SSL certification renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.arts-et-metiers.asso.fr

I ran this command:

certbot --apache --rsa-key-size 4096

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: arts-et-metiers.fr
2: emploi.arts-et-metiers.fr
3: prod.arts-et-metiers.fr
4: www.arts-et-metiers.fr
5: arts-et-metiers.asso.fr
6: admin.arts-et-metiers.asso.fr
7: am.arts-et-metiers.asso.fr
8: emploi.arts-et-metiers.asso.fr
9: www.arts-et-metiers.asso.fr
10: soce.fr
11: admin.soce.fr
12: dev-ec.soce.fr
13: www.soce.fr


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 9
Requesting a certificate for www.arts-et-metiers.asso.fr
Performing the following challenges:
http-01 challenge for www.arts-et-metiers.asso.fr
Waiting for verification...
Challenge failed for domain www.arts-et-metiers.asso.fr
http-01 challenge for www.arts-et-metiers.asso.fr
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version):
Apache

The operating system my web server runs on is (include version):
Debian 11

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot --version

certbot 1.12.0

Welcome to the community @MoBSoce

The 404 error means Certbot is having difficulty with your Apache config. Can you show us the output of this command?

apachectl -t -D DUMP_VHOSTS

(replace apachectl with apache2ctl or httpd if your system requires that)

3 Likes

I just tried to renew my certificates. I didn't change anything.
Here's the output of apachectl dump

apache2ctl -t -D DUMP_VHOSTS

[Tue May 02 17:16:01.171953 2023] [core:warn] [pid 10135] AH00117: Ignoring deprecated use of DefaultType in line 178 of /etc/apache2/apache2.conf.
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/default-ssl.conf:173
VirtualHost configuration:
127.0.0.1:80 127.0.0.1 (/etc/apache2/conf.d/status.conf:1)
*:80 is a NameVirtualHost
default server hesykhia2.gorgu.net (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost hesykhia2.gorgu.net (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost am.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/am.arts-et-metiers.asso.fr.conf:1)
port 80 namevhost emploi.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/ec:1)
alias dev-ec.soce.fr
alias emploi.arts-et-metiers.fr
port 80 namevhost www.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/soce:1)
alias www.soce.fr
alias soce.fr
alias arts-et-metiers.asso.fr
alias arts-et-metiers.fr
alias www.arts-et-metiers.fr
port 80 namevhost admin.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/soce-admin.conf:1)
alias admin.soce.fr
*:443 is a NameVirtualHost
default server am.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/am.arts-et-metiers.asso.fr-le-ssl.conf:2)
port 443 namevhost am.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/am.arts-et-metiers.asso.fr-le-ssl.conf:2)
port 443 namevhost hesykhia2.gorgu.net (/etc/apache2/sites-enabled/default-ssl.conf:10)
port 443 namevhost www.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/default-ssl.conf:187)
alias www.soce.fr
alias soce.fr
alias arts-et-metiers.asso.fr
alias arts-et-metiers.fr
alias www.arts-et-metiers.fr
alias prod.arts-et-metiers.fr
port 443 namevhost emploi.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/default-ssl.conf:302)
alias dev-ec.soce.fr
alias emploi.arts-et-metiers.fr
port 443 namevhost admin.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/soce-admin-le-ssl.conf:2)
alias admin.soce.fr
port 443 namevhost www.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/soce-le-ssl.conf:2)
alias www.soce.fr
alias soce.fr
alias arts-et-metiers.asso.fr
alias arts-et-metiers.fr
alias www.arts-et-metiers.fr

Notice in the error message above it shows the URL starting with HTTPS://

The HTTP request for the cert challenge is being redirected to HTTPS. And, you have overlapping hostnames and ports for HTTPS.

Which of these VirtualHost config files is the correct one? You might also have general SSL config in the default-ssl.conf file, as that is common. The prod.arts-et-metiers.fr name differs between them: is that a new name or an obsolete name?

3 Likes

Also, when selecting a cert for this domain:

You should include the base domain: "5,9"

Better yet, you should include all the names within the same vhost [in the same cert]:

"1,4,5,9,10,13"

3 Likes

I see now that there's troubling information indeed when it comes to these two sections of port 443 ::

port 443 namevhost www.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/default-ssl.conf:187)
alias www.soce.fr
alias soce.fr
alias arts-et-metiers.asso.fr
alias arts-et-metiers.fr
alias www.arts-et-metiers.fr
alias prod.arts-et-metiers.fr
port 443 namevhost www.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/soce-le-ssl.conf:2)
alias www.soce.fr
alias soce.fr
alias arts-et-metiers.asso.fr
alias arts-et-metiers.fr
alias www.arts-et-metiers.fr

Is this the overlap you were talking about?

I just took over this job and am not sure which one is correct. Is there a way to find out for sure? And how do I solve this issue in the end?

Here's my default-ssl.conf ::
# cat /etc/apache2/sites-enabled/default-ssl.conf

<IfModule mod_ssl.c>
#<VirtualHost _default_:443>

#############################
#                                                       #
#       Default SSL vhost       #
#                                                       #
#############################

<VirtualHost *:443>
        Protocols h2 h2c http/1.1
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    ServerSignature Off

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

        #   Server Certificate Chain:
        #   Point SSLCertificateChainFile at a file containing the
        #   concatenation of PEM encoded CA certificates which form the
        #   certificate chain for the server certificate. Alternatively
        #   the referenced file can be the same as SSLCertificateFile
        #   when the CA certificates are directly appended to the server
        #   certificate for convinience.
        #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

        #   Certificate Authority (CA):
        #   Set the CA certificate verification path where to find CA
        #   certificates for client authentication or alternatively one
        #   huge file containing all of them (file must be PEM encoded)
        #   Note: Inside SSLCACertificatePath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        #SSLCACertificatePath /etc/ssl/certs/
        #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

        #   Certificate Revocation Lists (CRL):
        #   Set the CA revocation path where to find CA CRLs for client
        #   authentication or alternatively one huge file containing all
        #   of them (file must be PEM encoded)
        #   Note: Inside SSLCARevocationPath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        #SSLCARevocationPath /etc/apache2/ssl.crl/
        #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

        #   Client Authentication (Type):
        #   Client certificate verification type and depth.  Types are
        #   none, optional, require and optional_no_ca.  Depth is a
        #   number which specifies how deeply to verify the certificate
        #   issuer chain before deciding the certificate is not valid.
        #SSLVerifyClient require
        #SSLVerifyDepth  10

        #   Access Control:
        #   With SSLRequire you can do per-directory access control based
        #   on arbitrary complex boolean expressions containing server
        #   variable checks and other lookup directives.  The syntax is a
        #   mixture between C and Perl.  See the mod_ssl documentation
        #   for more details.
        #<Location />
        #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
        #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
        #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
        #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
        #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
        #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
        #</Location>

        #   SSL Engine Options:
        #   Set various options for the SSL engine.
        #   o FakeBasicAuth:
        #     Translate the client X.509 into a Basic Authorisation.  This means that
        #     the standard Auth/DBMAuth methods can be used for access control.  The
        #     user name is the `one line' version of the client's X.509 certificate.
        #     Note that no password is obtained from the user. Every entry in the user
        #     file needs this password: `xxj31ZMTZzkVA'.
        #   o ExportCertData:
        #     This exports two additional environment variables: SSL_CLIENT_CERT and
        #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
        #     server (always existing) and the client (only existing when client
        #     authentication is used). This can be used to import the certificates
        #     into CGI scripts.
        #   o StdEnvVars:
        #     This exports the standard SSL/TLS related `SSL_*' environment variables.
        #     Per default this exportation is switched off for performance reasons,
        #     because the extraction step is an expensive operation and is usually
        #     useless for serving static content. So one usually enables the
        #     exportation for CGI and SSI requests only.
        #   o StrictRequire:
        #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
        #     under a "Satisfy any" situation, i.e. when it applies access is denied
        #     and no other module can change it.
        #   o OptRenegotiate:
        #     This enables optimized SSL connection renegotiation handling when SSL
        #     directives are used in per-directory context.
        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        #   SSL Protocol Adjustments:
        #   The safe and default but still SSL/TLS standard compliant shutdown
        #   approach is that mod_ssl sends the close notify alert but doesn't wait for
        #   the close notify alert from client. When you need a different shutdown
        #   approach you can use one of the following variables:
        #   o ssl-unclean-shutdown:
        #     This forces an unclean shutdown when the connection is closed, i.e. no
        #     SSL close notify alert is send or allowed to received.  This violates
        #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
        #     this when you receive I/O errors because of the standard approach where
        #     mod_ssl sends the close notify alert.
        #   o ssl-accurate-shutdown:
        #     This forces an accurate shutdown when the connection is closed, i.e. a
        #     SSL close notify alert is send and mod_ssl waits for the close notify
        #     alert of the client. This is 100% SSL/TLS standard compliant, but in
        #     practice often causes hanging connections with brain-dead browsers. Use
        #     this only for browsers where you know that their SSL implementation
        #     works correctly.
        #   Notice: Most problems of broken clients are also related to the HTTP
        #   keep-alive facility, so you usually additionally want to disable
        #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
        #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
        #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
        #   "force-response-1.0" for this.
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

        NameVirtualHost *:443

#       SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
#    SSLProtocol All -SSLv2 -SSLv3
#    SSLHonorCipherOrder On

</VirtualHost>

#####################################
#                                                                       #
# VirtualHost for the SOCE.fr site      #
#                                                                       #
#####################################

<VirtualHost *:443>
    Protocols h2 h2c http/1.1
        ServerAdmin support@gadz.org

    ServerName www.arts-et-metiers.asso.fr

    ServerAlias www.soce.fr soce.fr arts-et-metiers.asso.fr arts-et-metiers.fr www.arts-et-metiers.fr prod.arts-et-metiers.fr

    DocumentRoot /var/www/soce/web

    <Directory /var/www/soce/web>
        AllowOverride All
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error-soce-ssl.log

    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access-soce-ssl.log combined

    ServerSignature Off

    Alias /sf /var/www/soce/symfony_embarque/data/web/sf

    SSLEngine on

#    SSLCertificateFile    /etc/ssl/certs/2_arts-et-metiers.asso.fr.crt
#    SSLCertificateKeyFile /etc/ssl/private/arts-et-metiers.asso.fr.private_without_pass.key

#    SSLCertificateChainFile /etc/ssl/certs/1_root_bundle.crt


#    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

#SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
#SSLHonorCipherOrder On

#SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA



# Requires Apache >= 2.4.11
#SSLCompression off
#SSLUseStapling on
#SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
#SSLSessionTickets Off
#Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
#Header always set X-Frame-Options DENY
#Header always set X-Content-Type-Options nosniff


        <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>


# PHP-FPM
<FilesMatch "\.php$">
        ProxyErrorOverride on
    SetHandler "proxy:unix:/var/run/php/php7.4-fpm.sock|fcgi://localhost/"
</FilesMatch>
<Proxy "fcgi://localhost/">
        ProxySet timeout=3600
</Proxy>


#max_execution_time 600
#FcgidBusyTimeout 600
#FcgidIOTimeout 450



            BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown


                #Old rules redirect base
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.arts-et-metiers.asso\.fr [NC]
    RewriteCond %{HTTP_HOST} !^$
        RewriteRule ^/(.*) https://www.arts-et-metiers.asso.fr/$1 [L,R=301]


 # If the php file doesn't exist, disable the proxy handler.
 # This will allow .htaccess rewrite rules to work and
 # the client will see the default 404 page of Apache
 RewriteCond %{REQUEST_FILENAME} \.php$
 RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} !-f
 RewriteRule (.*) - [H=text/html]


        #Redirect rules for the platal shutdown intervention
       #RewriteEngine on
       #RewriteRule ^\/index.php/espaceMembre \/maintenance.html
       #RewriteRule ^\/index.php/adminMembres/index/id_user/* \/maintenance.html
       #RewriteRule ^\/index.php/bureau/sinscrire/id_manifestation/* \/maintenance.html
       #RewriteRule ^\/user/inscriptionEleve \/maintenance.html
       #RewriteRule ^\/index.php/adminMembres/updatenewuser \/maintenance.html
       #RewriteRule ^\/index.php/adminMembres/createuser \/maintenance.html

                Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/emploi.arts-et-metiers.asso.fr-0001/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/emploi.arts-et-metiers.asso.fr-0001/privkey.pem
</VirtualHost>

#####################################
#                                                                       #
# VirtualHost for the emploi site       #
#                                                                       #
#####################################

<VirtualHost *:443>
        Protocols h2 h2c http/1.1
    ServerAdmin support@gadz.org
    ServerName emploi.arts-et-metiers.asso.fr
    ServerAlias dev-ec.soce.fr emploi.arts-et-metiers.fr
    DocumentRoot /var/www/ec/web
    ErrorLog /var/log/apache2/error-ec-ssl.log
    LogLevel warn
    CustomLog /var/log/apache2/access-ec-ssl.log combined
    ServerSignature Off
#    php_flag register_globals On

    <Directory /var/www/ec/web/admin/>
        AuthUserFile /var/www/ec/liste.users
        AuthGroupFile /dev/null
        AuthName "Acces reserve SOCE EC ADMIN"
        AuthType Basic
        require valid-user
    </Directory>

    SSLEngine on

#    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
#    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
#    SSLHonorCipherOrder On

#SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA


#SSLCertificateFile    /etc/ssl/certs/2_arts-et-metiers.asso.fr.crt
#SSLCertificateKeyFile /etc/ssl/private/arts-et-metiers.asso.fr.private_without_pass.key
#SSLCertificateChainFile /etc/ssl/certs/1_root_bundle.crt



 # PHP-FPM
 <FilesMatch "\.php$">
        ProxyErrorOverride on
     SetHandler "proxy:unix:/var/run/php/php7.4-fpm.sock|fcgi://localhost/"
 </FilesMatch>
 <Proxy "fcgi://localhost/">
        ProxySet timeout=1200
 </Proxy>


RewriteEngine on

#   RewriteCond %{HTTP_HOST} !^emploi\.arts-et-metiers\.asso\.fr [NC]
#   RewriteCond %{HTTP_HOST} !^$
#   RewriteRule ^/(.*) https://emploi.arts-et-metiers.asso.fr/$1 [L,R=301]

RewriteRule ^\/(recherches)_([0-9]*)_(and|or|phrase)_([0-9]*)_([0-9]*)_([0-9]*)_?([0-9]*)_(.*)\.htm$ \/index.php?rub=$1&query=$8&results=$2&type=$3&category=$4&date_deb=$5&date_fin=$6&start=$7&search=1 [L]
RewriteRule ^\/contacts\.htm$ \/index.php?rub=contacts [L]
    RewriteRule ^\/offre_ficher_add\.htm$ \/index.php?rub=offre_fichier_add [L]
    RewriteRule ^\/plan\.htm$ \/index.php?rub=plan_site [L]
    RewriteRule ^\/mentions_legales\.htm$ \/index.php?rub=mentions_legales [L]
    RewriteRule ^\/(cvs)_([a-z]+)_([12]{1})_?([0-9]*)\.htm$ \/index.php?rub=$1&action=$2&type_cv=$3&id=$4 [L]
    RewriteRule ^\/consultation_offre_?(e)?_([0-9]+)\.htm$ \/index.php?rub=offres_consult&table=$1&id=$2 [L]
    RewriteRule ^\/(inscrit_panier)_([0-9]*)\.htm$ \/index.php?rub=$1&id=$2 [L]
    RewriteRule ^\/(motiv)_([a-z]+)_?([0-9]*)\.htm$ \/index.php?rub=$1&action=$2&id=$3 [L]
    RewriteRule ^\/(offres)_([a-z]+)_?([0-9]*)\.htm$ \/index.php?rub=$1&action=$2&id=$3 [L]
    RewriteRule ^\/consultation_cv_([0-9]+)\.htm$ \/index.php?rub=cvs_consult&id=$1 [L]
    RewriteRule ^\/(recruteur_panier)_([0-9]*)\.htm$ \/index.php?rub=$1&id=$2 [L]
    RewriteRule ^\/(alertes|mes_recherches)_([a-z]+)_?([0-9]*)\.htm$ \/index.php?rub=$1&action=$2&num=$3 [L]
    RewriteRule ^\/([a-z_]+)(\.htm){1}$ \/index.php?rub=$1 [L]


 # If the php file doesn't exist, disable the proxy handler.
 # This will allow .htaccess rewrite rules to work and
 # the client will see the default 404 page of Apache
 RewriteCond %{REQUEST_FILENAME} \.php$
 RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} !-f
 RewriteRule (.*) - [H=text/html]


    <Directory /var/www/ec/web/>
        AllowOverride All
    </Directory>

            Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/emploi.arts-et-metiers.asso.fr-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/emploi.arts-et-metiers.asso.fr-0001/privkey.pem
</VirtualHost>

</IfModule>

I was actually doing them one by one.
Most succeeded. Only 2 failed : numbers 9 and 13. Both with error 404 asking me to change my DNS record.
But nothing changed since last time it worked and I'm confused as to why this failure now.
Thanks for the help

You won't be able to insert more than one single cert in one single vhost file.
So, stop doing them one by one - all those single certs will go to waste.

3 Likes

Compare the files.
See what they do.
Pick the one that isn't the default.
And fix the default, so that it doesn't conflict with the other.

Work never ends - LOL
There is no permanent haircut.
Hair will grow, and you will need to cut it again ... and again ...
After each additional domain is inserted, run:
apachectl -t -D DUMP_VHOSTS
and verify that there are no duplicate name:port entries.
Unfortunately, Apache will NOT do this for you.

3 Likes
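
Added example, not part of any post in this thread: one way to automate the "no duplicate name:port entries" check on `DUMP_VHOSTS` output. The names `find_duplicates`, `record` and `SAMPLE` are illustrative, and the sample is abridged from the output posted above.

```python
#!/usr/bin/env python3
"""Flag hostnames claimed by more than one VirtualHost on the same port.

Reads `apachectl -t -D DUMP_VHOSTS` output on stdin.
"""
import re
import sys
from collections import defaultdict

# e.g. "port 443 namevhost www.soce.fr (/etc/apache2/sites-enabled/x.conf:2)"
NAMEVHOST = re.compile(r"^port\s+(\d+)\s+namevhost\s+(\S+)\s+\((.+):(\d+)\)$")
ALIAS = re.compile(r"^alias\s+(\S+)$")

# Abridged from the DUMP_VHOSTS output posted in this thread.
SAMPLE = """\
*:443 is a NameVirtualHost
default server am.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/am.arts-et-metiers.asso.fr-le-ssl.conf:2)
port 443 namevhost am.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/am.arts-et-metiers.asso.fr-le-ssl.conf:2)
port 443 namevhost www.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/default-ssl.conf:187)
alias www.soce.fr
alias prod.arts-et-metiers.fr
port 443 namevhost www.arts-et-metiers.asso.fr (/etc/apache2/sites-enabled/soce-le-ssl.conf:2)
alias www.soce.fr
"""


def record(seen, name, vhost):
    """Remember that `name` is served by the vhost defined at file:line."""
    port, where = vhost
    key = (name.lower(), port)
    if where not in seen[key]:
        seen[key].append(where)


def find_duplicates(dump_text):
    """Return {(name, port): [file:line, ...]} for names defined more than once."""
    seen = defaultdict(list)
    current = None  # (port, "file:line") of the vhost whose aliases follow
    for raw in dump_text.splitlines():
        line = raw.strip()  # real output is indented; ignore that
        m = NAMEVHOST.match(line)
        if m:
            port, name, path, lineno = m.groups()
            current = (int(port), f"{path}:{lineno}")
            record(seen, name, current)
            continue
        m = ALIAS.match(line)
        if m and current:
            record(seen, m.group(1), current)
            continue
        # "default server ...", "*:443 is a NameVirtualHost", warnings, etc.
        current = None
    return {key: places for key, places in seen.items() if len(places) > 1}


def main():
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    dups = find_duplicates(text)
    for (name, port), places in sorted(dups.items()):
        print(f"{name}:{port} is defined in {len(places)} vhosts:")
        for where in places:
            print(f"    {where}")
    return 1 if dups else 0  # non-zero exit when an overlap is found


if __name__ == "__main__":
    sys.exit(main())
```

Pipe the output of `apache2ctl -t -D DUMP_VHOSTS` into the script after each vhost change; with no piped input it runs on the embedded sample.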
