SSL Sub Domain?


#1

Hello,

I have set up the SSL certificate for apache2 with Let's Encrypt using Certbot. It works with my main domain. Does it automatically include subdomains too? Like “https://forum.xxxxx.de”? Or do I have to set up the DNS for the domain? Because I set it up for “xxxx.de” and not for “forum.xxxx.de”…

Can someone help me maybe? I added an “A” Record for “forum.xxxx.de”.


#2

No.

You need to obtain validation for every domain / subdomain you require.

Exactly how you do this depends on what you want to achieve. Do you want a single certificate for xxxx.de and forum.xxxx.de? Or do you want separate certificates, one for xxxx.de and another for forum.xxxx.de?


#3

I just did this: “certbot --apache -d forum.xxxx.de” and it worked. The only thing now is this: the forum is from WoltLab. When I go to “https://forum.xxx.de” it's not green:

BUT when I go to the Admin Panel of WoltLab, it's green somehow… I don't know why.

What's the problem? The Admin Panel path is: “https://forum.xxx.de/acp/”

Why is it green in ACP but not in the main forum?


#4

It’s not green because you load images etc via http - which isn’t secure.

see https://www.whynopadlock.com/

Insecure URL: http://fs5.directupload.net/images/160226/le9cvo28.jpg
Found in: https://forum.wintex-sports.de/wcf/style/style-6.css?m=1471941639

Insecure URL: http://fs5.directupload.net/images/160724/8id9pgxh.jpg
Found in: https://forum.wintex-sports.de/wcf/style/style-6.css?m=1471941639

Insecure URL: http://www.hdwallpapers.in/walls/tom_clancys_the_division-wide.jpg
Found in: https://forum.wintex-sports.de/wcf/style/style-6.css?m=1471941639

Insecure URL: http://fs5.directupload.net/images/160724/pvrpeuvd.jpg
Found in: https://forum.wintex-sports.de/wcf/style/style-6.css?m=1471941639

Insecure URL: http://fs5.directupload.net/images/160724/6g5fg4sv.jpg
Found in: https://forum.wintex-sports.de/wcf/style/style-6.css?m=1471941639

#5

Ah yes, I see this. I uploaded it now to “https://wintex-sports.de/bilder/”, but when you go to this URL, it's insecure? I don't get it…

Do I have to do this step again?

“certbot --apache -d wintex-sports.de/bilder”?


#6

Your certificate is fine ( you do not need to renew it )

In the code on your page, in your style sheets, you include images which are loaded over http not https

If your page includes images ( or other content ) loaded over http, this is considered insecure - hence you do not get a green lock. You need to change your code to include the images over https, not http.


#7

Ah okay. Thanks then. But why is this insecure then? “https://wintex-sports.de/bilder/”


#8

https://wintex-sports.de/bilder/ is “insecure” because you are using the certificate for “forum.wintex-sports.de” hence the certificate does not match the domain name - and is therefore not valid / secure.

This goes back to my initial comment “Do you want a single certificate for xxxx.de and forum.xxxx.de ? or do you want separate certificates, one for xxxx.de and another for forum.xxxx.de ?” since the names need to match.
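The name-matching rule behind #8 (and behind the question in #9 about paths such as /download), as an added example written for this thread rather than code from certbot, Let's Encrypt or Apache. It applies the check browsers make against a certificate's Subject Alternative Names: the host name must equal one of the names, case-insensitively, or match a wildcard standing for exactly one whole leftmost label. Only the host part of a URL takes part, so a path never needs its own certificate. The SAN lists are constructed for the example; the host names are the thread's, and the "at least two labels after the wildcard" rule is a simplified stand-in for the public-suffix check real browsers perform.

```python
"""Does a certificate cover the name in the address bar?

Illustration written for this thread (not certbot, Let's Encrypt or Apache
code). The SAN lists are constructed; the host names are the thread's.
"""
from urllib.parse import urlsplit


def name_matches(san, hostname):
    """True if the SAN entry `san` covers `hostname` (RFC 6125 style)."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "*" in san:
        # A wildcard is accepted only as the entire leftmost label, so
        # "f*.wintex-sports.de" is rejected, and only with at least two
        # labels after it, so "*.de" is rejected. The two-label rule is a
        # simplification of the public-suffix check browsers do.
        if (san_labels[0] != "*" or len(san_labels) < 3
                or any("*" in label for label in san_labels[1:])):
            return False
    # A wildcard stands for exactly one label, so the label counts must
    # agree: *.wintex-sports.de covers forum.wintex-sports.de but neither
    # the bare wintex-sports.de nor a.b.wintex-sports.de.
    if len(san_labels) != len(host_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(san_labels, host_labels))


def cert_covers(sans, hostname):
    """True if any name in the certificate covers `hostname`."""
    return any(name_matches(s, hostname) for s in sans)


def url_covered(sans, url):
    """Check only the host of a full URL; path and query play no part."""
    host = urlsplit(url).hostname
    return host is not None and cert_covers(sans, host)


def uncovered_hosts(sans, urls):
    """Hosts among `urls` that would produce a name-mismatch warning."""
    return sorted({urlsplit(u).hostname for u in urls if not url_covered(sans, u)})


# Constructed SAN lists standing in for the certificates in the thread.
FORUM_ONLY = ["forum.wintex-sports.de"]                    # the #3 certificate
EXPANDED = ["wintex-sports.de", "forum.wintex-sports.de"]   # after --expand
WILDCARD = ["*.wintex-sports.de"]                           # for contrast only

if __name__ == "__main__":
    urls = ["https://forum.wintex-sports.de/acp/",
            "https://wintex-sports.de/bilder/",
            "https://wintex-sports.de/download"]
    for label, sans in (("forum only", FORUM_ONLY), ("expanded", EXPANDED),
                        ("wildcard", WILDCARD)):
        print(label, "-> mismatch on:", uncovered_hosts(sans, urls) or "nothing")
```

Run stand-alone, the forum-only certificate reports a mismatch on wintex-sports.de, the expanded one reports none, and the wildcard shows why *.wintex-sports.de would still not have helped for the bare domain.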


#9

I want it for all of them and the domain. So if I create a folder called “https://wintex-sports.de/download”, it should also say it's secure.

I added an A record for “wintex-sports.de” and also one with the same IP for “forum.wintex-sports.de”. If you go to “wintex-sports.de” you will get redirected to “forum.wintex-sports.de”.


#10

OK, you need to obtain a single certificate for wintex-sports.de and forum.wintex-sports.de then. Once you have done that, everything should work correctly ( as long as you load all images etc using https not http )


#11

And how do I do this?

“certbot --apache -d wintex-sports.de -d forum.wintex-sports.de”

Like this?


#12

Yes, if you were starting from scratch.

As you already have a certificate ( did you just get the one ? or did you also create one for the main domain ? ) I would suggest using the --expand option to include the additional domain name.


#13

First, I did this: “certbot --apache”, then I typed in my domain when the installer asked for it. Then I did this:

“certbot --apache -d forum.wintex-sports.de”


#14

I personally don’t use certbot - perhaps @pfg or someone can help out more fully from the position you are at now.


#15

Well, I think I have 2 certificates now.

But only one is active, I think. I want it for both… forum.wintex-sports.de and wintex-sports.de

Do you know how to do it?


#16

Well, thanks anyway! I used --expand and it works now! Thank you so much for your help 🙂


#17

The only thing now is that the https://www.whynopadlock.com/ site says all is fine, but the lock is still not green ;(


#18

https://forum.wintex-sports.de is green for me.

I’d guess the difference is probably that you are logged in, and there are some images or something once logged in which are not loaded via https.


#19

Ah, I see… I found the images… Well, it's different for everyone then… Because if you use a signature without https, it will not get a green lock… Because every user uses different links in their signature… 😕


#20

With forums you have to either accept that mixed content is inevitable or block insecure images. You could do this by setting a CSP with the upgrade-insecure-requests and block-all-mixed-content directives set, but consider the inconvenience to users.
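The check that produced the list in #4, together with what the two CSP directives named in #20 would do to each finding, as an added example written for this thread. It is not the whynopadlock.com tool and not WoltLab code. It reads HTML or CSS text served from an https page, lists every sub-resource that would be requested over plain http, and states the browser's handling under no policy, under upgrade-insecure-requests and under block-all-mixed-content. The stylesheet and the logged-in page with a user signature are constructed samples modelled on the thread's findings; the third-party hosts in the HTML sample are placeholders.

```python
"""Mixed-content scanner with a CSP what-if, written for this thread.

Not the whynopadlock.com tool and not WoltLab code; sample inputs below are
constructed for the example.
"""
import re
from urllib.parse import urljoin, urlsplit

# Sub-resource references only: a plain <a href> is a navigation, not mixed
# content, so just src= of embedding tags and href= of <link> are considered.
_HTML_SRC = re.compile(
    r'<(img|script|iframe|video|audio|source|embed)\b[^>]*?(?<!-)\bsrc\s*=\s*["\']([^"\']+)',
    re.I)
_HTML_LINK = re.compile(r'<(link)\b[^>]*?\bhref\s*=\s*["\']([^"\']+)', re.I)
_CSS_URL = re.compile(r'url\(\s*["\']?([^"\')\s]+)["\']?\s*\)', re.I)
_CSS_IMPORT = re.compile(r'@import\s+["\']([^"\']+)["\']', re.I)

# Images and media are "optionally blockable": loaded, but the padlock is
# lost. Scripts, frames, plugins and stylesheets are "blockable": refused.
_PASSIVE = {"img": "image", "video": "media", "audio": "media", "source": "media"}
_ACTIVE = {"script": "script", "iframe": "frame", "embed": "plugin", "link": "stylesheet"}


def _references(text, kind):
    """Yield (resource_type, raw_reference) pairs from HTML or CSS text."""
    if kind == "css":
        for m in _CSS_URL.finditer(text):
            yield "image", m.group(1)        # url() in CSS, treated as an image here
        for m in _CSS_IMPORT.finditer(text):
            yield "stylesheet", m.group(1)
    else:
        for pat in (_HTML_SRC, _HTML_LINK):
            for m in pat.finditer(text):
                tag = m.group(1).lower()
                yield _PASSIVE.get(tag) or _ACTIVE.get(tag), m.group(2)


def find_mixed_content(page_url, text, kind="html"):
    """Return [(resource_type, absolute_insecure_url)] for an https page.

    Relative and protocol-relative ("//host/x.png") references inherit the
    page's https scheme through urljoin, so only explicit http:// references
    come back, which is exactly what the browser treats as mixed content.
    """
    if urlsplit(page_url).scheme != "https":
        return []                            # an http page has no mixed content
    findings = []
    for rtype, ref in _references(text, kind):
        absolute = urljoin(page_url, ref.strip())
        if urlsplit(absolute).scheme == "http":
            findings.append((rtype, absolute))
    return findings


def browser_action(resource_type, insecure_url, policy=None):
    """What the browser does with one finding under the given CSP directive."""
    if policy == "upgrade-insecure-requests":
        # Rewritten before the request leaves the browser; the image host
        # must actually serve https or the resource fails to load.
        return "upgraded to https://" + insecure_url[len("http://"):]
    if policy == "block-all-mixed-content":
        return "blocked"
    if resource_type in _PASSIVE.values():
        return "loaded, padlock lost"         # optionally blockable content
    return "blocked"                          # blockable content, even with no policy


def report(page_url, text, kind="html", policy=None):
    return [(url, browser_action(rtype, url, policy))
            for rtype, url in find_mixed_content(page_url, text, kind)]


# Constructed stylesheet modelled on the #4 findings: one explicit http://
# background, one protocol-relative, one same-origin path.
SAMPLE_CSS_URL = "https://forum.wintex-sports.de/wcf/style/style-6.css"
SAMPLE_CSS = """
.pageHeader { background: url(http://fs5.directupload.net/images/160226/le9cvo28.jpg); }
.sidebar    { background-image: url("//fs5.directupload.net/images/160724/8id9pgxh.jpg"); }
.logo       { background: url('/images/logo.png'); }
"""

# Constructed logged-in page with a user signature (#19); hosts are placeholders.
SAMPLE_HTML_URL = "https://forum.wintex-sports.de/index.php?board/1/"
SAMPLE_HTML = """
<link rel="stylesheet" href="https://forum.wintex-sports.de/wcf/style/style-6.css">
<a href="http://example.net/">a plain link is not mixed content</a>
<img data-src="lazy.png" src="http://img.example.net/signature.png" alt="signature">
<script src="http://cdn.example.net/widget.js"></script>
"""

if __name__ == "__main__":
    for policy in (None, "upgrade-insecure-requests", "block-all-mixed-content"):
        print("policy:", policy)
        for url, action in report(SAMPLE_CSS_URL, SAMPLE_CSS, "css", policy):
            print("  ", url, "->", action)
        for url, action in report(SAMPLE_HTML_URL, SAMPLE_HTML, "html", policy):
            print("  ", url, "->", action)
```

The "no policy" column describes browsers of the thread's era; current Chrome versions upgrade or block http images on their own. In Apache the directive from #20 is normally sent with mod_headers, for example `Header always set Content-Security-Policy "upgrade-insecure-requests"`, which fixes the padlock only for image hosts that actually answer on https, so scanning first, as above, shows which signature images will simply disappear.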