SSL not working with www or ServerAlias

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: zerokatta.in

I ran this command: certbot & certbot --apache -d www.zerokatta.in -d zerokatta.in

It produced this output:
Before adding www as a record in Route 53 (Command - certbot)

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): tech@zerokaata.com


Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?


(Y)es/(N)o: Y


Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.


(Y)es/(N)o: Y
Account registered.

Which names would you like to activate HTTPS for?


1: zerokatta.in
2: www.zerokatta.in


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for zerokatta.in and www.zerokatta.in
Performing the following challenges:
http-01 challenge for www.zerokatta.in
http-01 challenge for zerokatta.in
Waiting for verification...
Challenge failed for domain www.zerokatta.in
http-01 challenge for www.zerokatta.in
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.zerokatta.in
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up A for www.zerokatta.in -
    check that a DNS record exists for this domain; DNS problem:
    NXDOMAIN looking up AAAA for www.zerokatta.in - check that a DNS
    record exists for this domain

After adding www as a record in Route 53 (Command - certbot)

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: zerokatta.in
2: www.zerokatta.in


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for zerokatta.in and www.zerokatta.in
Performing the following challenges:
http-01 challenge for www.zerokatta.in
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/zerokatta.in-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/zerokatta.in-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/zerokatta.in-le-ssl.conf
Redirecting vhost in /etc/httpd/conf.d/zerokatta.in.conf to ssl vhost in /etc/httpd/conf.d/zerokatta.in-le-ssl.conf


Congratulations! You have successfully enabled https://zerokatta.in and
https://www.zerokatta.in


Subscribe to the EFF mailing list (email: tech@zerokaata.com).
We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/zerokatta.in/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/zerokatta.in/privkey.pem
    Your certificate will expire on 2022-08-10. To obtain a new or
    tweaked version of this certificate in the future, simply run
    certbot again with the "certonly" option. To non-interactively
    renew all of your certificates, run "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

Tried again with this Command - (certbot --apache -d www.zerokatta.in -d zerokatta.in)

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/zerokatta.in.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for www.zerokatta.in and zerokatta.in
Deploying Certificate to VirtualHost /etc/httpd/conf.d/zerokatta.in-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/zerokatta.in-le-ssl.conf
Enhancement redirect was already set.
Enhancement redirect was already set.


Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://www.zerokatta.in and
https://zerokatta.in


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/zerokatta.in/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/zerokatta.in/privkey.pem
    Your certificate will expire on 2022-08-10. To obtain a new or
    tweaked version of this certificate in the future, simply run
    certbot again with the "certonly" option. To non-interactively
    renew all of your certificates, run "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

My web server is (include version): Server version: Apache/2.4.53 () Server built: Apr 12 2022 12:00:44

The operating system my web server runs on is (include version): Amazon Linux 2

My hosting provider, if applicable, is: AWS EC2

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

I had ran the following command to install certbot -
amazon-linux-extras install epel -y
yum-config-manager --enable epel*
yum install mod_ssl -y
systemctl restart httpd
yum install certbot-apache -y
certbot

Following is the host file - /etc/httpd/conf.d/zerokatta.in.conf
Before -
<VirtualHost *:80>
ServerName zerokatta.in
ServerAlias www.zerokatta.in
DocumentRoot /var/www/html/

After installing SSL -
<VirtualHost *:80>
ServerName zerokatta.in
ServerAlias www.zerokatta.in
DocumentRoot /var/www/html/
RewriteEngine on
RewriteCond %{SERVER_NAME} =zerokatta.in [OR]
RewriteCond %{SERVER_NAME} =www.zerokatta.in
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

My issue is SSL is working fine without www - https://zerokatta.in/ but showing error in www subdomain - https://www.zerokatta.in/

You can check here too -
With www - https://www.whynopadlock.com/results/eba26615-3313-44c6-9365-1561a361b125
Without www - https://www.whynopadlock.com/results/8124cbb8-78a7-4008-8a04-2e04460a021a

Let's see what mischief Apache has gotten into, with:
apachectl -t -D DUMP_VHOSTS

2 Likes

Thank you so much for the response @rg305.

As I had applied for a lot of certificates and the limit was reached so I had to change the domain to zerokatta.com from zerokatta.in

So, I would like to update a few things here

My domain is: zerokatta.com
I ran this command: certbot
It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: zerokatta.com
2: www.zerokatta.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for zerokatta.com and www.zerokatta.com
Performing the following challenges:
http-01 challenge for www.zerokatta.com
http-01 challenge for zerokatta.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/zerokatta.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/zerokatta.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/zerokatta.com-le-ssl.conf
Redirecting vhost in /etc/httpd/conf.d/zerokatta.com.conf to ssl vhost in /etc/httpd/conf.d/zerokatta.com-le-ssl.conf


Congratulations! You have successfully enabled https://zerokatta.com and
https://www.zerokatta.com


Subscribe to the EFF mailing list (email: tech@zerokaata.com).
We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/zerokatta.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/zerokatta.com/privkey.pem
    Your certificate will expire on 2022-08-11. To obtain a new or
    tweaked version of this certificate in the future, simply run
    certbot again with the "certonly" option. To non-interactively
    renew all of your certificates, run "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

Following is the host file - /etc/httpd/conf.d/zerokatta.com.conf
Before -

<VirtualHost *:80>
ServerName "www.zerokatta.com"
ServerAlias "zerokatta.com"
DocumentRoot "/var/www/html"
</VirtualHost>

After installing SSL -

<VirtualHost *:80>
ServerName "www.zerokatta.com"
ServerAlias "zerokatta.com"
DocumentRoot "/var/www/html"
RewriteEngine on
RewriteCond %{SERVER_NAME} =zerokatta.com [OR]
RewriteCond %{SERVER_NAME} =www.zerokatta.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

I am not sure how, but the SSL was working fine for the domain https://zerokatta.com/ till yesterday and it is not working today.

However, the issue with https://www.zerokatta.com/ is the same.

Screenshot 2022-05-14 at 1.33.31 PM

It is showing the following error and the issuer is the FQDN

The output for - apachectl -t -D DUMP_VHOSTS

AH00526: Syntax error on line 7 of /etc/httpd/conf.d/zerokatta.com-le-ssl.conf:

SSLCertificateFile: file '/etc/letsencrypt/live/www.zerokatta.com/fullchain.pem' does not exist or is empty

and the output for - sudo apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server www.zerokatta.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost www.zerokatta.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost www.zerokatta.com (/etc/httpd/conf.d/zerokatta.com-le-ssl.conf:2)
                 alias zerokatta.com
*:80                   www.zerokatta.com (/etc/httpd/conf.d/zerokatta.com.conf:1)

This is the contents of the file - zerokatta.com-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName "www.zerokatta.com"
ServerAlias "zerokatta.com"
DocumentRoot "/var/www/html"
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.zerokatta.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.zerokatta.com/privkey.pem
</VirtualHost>
</IfModule>

and following are the contents of /etc/letsencrypt/live/www.zerokatta.com/fullchain.pem

-----BEGIN CERTIFICATE-----
MIIFJzCCBA+gAwIBAgISA5wBEgsbHMJYn8BOoRwWrURRMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMjA1MTMxMjI0MjJaFw0yMjA4MTExMjI0MjFaMBwxGjAYBgNVBAMT
EXd3dy56ZXJva2F0dGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAzrJijdH0vbdt2e50QjXrBN1KUFie+BpUVKxrC8y6i+7NJQwGOusuX+x0kjO9
1nY0SNLA0H0vctKrMK4jTC6U9TRz/2060j7TiAvJEpatgSKZuVg2m4O2kEuPxfnJ
oRKMwSvYv7l7RnHVXKhlD5eloOChUnLspVnbBW2lB1NUdT7hKYt1XAuLz2aJIvzj
AipVurnm4c/pMrJEFeop3zk9jiktViOi4fYHtKHewoiTtcDR/G3b86GvUlFr/N1/
Dbh9EzJOU1UmS15EacVhhAf1QqbPLkNSiKpPE9A1i+i4DpdapfT8g1xknbnUr3nk
9z2WyHRcTEVjBrSTThSVeO07CwIDAQABo4ICSzCCAkcwDgYDVR0PAQH/BAQDAgWg
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0G
A1UdDgQWBBQolgkfVnPI508eq2B+yapFRjKx9TAfBgNVHSMEGDAWgBQULrMXt1hW
y65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6
Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iu
b3JnLzAcBgNVHREEFTATghF3d3cuemVyb2thdHRhLmNvbTBMBgNVHSAERTBDMAgG
BmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3Bz
LmxldHNlbmNyeXB0Lm9yZzCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB2AN+lXqto
gk8fbK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAABgL2XemEAAAQDAEcwRQIhAOv5
VMioy6UocIEMAv2Ks5MtWibAqmMocXVb52GR4WIFAiB2F00k+4CNCORJpUOCukNv
+cZiGyhTQTioiFnNcdBp5gB1ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4+U1dJlwl
XceEAAABgL2XelQAAAQDAEYwRAIgLB/CXxcyriL9BR4602CAXNC2NSvBCR8i8UwU
4RKRGOoCIDEJf3uDnCy49dnzYIUX5APUSHpWhzrM957qxDWwhrILMA0GCSqGSIb3
DQEBCwUAA4IBAQBcQkzN3i/YD74htLpHUlLDwzR2U3D+52k69l545CT3choKv9qE
S+OQWWV5M4RtQC4RLrlRvc9P2zmHsmJ6VZvnCNVdeOpOOQ6ufSKMCMR6qIGM/KXh
AY7ATLID89q2AlCugkYS010AgYShkbHbHp7M/cvu8XM0pEWyKvMX1hfsecWmCZ91
XBKFpJg4u/68MvFNPRzcSeulVpFA6LFM+ZRjRmZLIWXG7kwt+AKMEPXCVdeI6mup
r6QDBrYa+uk+5ezuSssG19tWYZsRRWrklwpgk7eSWoFf9s9FLG9p53TK6pro9U0u
BfYfYEDR5BLuL4uSr8cx/kVSW9Pc9YvDEDge
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----

I tried something

If I change the ServerName (in this file /etc/httpd/conf/httpd.conf) from www.zerokatta.com to zerokatta.com the www domain with HTTPS (https://www.zerokatta.com/) works and the non www domain with the https (https://zerokatta.com/) doesn't work and shows the same error which it was showing for www domain (https://www.zerokatta.com/)

Also when I change ServerName in httpd.conf the output for sudo apachectl -t -D DUMP_VHOSTS changes to

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server zerokatta.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost zerokatta.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost www.zerokatta.com (/etc/httpd/conf.d/zerokatta.com-le-ssl.conf:2)
                 alias zerokatta.com
*:80                   www.zerokatta.com (/etc/httpd/conf.d/zerokatta.com.conf:1)

There is an name:port overlap.
The same name is being used by two different config files.
Without seeing the files, I would guess that the simplest solution is to change the name use in the file:
/etc/httpd/conf.d/ssl.conf
to something that would never be used by you.
Like:
ServerName localserver
Some might suggest to simply remove the file, but sometimes there might exist settings within it that are needed.

Then restart the web server and you should be good to go.

3 Likes

Thank you for the response

Following are the content of /etc/httpd/conf.d/ssl.conf

#
# When we also provide SSL we have to listen to the 
# the HTTPS port in addition.
#
Listen 443 https

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism 
#   to use and second the expiring timeout (in seconds).
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the 
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block. So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names.  NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly. 
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName localserver

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv3

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

#   Speed-optimized SSL Cipher configuration:
#   If speed is your main concern (on busy HTTPS servers e.g.),
#   you might want to force clients to specific, performance
#   optimized ciphers. In this case, prepend those ciphers
#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
#   (as in the example below), most connections will no longer
#   have perfect forward secrecy - if the server's key is
#   compromised, captures of past or future traffic must be
#   considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on 

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context. 
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is send or allowed to received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is send and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly. 
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

If I uncomment the

ServerName localserver

and restart the server/apache the output for sudo apachectl -t -D DUMP_VHOSTS changes to the following

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server localserver (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost localserver (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost www.zerokatta.com (/etc/httpd/conf.d/zerokatta.com-le-ssl.conf:2)
                 alias zerokatta.com
*:80                   www.zerokatta.com (/etc/httpd/conf.d/zerokatta.com.conf:1)

I get a Certificate Common name invalid error. on https://zerokatta.com

Do you have any idea what caused this file to show up? Because two different config files I didn't create.

As I had installed using the following command in EC2

sudo wget -r --no-parent -A 'epel-release-*.rpm' https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
sudo yum-config-manager --enable epel*
sudo amazon-linux-extras install epel -y
sudo yum install mod_ssl -y
sudo systemctl restart httpd
sudo yum install -y certbot python2-certbot-apache
1 Like

A post was split to a new topic: SSL not working

I am not sure how but, the error got solved. I ran the following command

certbot --apache

and renewed the certificate it produced the following output

[root@localhost ~]# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: zerokatta.com
2: www.zerokatta.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/zerokatta.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for zerokatta.com and www.zerokatta.com
Deploying Certificate to VirtualHost /etc/httpd/conf.d/zerokatta.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/zerokatta.com-le-ssl.conf
Enhancement redirect was already set.
Enhancement redirect was already set.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://zerokatta.com and
https://www.zerokatta.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/zerokatta.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/zerokatta.com/privkey.pem
   Your certificate will expire on 2022-08-14. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

I would update if I find anything, as it might help someone with the same issue.

In this file:

Uncomment this line:

Then restart the web server.

1 Like

Please show:
certbot certificates

2 Likes

I am really sorry, that was on a test server and the all domains used to get some traffic so I couldn't keep it for long, but I tested again with another domain and your solution was correct.

The catch here is if you haven't installed the certificates and change the ServerName in the file /etc/httpd/conf.d/ssl.conf beforehand then you won't face any issue, else you would have to renew the certificate.

Thank you so much for the help @rg305, Means a lot.

1 Like