[SOLVED] Www prefix breaking the cert


#1

Please fill out the fields below so we can help you better.

My domain is: bsidesslc.org

I ran this command: ./certbot-auto certonly -n --agree-tos --email admin@bsidesslc.org --domain bsidesslc.org --webroot --webroot-path /var/www/vhosts/bsidesslc.org/httpsdocs/

It produced this output: Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/bsidesslc.org/fullchain.pem. Your cert will
expire on 2017-02-24. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew all of your certificates, run
"certbot-auto renew"

My operating system is (include version): CentOS 6

My web server is (include version): Apache 2.2.15

My hosting provider, if applicable, is: Interserver.net

Yes, I CAN login to a root shell on my machine

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Nope

I seem to have a config error. The cert is for bsidesslc.org, if I browse to the site, it’s adding www, and it’s breaking the ssl. Is it easier for me to monkey with my httpd.conf or reissue the cert? I’m not a very good httpd.conf monkey.


#2

With a lot of basic CAs, on the one hand, they automatically add www. to certificates. On the other hand, they give you very little control over what names your certificate should cover. Let’s Encrypt gives you complete control; they do not automatically add any names, issuing the certificate for precisely the names you specified.

You should run something like this to issue a new certificate covering both bsidesslc.org and www.bsidesslc.org:

./certbot-auto certonly -n --agree-tos --email admin@bsidesslc.org --domain bsidesslc.org --domain www.bsidesslc.org --webroot --webroot-path /var/www/vhosts/bsidesslc.org/httpsdocs/

In other words, what you ran before, but with “--domain www.bsidesslc.org” tacked on.

It would be best to have both names functional, whether one redirects to the other or not. You never know what users will type into their browsers, so it’s best to be flexible.

If you want to keep the current setup, you should make a different change to your web server configuration, though. If you visit https://bsidesslc.org/ right now, it redirects to http://www.bsidesslc.org/, which redirects to https://www.bsidesslc.org/. The step in the middle isn’t secured, which hypothetically lets an attacker interfere. It would be best to add an “s” to the redirect configuration so that https://bsidesslc.org/ redirects straight to https://www.bsidesslc.org/.


#3

As an additional note, you may also want to add “--expand” so the certificate will be in the exact same location, but with the extra names in it. If you don’t do that, you’ll have two certificates, one with and one without the www prefix you’re adding.

If that gives an error, you’re likely running an old version of certbot and should update it if possible.
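Putting the advice from #2 and #3 together, here is an added Apache 2.2 configuration example (it is not from the original thread, from certbot, or from the poster's real httpd.conf). It assumes the certificate has been reissued with --expand so that /etc/letsencrypt/live/bsidesslc.org/ now covers both bsidesslc.org and www.bsidesslc.org, and that the site uses one name-based vhost per name; the file paths match what certbot printed above, everything else (DocumentRoot layout, log settings) is assumed. The first vhost shows the redirect the reply warns about, the rest show the corrected setup.

```apache
# BEFORE (constructed to match the chain described in #2):
#   https://bsidesslc.org/ -> http://www.bsidesslc.org/ -> https://www.bsidesslc.org/
# The middle hop is plain HTTP, so the browser leaves TLS for one request.
#
# <VirtualHost *:443>
#     ServerName bsidesslc.org
#     SSLEngine on
#     SSLCertificateFile      /etc/letsencrypt/live/bsidesslc.org/cert.pem
#     SSLCertificateKeyFile   /etc/letsencrypt/live/bsidesslc.org/privkey.pem
#     SSLCertificateChainFile /etc/letsencrypt/live/bsidesslc.org/chain.pem
#     Redirect permanent / http://www.bsidesslc.org/     # <- missing the "s"
# </VirtualHost>

# AFTER: every redirect lands directly on https://www.bsidesslc.org/

# Plain-HTTP entry point for both names: one hop straight to the HTTPS site.
<VirtualHost *:80>
    ServerName  bsidesslc.org
    ServerAlias www.bsidesslc.org
    Redirect permanent / https://www.bsidesslc.org/
</VirtualHost>

# HTTPS on the bare domain: still terminates TLS with the expanded cert
# (it now lists bsidesslc.org as a SAN), then redirects over HTTPS only.
<VirtualHost *:443>
    ServerName bsidesslc.org
    SSLEngine on
    # Apache 2.2 wants the leaf and the chain as separate files;
    # fullchain.pem in SSLCertificateFile is only accepted by 2.4.8+.
    SSLCertificateFile      /etc/letsencrypt/live/bsidesslc.org/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/bsidesslc.org/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/bsidesslc.org/chain.pem
    Redirect permanent / https://www.bsidesslc.org/
</VirtualHost>

# HTTPS vhost that actually serves the site, using the same expanded cert.
<VirtualHost *:443>
    ServerName www.bsidesslc.org
    DocumentRoot /var/www/vhosts/bsidesslc.org/httpsdocs
    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/bsidesslc.org/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/bsidesslc.org/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/bsidesslc.org/chain.pem
</VirtualHost>
```

Two name-based *:443 vhosts rely on SNI, which Apache 2.2.15 on CentOS 6 supports, and both must reference the expanded certificate or the bare-domain redirect will itself throw a certificate warning. After editing, `apachectl configtest` followed by a reload is enough; the chain can be checked by requesting https://bsidesslc.org/ with a client that shows each Location header and confirming that every hop starts with https://.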


#4

Thanks again to mnordhoff, and to motoko. You guys nailed it. I owe you a drink.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.