SSL Sub Domain?

Hello,

I have set up the SSL certificate for apache2 with Let's Encrypt using Certbot. It works with my main domain. Does it automatically include subdomains too? Like “https://forum.xxxxx.de”? Or do I have to set up the DNS for the domain? Because I set it up for “xxxx.de” and not for “forum.xxxx.de”…

Can someone help me maybe? I added an “A” record for “forum.xxxx.de”.

No.

You need to obtain validation for every domain / subdomain you require.

Exactly how you do this depends on what you want to achieve. Do you want a single certificate for xxxx.de and forum.xxxx.de? Or do you want separate certificates, one for xxxx.de and another for forum.xxxx.de?

I just did this: “certbot --apache -d forum.xxxx.de” and it worked. The only thing now: this forum is from WoltLab. When I go to “https://forum.xxx.de” it's not green:

BUT when I go to the Admin Panel of WoltLab, it's green somehow… I don't know why.

What's the problem? The Admin Panel path is: “https://forum.xxx.de/acp/”

Why is it green in ACP but not in the main forum?

It's not green because you load images etc. via http, which isn't secure.

See https://www.whynopadlock.com/

Insecure URL: http://fs5.directupload.net/images/160226/le9cvo28.jpg
Found in: https://forum.wintex-sports.de/wcf/style/style-6.css?m=1471941639

Insecure URL: http://fs5.directupload.net/images/160724/8id9pgxh.jpg
Found in: https://forum.wintex-sports.de/wcf/style/style-6.css?m=1471941639

Insecure URL: http://www.hdwallpapers.in/walls/tom_clancys_the_division-wide.jpg
Found in: https://forum.wintex-sports.de/wcf/style/style-6.css?m=1471941639

Insecure URL: http://fs5.directupload.net/images/160724/pvrpeuvd.jpg
Found in: https://forum.wintex-sports.de/wcf/style/style-6.css?m=1471941639

Insecure URL: http://fs5.directupload.net/images/160724/6g5fg4sv.jpg
Found in: https://forum.wintex-sports.de/wcf/style/style-6.css?m=1471941639
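The report above pairs each insecure URL with the https resource it was found in. The following scanner reproduces that check offline; it is an added example, not the forum poster's code and not the whynopadlock.com tool. The stylesheet and HTML snippets are constructed for the demo (the hostnames forum.example.de, cdn.example.de and cdn.example.net are placeholders), and it flags only references that the browser would actually fetch as subresources, so a plain http link in an `<a href>` is correctly left alone.

```python
"""Mixed-content scanner (added example, not code from the thread or from WoltLab).

For a page or stylesheet served over https, report every subresource reference
that would be fetched over plain http, in the same "Insecure URL / Found in"
shape the whynopadlock report above uses.
"""
import re
from urllib.parse import urljoin, urlparse

# Constructed sample stylesheet: served over https but pulling images over http,
# like the style-6.css findings quoted above. The scheme-relative URL is fine.
SAMPLE_CSS = """
body   { background: url(http://fs5.directupload.net/images/160226/le9cvo28.jpg); }
.header{ background-image: url("https://forum.example.de/wcf/images/logo.png"); }
.user  { background: url('//cdn.example.de/avatar.png'); }
.sig   { background: url(http://www.hdwallpapers.in/walls/tom_clancys_the_division-wide.jpg); }
"""

# Constructed sample HTML: one http image, one http script, one relative image,
# and an ordinary link (links are navigations, not mixed content).
SAMPLE_HTML = """
<link rel="stylesheet" href="/wcf/style/style-6.css?m=1471941639">
<img src="http://fs5.directupload.net/images/160724/8id9pgxh.jpg">
<img src="/bilder/banner.jpg">
<script src="http://cdn.example.net/app.js"></script>
<a href="http://example.org/">links are not mixed content</a>
"""

# url(...) in CSS, with or without quotes.
CSS_URL_RE = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""", re.I)
# src=/href= only on elements that load subresources; <a href> is deliberately excluded.
HTML_SRC_RE = re.compile(
    r"""<(?:img|script|iframe|video|audio|source|link)\b[^>]*?\b(?:src|href)\s*=\s*['"]([^'"]+)['"]""",
    re.I,
)


def find_mixed_content(base_url: str, body: str, kind: str) -> list:
    """Return [{"insecure_url": ..., "found_in": base_url}, ...] for every reference in
    `body` (kind "css" or "html") that resolves to an http:// URL relative to `base_url`."""
    pattern = CSS_URL_RE if kind == "css" else HTML_SRC_RE
    findings = []
    for match in pattern.finditer(body):
        ref = match.group(1).strip()
        if ref.startswith("data:"):
            continue  # inline data is not fetched over the network
        absolute = urljoin(base_url, ref)  # resolves relative and scheme-relative refs
        if urlparse(absolute).scheme == "http":
            findings.append({"insecure_url": absolute, "found_in": base_url})
    return findings


def report(findings) -> str:
    """Format findings the way the whynopadlock output above reads."""
    return "\n\n".join(f"Insecure URL: {f['insecure_url']}\nFound in: {f['found_in']}" for f in findings)


if __name__ == "__main__":
    css_base = "https://forum.example.de/wcf/style/style-6.css?m=1471941639"
    print(report(find_mixed_content(css_base, SAMPLE_CSS, "css")))
    print()
    print(report(find_mixed_content("https://forum.example.de/", SAMPLE_HTML, "html")))
```

In practice you would run the two functions over the fetched HTML and every stylesheet it links, since a stylesheet's url() references are resolved against the stylesheet's own URL, not the page's.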

Ah yes, I see this. I uploaded it now to “https://wintex-sports.de/bilder/” but when you go to this URL, it's insecure? I don't get it…

Do I have to do this step again?

“certbot --apache -d wintex-sports.de/bilder”?

Your certificate is fine (you do not need to renew it).

In the code on your page, in your style sheets, you include images which are loaded over http, not https.

If your page includes images (or other content) loaded over http, this is considered insecure, hence you do not get a green lock. You need to change your code to include the images over https, not http.

Ah okay. Thanks then. But why is this insecure then? “https://wintex-sports.de/bilder/”

https://wintex-sports.de/bilder/ is “insecure” because you are using the certificate for “forum.wintex-sports.de”, hence the certificate does not match the domain name and is therefore not valid / secure.

This goes back to my initial comment “Do you want a single certificate for xxxx.de and forum.xxxx.de ? or do you want separate certificates, one for xxxx.de and another for forum.xxxx.de ?” since the names need to match.

I want it for all and the domain. So if I create a folder called “https://wintex-sports.de/download” it also should say it's secure.

I added an A record to “wintex-sports.de” and also with the same IP to “forum.wintex-sports.de”. If you go to “wintex-sports.de” you will get redirected to “forum.wintex-sports.de”.

OK, you need to obtain a single certificate for wintex-sports.de and forum.wintex-sports.de then. Once you have done that, everything should work correctly (as long as you load all images etc. using https, not http).
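The two points made in the last few replies, that the certificate is matched against the host name only (so "/bilder" and "/download" play no part) and that a certificate issued for forum.wintex-sports.de does not cover wintex-sports.de until the second name is added, can be checked with a small host-name matcher. This is an added example in Python, not certbot's or Apache's own matching code; the certificate name lists are constructed to mirror the thread (one with only the forum host, one with both names, one with a wildcard), and the matching rules are the usual browser rules: case-insensitive, wildcard only as the whole leftmost label, covering exactly one label.

```python
"""Host-name vs. certificate-name matching (added example; not certbot's or Apache's code).

A browser takes the host from the URL and looks for it among the certificate's
Subject Alternative Names. Paths are never consulted, and "forum.x.de" does not
cover "x.de". Name lists below are constructed for the demo.
"""
from urllib.parse import urlsplit

# Certificate as first issued in the thread: only the forum host name.
FORUM_ONLY = ["forum.wintex-sports.de"]
# Certificate after `certbot --expand` (or one certbot run with both -d flags).
EXPANDED = ["wintex-sports.de", "forum.wintex-sports.de"]


def host_for_url(url: str) -> str:
    """The part of the URL that is compared against the certificate: the host only."""
    return urlsplit(url).hostname


def hostname_matches(cert_names, hostname: str) -> bool:
    """True if `hostname` is covered by one of `cert_names` (the SAN dNSName entries).

    Rules applied (the common browser behaviour per RFC 6125 section 6.4.3):
    case-insensitive comparison; a wildcard is accepted only when it is the whole
    leftmost label of a name with at least three labels, and it stands for exactly
    one label, so "*.x.de" matches "forum.x.de" but neither "x.de" nor "a.b.x.de".
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue  # a wildcard never absorbs more or fewer than one label
        if "*" in name:
            if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
                continue  # partial ("f*.x.de"), non-leftmost, or too-short wildcard names are rejected
        if all(p == "*" or p == h for p, h in zip(labels, host)):
            return True
    return False


def check_urls(cert_names, urls):
    """Map each URL to whether the given certificate would be accepted for it."""
    return {u: hostname_matches(cert_names, host_for_url(u)) for u in urls}


if __name__ == "__main__":
    urls = ["https://forum.wintex-sports.de/acp/",
            "https://wintex-sports.de/bilder/",
            "https://wintex-sports.de/download"]
    print("forum-only certificate:", check_urls(FORUM_ONLY, urls))
    print("expanded certificate:  ", check_urls(EXPANDED, urls))
```

The second print line shows why a single certificate listing both names is the fix: once both are present in the SAN list, every path under either host is covered without further certificate work.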

And how do I do this?

“certbot --apache -d wintex-sports.de -d forum.wintex-sports.de”

Like this?

Yes, if you were starting from scratch.

As you already have a certificate (did you just get the one? Or did you also create one for the main domain?), I would suggest using the --expand option to include the additional domain name.

First, I did this: “certbot --apache”, then I typed in my domain at the installer prompt. Then I did this:

“certbot --apache -d forum.wintex-sports.de”

I personally don't use certbot; perhaps @pfg or someone can help out more fully from the position you are at now.

Well, I think I have 2 certificates now.

But only one is active, I think. I want it for both… forum.wintex-sports.de and wintex-sports.de

Do you know how to do it?

Well, thanks anyway! I used --expand and it works now! Thank you so much for your help :)

The only thing is now, the https://www.whynopadlock.com/ site says all is fine but the lock is still not green ;(

https://forum.wintex-sports.de is green for me.

I'd guess the difference is probably that you are logged in, and there are some images or something visible once logged in which are not loaded via https.

Ah I see… I found the images… Well, it's different for everyone then… Because if you use a signature without https, it will not be a green lock… Because every user uses different links in their signature… :confused:

With forums you have to either accept that mixed content is inevitable or block insecure images. You could do this by setting a CSP with the upgrade-insecure-requests and block-all-mixed-content directives set, but consider the inconvenience to users.
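To see what the two directives named above actually do to user-supplied signature images, here is a small model of the browser behaviour, as an added example (it is not WoltLab's code, nor Apache's, nor a browser's). It applies the rules the CSP specifications describe: `upgrade-insecure-requests` rewrites an http: image URL to https: before the mixed-content check, `block-all-mixed-content` refuses the http: fetch, and when both are set the upgrade runs first, so the block directive never sees an http: request. The image URLs and policies are constructed for the demo; the Apache line in the comment uses the real mod_headers `Header` directive.

```python
"""Effect of upgrade-insecure-requests / block-all-mixed-content on image loads
(added example; not WoltLab's, Apache's or any browser's code).

For an https page, each image URL is classified as:
  load    - already https, fetched normally
  mixed   - http image fetched with a mixed-content warning (no green lock)
  upgrade - http URL rewritten to https by upgrade-insecure-requests
  block   - http fetch refused by block-all-mixed-content
The sample URLs and policies below are constructed.
"""
from urllib.parse import urlsplit, urlunsplit

# The policy would be sent by the web server, e.g. with Apache mod_headers:
#   Header always set Content-Security-Policy "upgrade-insecure-requests"
POLICY_NONE = ""
POLICY_BLOCK = "block-all-mixed-content"
POLICY_UPGRADE = "upgrade-insecure-requests"
POLICY_BOTH = "default-src 'self'; upgrade-insecure-requests; block-all-mixed-content"

# Constructed user signatures: one hotlinked over http, one on the site itself.
SIGNATURE_IMAGES = [
    "http://fs5.directupload.net/images/160724/pvrpeuvd.jpg",
    "https://wintex-sports.de/bilder/banner.jpg",
]


def parse_csp(header_value: str) -> set:
    """Directive names present in a Content-Security-Policy header (values ignored here)."""
    return {d.strip().split()[0].lower() for d in header_value.split(";") if d.strip()}


def apply_policy(header_value: str, image_urls) -> list:
    """Return [(url_as_fetched, action), ...] for an https page carrying this policy."""
    directives = parse_csp(header_value)
    result = []
    for url in image_urls:
        parts = urlsplit(url)
        if parts.scheme != "http":
            result.append((url, "load"))
        elif "upgrade-insecure-requests" in directives:
            # Upgrade happens before the mixed-content check, so it wins over block-all-mixed-content.
            result.append((urlunsplit(parts._replace(scheme="https")), "upgrade"))
        elif "block-all-mixed-content" in directives:
            result.append((url, "block"))
        else:
            result.append((url, "mixed"))
    return result


def has_green_lock(actions) -> bool:
    """The padlock stays green only if nothing was fetched over plain http."""
    return all(action != "mixed" for _, action in actions)


if __name__ == "__main__":
    for name, policy in [("none", POLICY_NONE), ("block", POLICY_BLOCK),
                         ("upgrade", POLICY_UPGRADE), ("both", POLICY_BOTH)]:
        outcome = apply_policy(policy, SIGNATURE_IMAGES)
        print(f"{name:8s} green={has_green_lock(outcome)} {outcome}")
```

The user-inconvenience trade-off is visible in the "upgrade" rows: the upgraded fetch only succeeds if the hotlinking host actually serves the image over https, otherwise the signature image simply fails to load, which is the same end result as blocking it.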