Roll out multiple domains with 1 IP address not working

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: observastore.com & casazza.net

I ran this command: certbot --apache

It produced this output:
Congratulations! You have successfully enabled https://casazza.net

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=casazza.net

My web server is (include version): Apache 2.4.6.89

The operating system my web server runs on is (include version): centos 7.6

My hosting provider, if applicable, is: 1&1.com (ionos.com)

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.34.2

Let me start by apologizing for the panicking question a few days back. I was silly and tried to just do it in 1 command. I am now approaching this in a professional manner.

I have several domains hosted on 1 server with 1 IP address. In all I want to get these domains (with and without www.) secure: casazza.net, clearskyalarmclock.com, ghaas.org, stillwaterstargazers.com, tonightssky.com, and observastore.com. The observastore.com domain is just being held for a future project so I tried it first. Yesterday I did observastore.com and today I added www.observastore.com. All looked good! I figured out how the rewrites were accomplished and decided I’d do them by hand after I was sure things were working for the “production” domains. Next, I selected casazza.net and chose not to do redirects. I wanted to test the https connection myself first. It failed, and now observastore.com is reporting trust issues because it seems to be confused with casazza.net.

[root@www MySites]# certbot certificates

Found the following certs:
  Certificate Name: casazza.net
    Domains: casazza.net
    Expiry Date: 2019-09-23 23:25:42+00:00 (VALID: 89 days)
  Certificate Name: observastore.com
    Domains: observastore.com
    Expiry Date: 2019-09-22 23:34:24+00:00 (VALID: 88 days)
  Certificate Name: www.observastore.com
    Domains: www.observastore.com
    Expiry Date: 2019-09-23 20:34:11+00:00 (VALID: 89 days)

Thankfully all the insecure sites are fully functional so I can take my time to get this working before I move on to the next domain.

Usually, you are going to want to combine your www and non-www domains into a single certificate:

 certbot --apache -d observastore.com -d www.observastore.com

Doing it this way reflects the usual way that Apache virtual hosts are organized - for example, this certificate would match a virtual host that looks like:

<VirtualHost *:80>
    ServerName observastore.com
    ServerAlias www.observastore.com
    # ...
</VirtualHost>
2 Likes
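The check a practitioner would want before running the command above: read the names from each Apache virtual host, build the matching `certbot -d` list, and compare it against what `certbot certificates` already reports, so a name the vhost serves but no certificate covers (the cause of a "certificate name mismatch" warning) is listed explicitly. This is an added example written for this thread, not certbot's own code; the vhost text and the `certbot certificates` output embedded below are constructed to mirror the thread, and a real deployment would read both from the server instead.

```python
"""Map Apache vhost names to certbot -d flags and find names no issued
certificate covers.  Added example for this thread, not certbot code."""
import re

# Constructed vhost config in the shape the helper recommends above.
VHOST = """
<VirtualHost *:80>
    ServerName observastore.com
    ServerAlias www.observastore.com
    # ...
</VirtualHost>
<VirtualHost *:80>
    ServerName casazza.net
    ServerAlias www.casazza.net
</VirtualHost>
"""

# Constructed `certbot certificates` output: observastore.com was reissued
# with both names, casazza.net was issued alone (no www name yet).
CERTBOT_CERTIFICATES = """
Found the following certs:
  Certificate Name: casazza.net
    Domains: casazza.net
    Expiry Date: 2019-09-23 23:25:42+00:00 (VALID: 89 days)
  Certificate Name: observastore.com
    Domains: observastore.com www.observastore.com
    Expiry Date: 2019-09-22 23:34:24+00:00 (VALID: 88 days)
"""


def vhost_names(config):
    """Return one name list per <VirtualHost>: ServerName first, then aliases."""
    blocks = re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", config, re.S)
    result = []
    for block in blocks:
        names = []
        for line in block.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments and padding
            if not line:
                continue
            directive, _, value = line.partition(" ")
            if directive == "ServerName":
                names.insert(0, value.strip())
            elif directive == "ServerAlias":
                names.extend(value.split())
        if names:
            result.append(names)
    return result


def certbot_args(names):
    """One certificate per vhost: certbot --apache -d name -d www.name ..."""
    args = ["certbot", "--apache"]
    for name in names:
        args += ["-d", name]
    return args


def issued_domains(output):
    """Map certificate name -> set of domains from `certbot certificates`."""
    certs = {}
    current = None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Certificate Name:"):
            current = line.split(":", 1)[1].strip()
            certs[current] = set()
        elif line.startswith("Domains:") and current is not None:
            certs[current].update(line.split(":", 1)[1].split())
    return certs


def uncovered_names(config, output):
    """Vhost names that no issued certificate lists (the 'mismatch' set)."""
    covered = set().union(*issued_domains(output).values())
    return sorted(n for names in vhost_names(config) for n in names
                  if n not in covered)


if __name__ == "__main__":
    for names in vhost_names(VHOST):
        print(" ".join(certbot_args(names)))
    print("not covered by any certificate:",
          uncovered_names(VHOST, CERTBOT_CERTIFICATES))
```

Running the block prints one `certbot --apache -d ... -d ...` line per vhost and then `['www.casazza.net']`, the name that still needs to be added before the casazza.net vhost can be switched to HTTPS without a mismatch.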

Thank you! That fixed observastore.com.

When I try: certbot --apache -d casazza.net -d www.casazza.net

I get an error with the challenge

Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.casazza.net
Waiting for verification…
Challenge failed for domain www.casazza.net
http-01 challenge for www.casazza.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.casazza.net
    Type: unauthorized
    Detail: Invalid response from http://casazza.net/Home/
    [104.192.5.243]: "\n\n<!--[if IE 8]>\n<html
    class=\"ie ie8\" lang=\"en-US\">"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

I don’t see anything wrong with my DNS entries, but I have to admit the 1and1.com DNS tools are difficult to use. Is there a DNS tool that can point out my problem? https://dnschecker.org finds no issues.

Am I missing something?

Mark

The problem is your /Home redirect rule intercepting the Let’s Encrypt validation request. Do you know where it comes from?

If, for example, you have an .htaccess file that implements this redirect using rewrite rules, you may want to exclude the Let’s Encrypt validation path by having this at the top of the file:

RewriteEngine On
# Pass /.well-known/... through untouched and stop processing further rules
RewriteRule ^\.well-known - [L]

If not, please show the full Apache virtual host for that domain.
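To make the ordering point concrete: the exclusion rule only helps if it runs before the site-wide redirect, because the first rule that matches with `[L]` ends processing. The following is an added example written for this thread, not Apache code or anything from the original post; it is a deliberately simplified model of .htaccess rule evaluation (pattern, target, flags, first `[L]` match wins, `-` means pass through), the challenge token is a constructed placeholder, and the `/Home/` redirect rule is constructed from the shape of the error message above.

```python
r"""Simplified model of mod_rewrite ordering: a catch-all redirect to /Home/
swallows the http-01 request, and `RewriteRule ^\.well-known - [L]` placed
first lets it through.  Added example, not Apache's engine."""
import re

# In .htaccess context the path matched has no leading slash.
ACME_PATH = ".well-known/acme-challenge/EXAMPLE-TOKEN"  # constructed token

# Constructed rules shaped like a site-wide redirect to /Home/ (pattern,
# substitution, flags).  "-" as substitution means "leave the path as is".
BROKEN_RULES = [
    (r"^Home/", "-", {"L"}),                                    # already home
    (r"^(.*)$", "http://casazza.net/Home/", {"R=301", "L"}),    # everything else
]

# The helper's exclusion must come first so it is evaluated before the catch-all.
FIXED_RULES = [(r"^\.well-known", "-", {"L"})] + BROKEN_RULES


def apply_rules(path, rules):
    """Return where `path` ends up: the path itself when served directly,
    or the external target when a redirecting (R=) rule matches first."""
    for pattern, target, flags in rules:
        if not re.match(pattern, path):
            continue
        if target == "-":              # pass through; [L] stops the chain
            if "L" in flags:
                return path
            continue
        if any(f.startswith("R") for f in flags):
            return target              # external redirect: client leaves
        path = target                  # internal rewrite, keep going...
        if "L" in flags:               # ...unless [L] ends processing
            return path
    return path


def http01_served(path, rules):
    """True when the ACME validation request reaches the webroot file."""
    return apply_rules(path, rules) == path


if __name__ == "__main__":
    print("broken:", apply_rules(ACME_PATH, BROKEN_RULES))
    print("fixed: ", apply_rules(ACME_PATH, FIXED_RULES))
    print("normal page still redirected:", apply_rules("index.php", FIXED_RULES))
```

With `BROKEN_RULES` the challenge URL is answered with a redirect to `http://casazza.net/Home/`, which is exactly the "Invalid response from http://casazza.net/Home/" the validator reported; with `FIXED_RULES` the challenge path is served as-is while every other path still redirects.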

This turned out to be quite a mess. WordPress has a lot of .htaccess files. I also noticed that if I enable “Options Indexes” WordPress breaks. I tried a manual install and got a “Certificate Name Mismatch”, so just to make sure I did it right I moved my whole webroot folder aside and ran the certbot script with a webroot of a single index.html file. The certbot script ran fine (I picked attempt to reinstall the existing certificate), but the result remains “Certificate name mismatch”. Is this because both domains share the same IP? That seems to be the sense of the message. observastore.com still looks okay, but casazza.net does not.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.