 18.195.38.79

Name: www.liberalismonline.com
Address: 208.91.197.44

Are those IPs on the same server?


Either way, since your new domain is the .org, that should be the first one to enter.

@rg305, Those two domains are from two different registrars. They’re definitely not on the same server as one is in Sweden and the other in the USA. But checking the .com domain, the name servers are listed in register.com’s “expireddomains” subdomain… a “holding tank” of expired domains for lack of a better term. But it doesn’t expire until 2020-10-25. Maybe Register.com just hasn’t moved the domain back to “real” name servers yet?

Domain: liberalismonline.com
Registrar: Register.com, Inc.
Registered On: 2019-10-25
Expires On: 2020-10-25
Updated On: 2019-11-29
Status:ok
Name Servers:
ns1.expireddomains.register.com
ns2.expireddomains.register.com


Actually the sites are on the same Lightsail instance, while the registrars are in different countries.

Trying the certonly -d stanza with the .org first produces the same error:
Performing the following challenges:
http-01 challenge for www.liberalismonline.com
Input the webroot for www.liberalismonline.com: (Enter 'c' to cancel): /opt/bitnami/apps/wordpress/htdocs
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.liberalismonline.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.liberalismonline.com/.well-known/acme-challenge/ShYG6UIPvR-fSOE5QtBI0Mv2rHL5ayGaIQLCw_YVFtA [208.91.197.44]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.liberalismonline.com
   Type:   unauthorized
   Detail: Invalid response from http://www.liberalismonline.com/.well-known/acme-challenge/ShYG6UIPvR-fSOE5QtBI0Mv2rHL5ayGaIQLCw_YVFtA [208.91.197.44]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain

Hi @shieldfire

they are not.

The org - domain - https://check-your-website.server-daten.de/?q=liberalismonline.org

Host T IP-Address is auth. ∑ Queries ∑ Timeout
liberalismonline.org A 18.195.38.79 Frankfurt am Main/Hesse/Germany (DE) - Amazon Technologies Inc. Hostname: ec2-18-195-38-79.eu-central-1.compute.amazonaws.com yes 1 0
AAAA yes
www.liberalismonline.org A 18.195.38.79 Frankfurt am Main/Hesse/Germany (DE) - Amazon Technologies Inc. Hostname: ec2-18-195-38-79.eu-central-1.compute.amazonaws.com yes 1 0
AAAA yes

uses Amazon.

The com - https://check-your-website.server-daten.de/?q=liberalismonline.com

Host T IP-Address is auth. ∑ Queries ∑ Timeout
liberalismonline.com A 208.91.197.44 Road Town/Tortola/British Virgin Islands (VG) - Confluence Networks Inc No Hostname found yes 1 0
AAAA yes
www.liberalismonline.com yes 2 2
AAAA yes
www.liberalismonline.com A 208.91.197.44 Road Town/Tortola/British Virgin Islands (VG) - Confluence Networks Inc No Hostname found no

has a completely different ip address.

It’s not relevant if you have a local definition with the com domain name. The public name server must have the correct entry -> you must be the domain owner and you have to change your A entry.


They seem to be on different servers because the registrar has moved the domain to some kind of holding server thingy. They’ve always been on the Amazon web hosting in Germany. The current .org server also has the .com certificate. The only way .com can be on another server is that the registrar is redirecting the domain to their own servers. The main site is on the Germany server.

The main problem is however, how do I remove the .com certificate and replace it with a .org certificate? I keep getting the errors given above no matter what I try to do.

You create a certificate with .com:

So don’t do that. Create one only with .org.

See


You are right, it says .com.
This is very strange, because I am 99% sure I am using .org to create the request. As in

DOMAIN=liberalismonline.org
WILDCARD=*.$DOMAIN
sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly

in
https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress

OK, tried it again. Still the same type of error

Failed authorization procedure. liberalismonline.org (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "_acme-challenge.liberalismonline.org=mksOnDWiAlTjA7HxynJtYVmwbRM_w7pS0qNezHsPzA0" (and 1 more) found at _acme-challenge.liberalismonline.org, liberalismonline.org (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "_acme-challenge.liberalismonline.org=mksOnDWiAlTjA7HxynJtYVmwbRM_w7pS0qNezHsPzA0" (and 1 more) found at _acme-challenge.liberalismonline.org

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: liberalismonline.org
   Type:   unauthorized
   Detail: Incorrect TXT record "_acme-challenge.liberalismonline.org=mksOnDWiAlTjA7HxynJtYVmwbRM_w7pS0qNezHsPzA0" (and 1 more) found at _acme-challenge.liberalismonline.org

   Domain: liberalismonline.org
   Type:   unauthorized
   Detail: Incorrect TXT record "_acme-challenge.liberalismonline.org=mksOnDWiAlTjA7HxynJtYVmwbRM_w7pS0qNezHsPzA0" (and 1 more) found at _acme-challenge.liberalismonline.org

   To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.

OK I tried
certbot certonly --cert-name liberalismonline.com -d liberalismonline.org,www.liberalismonline.org

and I get
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/liberalismonline.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/liberalismonline.com/privkey.pem
   Your cert will expire on 2020-03-02. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew all of your certificates, run
   “certbot renew”

But when I visit the site I see a broken certificate and this

Do you also own this domain stuffnthings.skjoldebrand.org ? This is just a link to a png on ownCloud.

I believe each domain name should be preceded with -d and not have a comma between them.
Did you read the certbot user guide as @JuergenAuer suggested?

Certbot supports both “-d example.com -d example.net” and “-d example.com,example.net”.


Okay, thanks. I’ll remember that. :wink:

Yes, of course it’s a png on ownCloud. And yes it’s my domain/site. The thing is what the png shows - that the domain still claims the certificate is for liberalismonline.com not .org despite the message that certbot changed the domain to .org.

And yes I read the document, the command I used is from the manual, changing example.org to liberalismonline.org. Which I would’ve guessed was obvious due to the status of the command that I posted.

Checking your domain you have created the correct certificate - https://check-your-website.server-daten.de/?q=liberalismonline.org#ct-logs

Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2019-12-03 2020-03-02 liberalismonline.org, www.liberalismonline.org - 2 entries duplicate nr. 1
Let’s Encrypt Authority X3 2019-12-03 2020-03-02 liberalismonline.org - 1 entries duplicate nr. 1

The last is good, so that part is done.

But you don’t use it, instead, there is a wildcard of your com domain:

CN=liberalismonline.com 15.11.2019 13.02.2020 expires in 72 days *.liberalismonline.com, liberalismonline.com - 2 entries

So your vHost setup is broken.

What says

apachectl -S
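An added check (not code from any poster in this thread) that does what the CT-log comparison above does by hand: it takes the certificate the web server actually presents and lists which of the names you wanted it to cover are missing, with single-label wildcard matching so that `*.liberalismonline.com` covers `www.` but not the bare domain. The sample certificate dict is constructed to mirror the served .com wildcard; pass a hostname on the command line to query a live server instead.

```python
import socket
import ssl

# Constructed sample (not real data) mirroring the thread: the server still serves the .com wildcard cert.
SERVED_COM_WILDCARD = {
    "subject": ((("commonName", "liberalismonline.com"),),),
    "subjectAltName": (("DNS", "*.liberalismonline.com"),
                       ("DNS", "liberalismonline.com")),
}

def hostname_matches(pattern, hostname):
    """RFC 6125 style: '*' may stand in for exactly one leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".liberalismonline.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[:-len(suffix)]            # the label the '*' replaces
    return bool(left) and "." not in left     # bare domain or multi-label: no match

def cert_dns_names(cert):
    """Names a cert covers, from the dict ssl.SSLSocket.getpeercert() returns."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:                             # no SANs: fall back to subject CN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return names

def missing_names(cert, expected):
    """Expected hostnames that no name in the served cert covers."""
    names = cert_dns_names(cert)
    return [h for h in expected
            if not any(hostname_matches(n, h) for n in names)]

def fetch_peer_cert(host, port=443):
    """Handshake with SNI and return the peer cert dict. The chain is still verified
    against system roots; only the hostname check is off so a mismatch is reported."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    import sys
    wanted = ["liberalismonline.org", "www.liberalismonline.org"]
    cert = fetch_peer_cert(sys.argv[1]) if len(sys.argv) > 1 else SERVED_COM_WILDCARD
    print("served for:", cert_dns_names(cert))
    print("not covered:", missing_names(cert, wanted))
```

Run against the live host, an empty "not covered" list means the vHost is serving the new lineage; anything listed is a name browsers will reject.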

Then I get
SSLCertificateFile: file ‘/opt/bitnami/apache2/conf/server.crt’ does not exist or is empty

Your topic: nginx.

Your website: Apache.

Now: Bitnami.

-> Check the Bitnami documentation how to install your certificate.

You mean as in post 9?
I’ve already installed the .com certificate once - there are no docs on how to change it to .org that I found. I could possibly set up a load balancer and install a .org-certificate on that to point to the site. Looks like complete overkill, even if it would be possible.

This is a bit “confusing”.
You’re asking for certificates for .org whilst calling the cert by a .com name.
There is no .com name in that cert… ~ ~ ~ creating confusion ~ ~ ~
