Replace domain in certificate

Hi @shieldfire

they are not.

The org - domain - https://check-your-website.server-daten.de/?q=liberalismonline.org

Host T IP-Address is auth. ∑ Queries ∑ Timeout
liberalismonline.org A 18.195.38.79 Frankfurt am Main/Hesse/Germany (DE) - Amazon Technologies Inc. Hostname: ec2-18-195-38-79.eu-central-1.compute.amazonaws.com yes 1 0
AAAA yes
www.liberalismonline.org A 18.195.38.79 Frankfurt am Main/Hesse/Germany (DE) - Amazon Technologies Inc. Hostname: ec2-18-195-38-79.eu-central-1.compute.amazonaws.com yes 1 0
AAAA yes

uses Amazon.

The com - https://check-your-website.server-daten.de/?q=liberalismonline.com

Host T IP-Address is auth. ∑ Queries ∑ Timeout
liberalismonline.com A 208.91.197.44 Road Town/Tortola/British Virgin Islands (VG) - Confluence Networks Inc No Hostname found yes 1 0
AAAA yes
www.liberalismonline.com yes 2 2
AAAA yes
www.liberalismonline.com A 208.91.197.44 Road Town/Tortola/British Virgin Islands (VG) - Confluence Networks Inc No Hostname found no

has a completely different ip address.

It’s not relevant if you have a local definition with the com domain name. The public name server must have the correct entry -> you must be the domain owner and you have to change your A entry.


They seem to be on different servers because the registrar has moved the domain to some kind of holding server thingy. They’ve always been on the Amazon web hosting in Germany. The current .org server also has the .com certificate. The only way .com can be on another server is that the registrar is redirecting the domain to their own servers. The main site is on the Germany server.

The main problem is however, how do I remove the .com certificate and replace it with a .org certificate? I keep getting the errors given above no matter what I try to do.

You create a certificate with .com:

So don’t do that. Create one only with .org.

See


You are right, it says .com.
This is very strange, because I am 99% sure I am using .org to create the request. As in

DOMAIN=liberalismonline.org
WILDCARD=*.$DOMAIN
sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly

in
https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress

OK, tried it again. Still the same type of error

Failed authorization procedure. liberalismonline.org (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "_acme-challenge.liberalismonline.org=mksOnDWiAlTjA7HxynJtYVmwbRM_w7pS0qNezHsPzA0" (and 1 more) found at _acme-challenge.liberalismonline.org, liberalismonline.org (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "_acme-challenge.liberalismonline.org=mksOnDWiAlTjA7HxynJtYVmwbRM_w7pS0qNezHsPzA0" (and 1 more) found at _acme-challenge.liberalismonline.org
IMPORTANT NOTES:
- The following errors were reported by the server:
  Domain: liberalismonline.org
  Type: unauthorized
  Detail: Incorrect TXT record "_acme-challenge.liberalismonline.org=mksOnDWiAlTjA7HxynJtYVmwbRM_w7pS0qNezHsPzA0" (and 1 more) found at _acme-challenge.liberalismonline.org
  Domain: liberalismonline.org
  Type: unauthorized
  Detail: Incorrect TXT record "_acme-challenge.liberalismonline.org=mksOnDWiAlTjA7HxynJtYVmwbRM_w7pS0qNezHsPzA0" (and 1 more) found at _acme-challenge.liberalismonline.org
  To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.

OK I tried
certbot certonly --cert-name liberalismonline.com -d liberalismonline.org,www.liberalismonline.org

and I get
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/liberalismonline.com/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/liberalismonline.com/privkey.pem
  Your cert will expire on 2020-03-02. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew all of your certificates, run "certbot renew"

But when I visit the site I see a broken certificate and this

Do you also own this domain stuffnthings.skjoldebrand.org? This is just a link to a png on ownCloud.

I believe each domain name should be preceded with -d and not have a comma between them.
Did you read the certbot user guide as @JuergenAuer suggested?

Certbot supports both “-d example.com -d example.net” and “-d example.com,example.net”.


Okay, thanks. I’ll remember that. :wink:

Yes, of course it’s a png on ownCloud. And yes it’s my domain/site. The thing is what the png shows - that the domain still claims the certificate is for liberalismonline.com not .org despite the message that certbot changed the domain to .org.

And yes I read the document, the command I used is from the manual, changing example.org to liberalismonline.org. Which I would’ve guessed was obvious due to the status of the command that I posted.

Checking your domain you have created the correct certificate - https://check-your-website.server-daten.de/?q=liberalismonline.org#ct-logs

Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2019-12-03 2020-03-02 liberalismonline.org, www.liberalismonline.org - 2 entries duplicate nr. 1
Let’s Encrypt Authority X3 2019-12-03 2020-03-02 liberalismonline.org - 1 entries duplicate nr. 1

The last is good, so that part is done.

But you don’t use it, instead, there is a wildcard of your com domain:

CN=liberalismonline.com
	15.11.2019
	13.02.2020
expires in 72 days	*.liberalismonline.com, liberalismonline.com - 2 entries

So your vHost setup is broken.

What says

apachectl -S
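To check which names a certificate actually covers, as opposed to which names certbot issued one for, here is an added Python check that is not code from the thread, certbot or Bitnami. The SAN lists are constructed from the names quoted in the posts above; served_sans assumes the host is reachable on port 443 and uses only the standard library.

```python
"""Does a certificate's SAN list cover the names a vHost serves?

Added example. SAN lists below are constructed from the names shown in
the CT-log and served-certificate excerpts in this thread.
"""
from __future__ import annotations
import socket
import ssl


def san_matches(hostname: str, san: str) -> bool:
    """RFC 6125-style match: exact name, or a single left-most '*' label that
    covers exactly one label, so *.example.org matches www.example.org but
    neither example.org nor a.b.example.org."""
    hostname = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if san == hostname:
        return True
    if not san.startswith("*."):
        return False
    host_labels, san_labels = hostname.split("."), san.split(".")
    if len(host_labels) != len(san_labels) or not host_labels[0]:
        return False
    # Only the left-most host label is free; everything after it must match.
    return host_labels[1:] == san_labels[1:]


def uncovered_names(served_names: list[str], sans: list[str]) -> list[str]:
    """Return the vHost names the certificate does NOT cover."""
    return [n for n in served_names if not any(san_matches(n, s) for s in sans)]


def served_sans(host: str, port: int = 443) -> list[str]:
    """Fetch the DNS SANs of the certificate a live server presents for `host`.
    Hostname checking is off so a mismatched cert is returned, not raised;
    chain verification stays on (assumes a publicly trusted issuer)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed from the thread: the cert the server was still handing out ...
SERVED_CERT_SANS = ["*.liberalismonline.com", "liberalismonline.com"]
# ... and the newly issued cert sitting unused in /etc/letsencrypt/live/
ISSUED_CERT_SANS = ["liberalismonline.org", "www.liberalismonline.org"]
VHOST_NAMES = ["liberalismonline.org", "www.liberalismonline.org"]

if __name__ == "__main__":
    for label, sans in (("served", SERVED_CERT_SANS), ("issued", ISSUED_CERT_SANS)):
        missing = uncovered_names(VHOST_NAMES, sans)
        print(label, "cert:", "covers all names" if not missing else f"misses {missing}")
```

Replace SERVED_CERT_SANS with served_sans("your.host") to compare what the web server really presents after a restart against the names in /etc/letsencrypt/live.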

Then I get
SSLCertificateFile: file ‘/opt/bitnami/apache2/conf/server.crt’ does not exist or is empty

Your topic: nginx.

Your website: Apache.

Now: Bitnami.

–> Check the Bitnami documentation how to install your certificate.

You mean as in post 9?
I’ve already installed the .com certificate once - there is no docs on how to change it to .org that I found. I could possibly set up a load balancer and install a .org-certificate on that to point to the site. Looks like complete overkill, even if it would be possible.

This is a bit “confusing”.
You're asking for certificates for .org whilst calling the cert by a .com name.
There is no .com name in that cert… ~ ~ ~ creating confusion ~ ~ ~


This is still the right thing to do if you specifically don’t want to update web server configuration files, although I agree it might create the wrong impression for someone looking at those files in the future.


They could have used a non-FQDN cert name like: “liberalismonline”
Using a real FQDN (and one they don’t even control), to me, is bad practice.


I had no idea the registrar would f*** up the domain, in which case there wouldn’t have been a problem at all. It’s possible that another naming scheme would be better, but now there isn’t one. And it doesn’t resolve the problem.

I’ve changed the domain in the certificate to .org (at least - that is what the certbot message claims), but still - when browsing the site, the certificate claims it’s for the .com domain. How do I fix this?


Your command was certonly.
Have you restarted the web server since?


Finally!
That was what I had missed …
Thanks a lot for putting up with this endless thread, which now finally seems to have come to an end.
