SSL Certificate for Website with redirection


#1

Hi,

My company has a website with a lot of content. We created a new website and put the old website as old.zabazdomain.com and set a 301 redirection in .htaccess files so every URL in old.zabazdomain.com will go to zabazdomain.com automatically. Now the problem is the SSL certificate expired for this old website and, due to the redirection, I can’t access the old WordPress-based website to install the new certificate. I tried it through SSH and got the below listed result. Kindly help.

My domain is: Sorry but I have to mention it as zabazdomain due to authorization problems

I ran this command: sudo certbot --nginx certonly

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?


1: zabazdomain.com
2: old.zabazdomain.com
3: www.zabazdomain.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 2
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/old.zabazdomain.com.conf)

What would you like to do?


1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for old.zabazdomain.com
nginx: [warn] conflicting server name “zabazdomain.com” on 10.0.0.4:443, ignored
nginx: [warn] conflicting server name “www.zabazdomain.com” on 10.0.0.4:443, ignored
nginx: [warn] conflicting server name “zabazdomain.com” on 10.0.0.4:443, ignored
nginx: [warn] conflicting server name “www.zabazdomain.com” on 10.0.0.4:443, ignored
Waiting for verification…
Cleaning up challenges
nginx: [warn] conflicting server name “zabazdomain.com” on 10.0.0.4:443, ignored
nginx: [warn] conflicting server name “www.zabazdomain.com” on 10.0.0.4:443, ignored
nginx: [warn] conflicting server name “zabazdomain.com” on 10.0.0.4:443, ignored
nginx: [warn] conflicting server name “www.zabazdomain.com” on 10.0.0.4:443, ignored

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/old.zabazdomain.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/old.zabazdomain.com/privkey.pem
    Your cert will expire on 2019-06-17. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version): nginx/1.13.3

The operating system my web server runs on is (include version): Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-134-generic x86_64)

My hosting provider, if applicable, is: In a VM inside Azure

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.26.1


#2

Hi @ziyadabaz,

When you say

I can’t access the old wordpress based website to install the new certificate.

I wonder why you need to use WordPress to install your certificate. Isn’t your certificate configured in nginx? If you normally install your certificate using a web interface, are you sure that you’re not using some kind of control panel?

A few suggestions without fully understanding your setup:

  • You could try to reload nginx with a command like sudo service nginx reload (to make sure that it’s aware of the new certificate).
  • You could edit the .htaccess files over ssh, using a text editor.
  • In case the certificate that you renewed isn’t the same one that your nginx is using, you can see all of your Certbot-managed certificates with the command sudo certbot certificates.

#3

Hi Schoen,

Thanks for your inputs. I’m more of a hardware guy and my experience with hosting functionalities is limited.

1- I have never installed or worked on this website before. Earlier this used to be in HostGator and SSL was managed through its cPanel. This was moved to Azure later and from my understanding the guy who migrated it to Azure used certbot to activate a temporary certificate. He is not in the company anymore and I have to handle this situation myself. I was thinking about installing a cert through SSL plugins for WordPress. This is not possible due to redirections now.

2- I think restarting nginx will result in a short downtime. This will affect the redirects for sure, right? Is there a way to check if nginx is using the correct certificate?

3- I tried the sudo certbot certificates command and got the below output

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Revocation status for /etc/letsencrypt/live/zabazdomain.com/cert.pem is unknown


Found the following certs:
Certificate Name: zabazdomain.com
Domains: zabazdomain.com old.zabazdomain.com www.zabazdomain.com
Expiry Date: 2019-02-14 07:40:07+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/zabazdomain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/zabazdomain.com/privkey.pem
Certificate Name: old.zabazdomain.com
Domains: old.zabazdomain.com
Expiry Date: 2019-06-17 08:03:49+00:00 (VALID: 87 days)
Certificate Path: /etc/letsencrypt/live/old.zabazdomain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/old.zabazdomain.com/privkey.pem

It’s saying the certificate is valid for old.zabazdomain.com but expired for zabazdomain.com. This is understandable as I did not use certbot on zabazdomain.com as we have a valid certificate installed on the new host for this. Do I have to install a Let’s Encrypt certificate for zabazdomain.com on Azure also? This means two different certificates for one domain in two different hosts. Is that gonna cause any issues?


#4

The thing is, now whenever someone types a valid URL of our website there are no certificate errors shown, as it directly takes the user to the new website. It only shows an invalid certificate error when someone types an invalid URL with the old. prefix.


#5

That’s totally fine and is even an intended situation in some ways of migrating to a new server.


#6

Thanks Schoen. I tried to install a certificate for the other one using the same sudo certbot --expand command. But it looks like there was some kind of error in verifying. I see it’s trying to verify an acme-challenge but I didn’t have any files/DNS entries for them provided by certbot or mentioned in the tutorial. Is it placed automatically by certbot on the server? Or is it failing due to the redirection? As the IP address that was mentioned in the error log belongs to the new server. Maybe it placed the acme-challenge files on the server that I’m executing the command on but due to redirection checks on the second, new server? Sorry if I am wrong. I’m so dumb when it comes to websites.

sudo certbot --expand -d zabazdomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?


1: Apache Web Server plugin - Beta (apache)
2: Nginx Web Server plugin - Alpha (nginx)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for zabazdomain.com
nginx: [warn] conflicting server name “zabazdomain.com” on 10.0.0.4:443, ignored
nginx: [warn] conflicting server name “www.zabazdomain.com” on 10.0.0.4:443, ignored
nginx: [warn] conflicting server name “zabazdomain.com” on 10.0.0.4:443, ignored
nginx: [warn] conflicting server name “www.zabazdomain.com” on 10.0.0.4:443, ignored
Waiting for verification…
Cleaning up challenges
nginx: [warn] conflicting server name “zabazdomain.com” on 10.0.0.4:443, ignored
nginx: [warn] conflicting server name “www.zabazdomain.com” on 10.0.0.4:443, ignored
nginx: [warn] conflicting server name “zabazdomain.com” on 10.0.0.4:443, ignored
nginx: [warn] conflicting server name “www.zabazdomain.com” on 10.0.0.4:443, ignored
Failed authorization procedure. zabazdomain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://zabazdomain.com/.well-known/acme-challenge/5faxpNIHe8SvUI4UHbFRpEO4T2N4fZI3809usjfdfXdkR8 [1xx.xxx.xxx.xx1]: " <!doctype html>\n\n\n <meta charset=“utf-8”>\n Page Not Found\n <meta name=“viewport” content"

IMPORTANT NOTES:


#7

Hi @ziyadabaz,

There you see the problem. You have overlapping definitions. Every combination of port, IP and domain name should be unique. Remove all duplicated vHosts (first, make a backup).
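As an added illustration of the overlap described above (example code, not from the thread or from nginx/Certbot), the following script parses flat nginx `server { ... }` blocks and reports every (listen address, server_name) pair claimed by more than one block, which is exactly what nginx warns about as "conflicting server name ... ignored". The sample configuration is constructed to reproduce the warnings in the posts above; the `*:80` default for a block without a `listen` directive is an assumption of this script.

```python
import re
from collections import defaultdict

# Constructed sample: three vhosts on the same ip:port, two of them claiming the same names.
# This reproduces "conflicting server name ... on 10.0.0.4:443, ignored" from the thread.
SAMPLE_CONF = """
server {
    listen 10.0.0.4:443 ssl;
    server_name zabazdomain.com www.zabazdomain.com;
    ssl_certificate /etc/letsencrypt/live/zabazdomain.com/fullchain.pem;
}
server {
    listen 10.0.0.4:443 ssl;
    server_name old.zabazdomain.com;
    ssl_certificate /etc/letsencrypt/live/old.zabazdomain.com/fullchain.pem;
}
server {
    listen 10.0.0.4:443 ssl;
    server_name zabazdomain.com www.zabazdomain.com;
    ssl_certificate /etc/letsencrypt/live/zabazdomain.com/fullchain.pem;
}
"""

SERVER_BLOCK = re.compile(r"server\s*\{(.*?)\}", re.S)          # flat blocks only (no nested braces)
DIRECTIVE = re.compile(r"^\s*(listen|server_name)\s+([^;]+);", re.M)


def parse_server_blocks(conf):
    """Return one (listen_addresses, server_names) tuple per server block."""
    blocks = []
    for m in SERVER_BLOCK.finditer(conf):
        listens, names = [], []
        for kind, value in DIRECTIVE.findall(m.group(1)):
            tokens = value.split()
            if kind == "listen":
                listens.append(tokens[0])      # drop parameters such as "ssl" / "default_server"
            else:
                names.extend(tokens)
        if not listens:
            listens = ["*:80"]                  # assumed default when no listen directive is present
        blocks.append((listens, names))
    return blocks


def find_conflicts(conf):
    """Return {(listen_address, server_name): count} for pairs claimed by more than one block.
    Those are the vhosts nginx ignores, so the wrong certificate may be served for that name."""
    seen = defaultdict(int)
    for listens, names in parse_server_blocks(conf):
        for addr in listens:
            for name in names:
                seen[(addr, name)] += 1
    return {pair: n for pair, n in seen.items() if n > 1}
```

Run it against the concatenated output of the enabled site files (for example `cat /etc/nginx/sites-enabled/*`) before deleting anything, so the backup and the removal target the same duplicated blocks.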