SSL not working with "www" prefix


#1

My website is working for “jasonmirra.com” but is not working for “www.jasonmirra.com” even though the certificate I’m using specified both domains. What am I doing wrong?

My domain is: jasonmirra.com AND www.jasonmirra.com

I ran this command: sudo certbot certonly --standalone -d jasonmirra.com -d www.jasonmirra.com

It produced this output:

Do you want to expand and replace this existing certificate with the new
certificate?

(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for jasonmirra.com
http-01 challenge for www.jasonmirra.com
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/jasonmirra.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/jasonmirra.com/privkey.pem
    Your cert will expire on 2018-09-16. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

My web server is (include version): Custom java webserver

The operating system my web server runs on is (include version): Ubuntu 16.04.4 LTS

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi mirraj2

The tls-sni-01 challenge is outdated, so use the http-01 challenge with both domains.

https://crt.sh/?id=535280948

shows both names.

X509v3 Subject Alternative Name:
DNS:jasonmirra.com
DNS:www.jasonmirra.com

So it looks like a local problem.


#3

PS: I can’t open one of your pages

http://jasonmirra.com/
https://jasonmirra.com/
http://www.jasonmirra.com/
https://www.jasonmirra.com/

4 * “no connection”.


#4

Does your Java webserver directly use /etc/letsencrypt/live/jasonmirra.com/fullchain.pem in its configuration, or did you have another step to import that PEM certificate into a JKS file or another kind of certificate representation that the webserver uses? In the latter case, you’ll have to repeat that import step every time your certificate or private key changes.


#5

Ah, I think schoen figured it out. I forgot to re-import into the JKS file. I’ll try that when I get to my laptop and update this thread. Thanks


#6

It’s working now, thanks! I had to re-create the JKS file after expanding the certificate - silly me

Cheers


#7

You may want to look at automating this process (for example with Certbot’s --deploy-hook feature) because the JKS file will also need to be recreated every time the certificate is renewed, even if the domain name coverage doesn’t change. Let’s Encrypt certificates are only valid for 90 days, so renewal is a frequent occurrence!
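
One way to write the deploy hook suggested in the reply above, as an added example that is not from the thread or from Certbot. The keystore path, alias and password file are assumptions, since the thread does not describe the custom Java server's configuration.

```shell
#!/bin/sh
# Added example: Certbot deploy hook that rebuilds the Java keystore.
# Certbot exports RENEWED_LINEAGE (the live/ directory of the renewed cert)
# and RENEWED_DOMAINS (space-separated names) to deploy hooks.
KEYSTORE="${KEYSTORE:-/opt/webserver/keystore.jks}"     # assumed path
ALIAS="${ALIAS:-webserver}"                             # assumed key alias
PASS_FILE="${PASS_FILE:-/etc/webserver/keystore.pass}"  # assumed, root-only 0600

# Succeed only if every name in $2.. appears in the space-separated list $1.
covers_names() {
    have=" $1 "; shift
    for name in "$@"; do
        case "$have" in
            *" $name "*) ;;
            *) echo "certificate does not cover $name" >&2; return 1 ;;
        esac
    done
}

# Convert the PEM files in lineage dir $1 to PKCS#12, import that into a new
# JKS file, and rename it over $2 only if both steps succeeded.
rebuild_keystore() {
    lineage=$1; dest=$2
    tmp=$(mktemp -d "$(dirname "$dest")/.ks.XXXXXX") || return 1
    (
        umask 077   # the intermediate files hold the private key
        openssl pkcs12 -export -name "$ALIAS" \
            -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
            -out "$tmp/cert.p12" -passout "file:$PASS_FILE" &&
        keytool -importkeystore -noprompt \
            -srckeystore "$tmp/cert.p12" -srcstoretype PKCS12 \
            -srcstorepass:file "$PASS_FILE" \
            -destkeystore "$tmp/new.jks" -deststoretype JKS \
            -deststorepass:file "$PASS_FILE" &&
        mv -f "$tmp/new.jks" "$dest"
    )
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Run only when Certbot invoked us; refuse to deploy a cert missing a name.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    covers_names "${RENEWED_DOMAINS:-}" jasonmirra.com www.jasonmirra.com &&
        rebuild_keystore "$RENEWED_LINEAGE" "$KEYSTORE" || exit 1
    # Restart or reload the Java server here so it loads the new keystore.
fi
```

Pass the script with --deploy-hook, or place it in /etc/letsencrypt/renewal-hooks/deploy/ so that certbot renew runs it after each successful renewal.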

