SSL Cert not fully trusted on www e non www site

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: radiorock.to

I ran this command:
sudo apt-get update
sudo apt-get install software-properties-common
sudo apt install certbot python3-certbot-apache
sudo certbot --apache

It produced this output:
Deploying certificate
Successfully deployed certificate for radiorock.to to /etc/apache2/sites-enabled/radiorock-le-ssl.conf

My web server is (include version):
Server version: Apache/2.4.52 (Ubuntu)
Server built: 2024-01-17T03:00:18

The operating system my web server runs on is (include version):
Ubuntu 22.04.4 LTS

My hosting provider, if applicable, is:
AWS lightsail

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

When I run certbot --apache it tells me to choose the website, and the certificate is valid only for the last choice I make, e.g. if I choose radiorock.to it is valid for the non-www name; if I choose www.radiorock.to first, the certificate is applied only on the www website.

this is part site.conf file

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/radiorock.to/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/radiorock.to/privkey.pem

I tried to manually add the www directory but it does not work for me.
Can you suggest the right way to do it?

Thank you so much
francesco

1 Like

Hi Francesco,

Certbot lets you choose multiple names in response to that prompt about which name(s) the certificate should be requested for. You can separate your replies with commas, like

1,2,3

If you request all of the relevant names, they will be included on a single certificate and that certificate will be configured to work for the relevant Apache VirtualHosts that are configured to respond to those names.

2 Likes

That is NOT the recommended way to install Certbot, please see:
(generally a good idea to remove all installed copies of Certbot before starting)

2 Likes

Thanks Bruce and Shoen for your support
I'll do this immediately
Do you think this article is a good way to remove all certbot packages?

Thanks a lot
francesco

3 Likes

No, it does a few unnecessary steps. E.g., removing entire directories in /etc/ and /var/ isn't something I would do and I wouldn't recommend the purge option.

Bruce means you should make sure all non-snap instances of Certbot are removed. One usually knows to find and remove the instance installed by apt, but sometimes one forgets about the instance installed globally by e.g. pip.

3 Likes

Now it works fine thanks a lot!

2 Likes

Hello again, today the problem has reappeared.
I have installed certbot as explained by Bruce, and tested it all yesterday. Today I have this issue:
if I point to https://radiorock.to all works ok
if I point to www.radiorock.to the certificate is invalid
The .conf file:

        ServerName radiorock.to
        ServerAlias www.radiorock.to
....
      RewriteEngine on  
      RewriteCond %{SERVER_NAME} =www.radiorock.to [OR]
      RewriteCond %{SERVER_NAME} =radiorock.to
      RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

on the radiorock-le file

        ServerName radiorock.to
        ServerAlias www.radiorock.to
...
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

# RewriteCond %{SERVER_NAME} =www.radiorock.to [OR]
# RewriteCond %{SERVER_NAME} =radiorock.to
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.radiorock.to/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.radiorock.to/privkey.pem
SSLCertificateFile /etc/letsencrypt/live/radiorock.to/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/radiorock.to/privkey.pem

I really do not know where to find the error! Any suggestion?

Please show the output of the command:

sudo certbot certificates

Thank you Osiris for your support

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: cnfbad.net
    Serial Number: 40c66df4a1a0d596e02751ac3b36c554f63
    Key Type: ECDSA
    Domains: cnfbad.net
    Expiry Date: 2024-08-09 09:00:34+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/cnfbad.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/cnfbad.net/privkey.pem
  Certificate Name: data.operaparla.it
    Serial Number: 49aaf6ce9a85ae91b6c3f6191922d8e075f
    Key Type: ECDSA
    Domains: data.operaparla.it
    Expiry Date: 2024-08-06 18:21:16+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/data.operaparla.it/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/data.operaparla.it/privkey.pem
  Certificate Name: e-book4free.com
    Serial Number: 3a59566d36820e99298d99b5e09ced25ee5
    Key Type: ECDSA
    Domains: e-book4free.com
    Expiry Date: 2024-08-06 18:18:29+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/e-book4free.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/e-book4free.com/privkey.pem
  Certificate Name: epsilonindi.it
    Serial Number: 4267b0ca8d1ab080fe37db4256e419d948c
    Key Type: ECDSA
    Domains: epsilonindi.it
    Expiry Date: 2024-08-06 18:18:51+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/epsilonindi.it/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/epsilonindi.it/privkey.pem
  Certificate Name: facilissoftware.it
    Serial Number: 470d22ca21d93ee0bd125721c8a636377db
    Key Type: ECDSA
    Domains: facilissoftware.it
    Expiry Date: 2024-08-09 11:01:14+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/facilissoftware.it/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/facilissoftware.it/privkey.pem
  Certificate Name: gaundri.com
    Serial Number: 33b91d31aa6481bf93ac384ba1b0205cc0d
    Key Type: ECDSA
    Domains: gaundri.com
    Expiry Date: 2024-08-07 05:38:30+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/gaundri.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/gaundri.com/privkey.pem
  Certificate Name: officinamusicale.it
    Serial Number: 36a084551620730083a8117a1611992cc90
    Key Type: ECDSA
    Domains: officinamusicale.it
    Expiry Date: 2024-08-06 18:20:53+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/officinamusicale.it/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/officinamusicale.it/privkey.pem
  Certificate Name: radiorock.to
    Serial Number: 3a0f6c85136d9a03d1571d5ec59cc2f4957
    Key Type: ECDSA
    Domains: radiorock.to
    Expiry Date: 2024-08-09 09:11:15+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/radiorock.to/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/radiorock.to/privkey.pem
  Certificate Name: rifugiodellarocca.it
    Serial Number: 31c5c4ad3847201dd5cd23d7f4390156519
    Key Type: ECDSA
    Domains: rifugiodellarocca.it
    Expiry Date: 2024-08-09 09:02:24+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/rifugiodellarocca.it/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/rifugiodellarocca.it/privkey.pem
  Certificate Name: service.facilissoftware.it
    Serial Number: 4b821c02182fdae733678ea234a145d0a9d
    Key Type: ECDSA
    Domains: service.facilissoftware.it
    Expiry Date: 2024-08-09 11:01:52+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/service.facilissoftware.it/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/service.facilissoftware.it/privkey.pem
  Certificate Name: studiopilates37.com
    Serial Number: 382c4ce3ca6f77d0f352734c6850f73b6ff
    Key Type: ECDSA
    Domains: studiopilates37.com
    Expiry Date: 2024-08-06 18:22:45+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/studiopilates37.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/studiopilates37.com/privkey.pem
  Certificate Name: tutelepatrimoniali.it
    Serial Number: 4197fea1c02ed34be30afdc174a2af4f2d6
    Key Type: ECDSA
    Domains: tutelepatrimoniali.it
    Expiry Date: 2024-08-06 18:23:06+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/tutelepatrimoniali.it/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/tutelepatrimoniali.it/privkey.pem
  Certificate Name: umbriain.it
    Serial Number: 4e6290ba5440761d7067df7e2e28f4995f3
    Key Type: ECDSA
    Domains: umbriain.it
    Expiry Date: 2024-08-06 18:24:07+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/umbriain.it/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/umbriain.it/privkey.pem
  Certificate Name: www.cnfbad.net
    Serial Number: 41ca448e96e2c5168c9c2c863d8c2897a7c
    Key Type: ECDSA
    Domains: www.cnfbad.net
    Expiry Date: 2024-08-09 09:00:45+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/www.cnfbad.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.cnfbad.net/privkey.pem
  Certificate Name: www.data.operaparla.it
    Serial Number: 3802afa5ab9d5fb9898dca56f8097883c0b
    Key Type: ECDSA
    Domains: www.data.operaparla.it
    Expiry Date: 2024-08-06 18:21:27+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/www.data.operaparla.it/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.data.operaparla.it/privkey.pem
  Certificate Name: www.e-book4free.com
    Serial Number: 402cb4434890d949e39998b65890c196e33
    Key Type: ECDSA
    Domains: www.e-book4free.com
    Expiry Date: 2024-08-06 18:18:39+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/www.e-book4free.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.e-book4free.com/privkey.pem
  Certificate Name: www.epsilonindi.it
    Serial Number: 33072e38727f560ba3afda64e3adcdb521e
    Key Type: ECDSA
    Domains: www.epsilonindi.it
    Expiry Date: 2024-08-06 18:18:59+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/www.epsilonindi.it/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.epsilonindi.it/privkey.pem
  Certificate Name: www.facilissoftware.it
    Serial Number: 40ce2d0ac2a72403ee75496ddea405ec762
    Key Type: ECDSA
    Domains: www.facilissoftware.it
    Expiry Date: 2024-08-09 11:01:33+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.facilissoftware.it/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.facilissoftware.it/privkey.pem
  Certificate Name: www.gaundri.com
    Serial Number: 3a554c13ccfe09a062dc09efcd4f51ef4ff
    Key Type: ECDSA
    Domains: www.gaundri.com
    Expiry Date: 2024-08-07 05:39:09+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/www.gaundri.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.gaundri.com/privkey.pem
  Certificate Name: www.officinamusicale.it
    Serial Number: 44ce9c884b3dce1f9d665f2f4cd3b5c9953
    Key Type: ECDSA
    Domains: www.officinamusicale.it
    Expiry Date: 2024-08-06 18:21:05+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/www.officinamusicale.it/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.officinamusicale.it/privkey.pem
  Certificate Name: www.radiorock.to
    Serial Number: 46c2978c97d7107da127fd223d5703e9057
    Key Type: ECDSA
    Domains: www.radiorock.to
    Expiry Date: 2024-08-09 09:11:26+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/www.radiorock.to/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.radiorock.to/privkey.pem
  Certificate Name: www.rifugiodellarocca.it
    Serial Number: 4f401aaba8609cc98fc05f69c7536ca807d
    Key Type: ECDSA
    Domains: www.rifugiodellarocca.it
    Expiry Date: 2024-08-09 09:02:45+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/www.rifugiodellarocca.it/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.rifugiodellarocca.it/privkey.pem
  Certificate Name: www.service.facilissoftware.it
    Serial Number: 30fc65a6d1f0a824538c314ce971c361a76
    Key Type: ECDSA
    Domains: www.service.facilissoftware.it
    Expiry Date: 2024-08-09 11:02:11+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.service.facilissoftware.it/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.service.facilissoftware.it/privkey.pem
  Certificate Name: www.studiopilates37.com
    Serial Number: 3585412fc7f33c7ace1089afaf598991d6b
    Key Type: ECDSA
    Domains: www.studiopilates37.com
    Expiry Date: 2024-08-06 18:22:56+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/www.studiopilates37.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.studiopilates37.com/privkey.pem
  Certificate Name: www.tutelepatrimoniali.it
    Serial Number: 4e3ecb6d1b1305d7d36476f5399c67df0b5
    Key Type: ECDSA
    Domains: www.tutelepatrimoniali.it
    Expiry Date: 2024-08-06 18:23:16+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/www.tutelepatrimoniali.it/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.tutelepatrimoniali.it/privkey.pem
  Certificate Name: www.umbriain.it
    Serial Number: 383a4388f238a03026e0c020ab8ff9bdda6
    Key Type: ECDSA
    Domains: www.umbriain.it
    Expiry Date: 2024-08-06 18:24:19+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/www.umbriain.it/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.umbriain.it/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Qualys says (https://www.ssllabs.com/)

Certificate name mismatch

and refers to the first certificate, cnfbad.net

Your problem is that you're mentioning both certificates in your "radiorock-le" file, but they have the same keytype (ECDSA) so the second one takes preference over the first one.

You probably want to include just a single cert with both hostnames.

So this:

certificate can be combined with:

By running:

sudo certbot --apache --expand --cert-name radiorock.to -d radiorock.to -d www.radiorock.to

Once you've got that certificate for both hostnames, make sure your "radiorock-le" file is ONLY referencing the fullchain.pem and privkey.pem from /etc/letsencrypt/live/radiorock.to/ and NOT from /etc/letsencrypt/live/www.radiorock.to/.

Once that's the case and your website works flawlessly, you can remove the www.radiorock.to certificate by running:

sudo certbot delete --cert-name www.radiorock.to

Note that your "radiorock-le" file should only include SSLCertificateFile and SSLCertificateKeyFile once after the above.

The same goes for a lot of the other certificates too, by the way. Lots of certificates with just a single hostname which could be combined into just a single cert with multiple hostnames.

2 Likes
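An added check, written for this thread and not part of Certbot or the original posts, that parses a constructed excerpt in the shape of `certbot certificates` output and a constructed copy of the "radiorock-le" SSLCertificateFile lines: it reports apex names whose www form sits on a separate lineage (candidates for `--expand`) and the SSLCertificateFile directive that a later directive of the same key type overrides. The `example.net` lineage is invented to show a correctly combined cert.

```python
import re

# Constructed excerpt mirroring the layout of `sudo certbot certificates` (not the full listing).
CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: radiorock.to
    Key Type: ECDSA
    Domains: radiorock.to
  Certificate Name: www.radiorock.to
    Key Type: ECDSA
    Domains: www.radiorock.to
  Certificate Name: example.net
    Key Type: ECDSA
    Domains: example.net www.example.net
"""

# Constructed copy of the broken vhost: two certs of the same key type (key file lines omitted).
VHOST = """\
SSLCertificateFile /etc/letsencrypt/live/www.radiorock.to/fullchain.pem
SSLCertificateFile /etc/letsencrypt/live/radiorock.to/fullchain.pem
"""

def parse_certificates(text):
    """Map lineage name -> {"key_type": str, "domains": set} from certbot's listing."""
    lineages, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*Certificate Name: (\S+)", line):
            cur = lineages.setdefault(m.group(1), {"key_type": None, "domains": set()})
        elif cur and (m := re.match(r"\s*Key Type: (\S+)", line)):
            cur["key_type"] = m.group(1)
        elif cur and (m := re.match(r"\s*Domains: (.+)", line)):
            cur["domains"] = set(m.group(1).split())
    return lineages

def mergeable_pairs(lineages):
    """Apex names on a single-name lineage whose www form is issued separately."""
    covered = {d for lin in lineages.values() for d in lin["domains"]}
    return sorted(n for n, lin in lineages.items()
                  if lin["domains"] == {n} and not n.startswith("www.")
                  and "www." + n in covered)

def shadowed_cert_files(vhost_text, lineages):
    """SSLCertificateFile paths overridden by a later directive of the same key type."""
    seen, shadowed = {}, []
    for path in re.findall(r"^\s*SSLCertificateFile\s+(\S+)", vhost_text, re.M):
        m = re.search(r"/live/([^/]+)/", path)  # lineage name from the live/ path
        ktype = lineages.get(m.group(1) if m else path, {}).get("key_type")
        if ktype in seen:
            shadowed.append(seen[ktype])  # the earlier file of this key type loses
        seen[ktype] = path
    return shadowed
```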

Thank you Osiris, now it's ok and it's a logical approach

Let's Debug

and it is true, all the vhosts have the same schema and also the same error
thanks so much

1 Like

Since each vhost can only use one cert of a specific type, your options are:

  • join the names onto one single cert
    [as detailed by @Osiris]

  • split the vhosts into two
    using one vhost, and cert, per name

  • replace just one of the ECDSA certs with an RSA cert
    then each name can be served by its own cert

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.