SSL for masked redirected domain name?

I filled out the questionnaire below but first let me explain my setup. I run apache2 on an Ubuntu server. I run my primary website on port 80/443 and have my domain name (nickdeubert.com), that is encrypted with lets encrypt, that directly goes to it. That all works perfectly.

Now I am running a second site (wendydeubert.com) with a masked domain name that redirects to the site hosted on the same server. I've tried running this site on a different port through apache's configuration (http://nickdeubert.com:446/) or also as a subdirectory of the first site (https://nickdeubert.com/wendy/). The redirect for the site all works exactly like I want, but chrome shows the second site as "Not Secure". I've tried running certbot with apache and webroot for the second site but it always fails. Is there a way to make this work? Do I need to add the second domain to the cert for the first? Are there files I need to include in my webroot? Thanks

I am using namecheap.com and redirecting like this for the second site:

My domain is:
wendydeubert.com
nickdeubert.com

I ran this command and it produced this output:
$ sudo certbot certonly --webroot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): wendydeubert.com
Requesting a certificate for wendydeubert.com
Input the webroot for wendydeubert.com: (Enter 'c' to cancel): /home/www/htdocs/wendy/

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: wendydeubert.com
Type: unauthorized
Detail: 192.64.119.206: Invalid response from http://wendydeubert.com/.well-known/acme-challenge/EXNqE21Br1Y4SWIvFYi5FiuCEuV6ZyEK-82G2ZzKDTo: "\n\n \n "

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.


Also tried:
$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: nickdeubert.com
2: www.nickdeubert.com
3: wendydeubert.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 3
Requesting a certificate for wendydeubert.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: wendydeubert.com
Type: unauthorized
Detail: 192.64.119.167: Invalid response from http://wendydeubert.com/.well-known/acme-challenge/2phhEYybRUv7E4W7TrFCfyllKhTf44cCHQKoFzO2QJE: "\n\n \n "

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

My web server is (include version): apache 2.4.52

The operating system my web server runs on is (include version): Ubuntu 22.04.4

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.10.0

Hi @ndeubert, and welcome to the LE community forum :slight_smile:

As with all things Apache, I like to start with the output of:
sudo apachectl -t -D DUMP_VHOSTS

2 Likes

This is problematic. As that Namecheap URL forward service uses an HTML <frameset> to mask the destination URL, you are effectively not in control of the domain name and thus cannot get a certificate for that domain. Only DNS level (NS/CNAME RR) or HTTP level (Location header) redirects are possible.

Why are you using this Namecheap URL forward/masked domain name service to begin with? Why not simply point the domain name to your IP address directly?

Also, that Namecheap URL forwarder does not respond on HTTPS port 443, so even if you managed to somehow get a certificate, it wouldn't help at all. I'm puzzled why that Namecheap URL forwarder still even exists today.

2 Likes

@rg305

VirtualHost configuration:
*:80                   nick.com (/etc/apache2/sites-enabled/nick.com.conf:1)
*:443                  nick.com (/etc/apache2/sites-enabled/nick.com.conf:12)
*:446                  wendy.com (/etc/apache2/sites-enabled/wendy.com.conf:1)

@Osiris maybe I am misunderstanding something, but I already have my first domain name pointed at my server/ip (both websites are on the same server), so I didn't think there was a way to point the second domain name to the same server but a different port. If the issue is with Namecheap, is there a different URL forwarding service you recommend that will allow me to do this? Thank you.

Where is Wendy's HTTP vhost config file?

2 Likes

@rg305

~$ cat /etc/apache2/sites-available/wendy.com.conf
<VirtualHost *:446>
        ServerAdmin webmaster@localhost
        ServerName wendy.com
        DocumentRoot /home/www/htdocs/wendy
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        # Directory path matches the DocumentRoot above (it previously pointed
        # at /home/www/wendy, so this block never applied to the served files).
        <Directory /home/www/htdocs/wendy>
                Options FollowSymLinks
                AllowOverride None
                # Apache 2.4 access syntax (replaces Order allow,deny / allow from all)
                Require all granted
                HeaderName /header.php
                IndexOptions SuppressHTMLPreamble FancyIndexing
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Why run it on a different port to begin with?

For HTTP the browser sends the hostname in the Host header, so the webservers can serve multiple websites (for different domain names) on the same IP address and the same port. This is called a "virtual host".

For HTTPS the Host header would be problematic, because it would be encrypted and to be encrypted, a certificate needs to be chosen first. Luckily the TLS protocol (or SSL if you prefer the older name) has the Server Name Indication (SNI) extension which adds the hostname to the first TLS packet. So the webserver can choose the certificate based on that SNI hostname thus breaking the earlier mentioned "catch 22".

Only very ancient web browsers don't support SNI. Nowadays it's assumed to be supported.

So I'm having trouble understanding why you would require a separate port.

I would not recommend ANY URL forwarding service. That's something of 1990 when I was growing up. It should have died a painful death years ago. It does not serve any practical purpose any longer.

3 Likes

I must agree.
There is no need to separate similar vhosts by port.

I'd change the :446 to :80 and go from there.

2 Likes
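An added example (not from the thread or from any of its posters) of what the two posts above describe: both domains as name-based virtual hosts on the standard port, with an HTTP-level (Location header) redirect as the alternative to the frameset mask. It assumes both domain names have A records pointing at this server and that the DocumentRoots shown exist; certbot --apache will then add the matching *:443 blocks, selected by SNI.

```apache
# Added example, not the poster's config. Both sites share one IP and one
# port; Apache picks the block from the Host header (and on :443 from the
# TLS SNI hostname), so no custom port such as 446 is needed.

<VirtualHost *:80>
    ServerName nickdeubert.com
    ServerAlias www.nickdeubert.com
    DocumentRoot /home/www/htdocs/nick        # assumed path
    # certbot --apache creates and manages the *:443 twin of this block.
</VirtualHost>

<VirtualHost *:80>
    ServerName wendydeubert.com
    ServerAlias www.wendydeubert.com
    DocumentRoot /home/www/htdocs/wendy
    <Directory /home/www/htdocs/wendy>
        Options FollowSymLinks
        AllowOverride None
        Require all granted                   # Apache 2.4 access syntax
    </Directory>

    # Optional: if wendydeubert.com should land on nickdeubert.com/wendy/,
    # do it with a real HTTP redirect (Location header) instead of a
    # registrar frameset. The ACME challenge path stays served locally so
    # HTTP-01 validation for wendydeubert.com still succeeds.
    # RedirectMatch permanent "^/(?!\.well-known/acme-challenge/)(.*)$" "https://nickdeubert.com/wendy/$1"

    ErrorLog ${APACHE_LOG_DIR}/wendy-error.log
    CustomLog ${APACHE_LOG_DIR}/wendy-access.log combined
</VirtualHost>
```

After enabling the site, `sudo apachectl -t -D DUMP_VHOSTS` should list both names under *:80, and `sudo certbot --apache` can then be run for wendydeubert.com.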

I don't require a different port for any reason. I realize now I just don't have my virtual host setup correctly then. Let me try and correct that. Thank you.

4 Likes