Hello,
I have a setup the SSL Certificate for apache2 with Lets Encrypt using Certbot. It works with my main domain. Does it inclucde automaticly sub domains too? Like “https://forum.xxxxx.de”? Or do I have to setup the DNS from the Domain? Because I setup it for “xxxx.de” and not for “forum.xxxx.de”…
Can someone help me maybe? I added an “A” Record for “forum.xxxx.de”.
No.
You need to obtain validation for every domain / subdomain you require.
exactly how you do this depends on what you want to achieve. Do you want a single certificate for xxxx.de and forum.xxxx.de ? or do you want separate certificates, one for xxxx.de and another for forum.xxxx.de ?
I just did this: “certbot --apache -d forum.xxxx.de” and it worked. The only thing is now. This forum is from woltlab. When I go to “https://forum.xxx.de” its not green:
BUT when I go to the Admin Panel of Woltlab, its green somehow… Idk why.
Whats the problem? The Admin Panel path is: “https://forum.xxx.de/acp/”
Why is it green in ACP but not in the main forum?
It’s not green because you load images etc via http - which isn’t secure.
see https://www.whynopadlock.com/
Insecure URL: http://fs5.directupload.net/images/160226/le9cvo28.jpg
Found in: https://forum.wintex-sports.de/wcf/style/style-6.css?m=1471941639
Insecure URL: http://fs5.directupload.net/images/160724/8id9pgxh.jpg
Found in: https://forum.wintex-sports.de/wcf/style/style-6.css?m=1471941639
Insecure URL: http://www.hdwallpapers.in/walls/tom_clancys_the_division-wide.jpg
Found in: https://forum.wintex-sports.de/wcf/style/style-6.css?m=1471941639
Insecure URL: http://fs5.directupload.net/images/160724/pvrpeuvd.jpg
Found in: https://forum.wintex-sports.de/wcf/style/style-6.css?m=1471941639
Insecure URL: http://fs5.directupload.net/images/160724/6g5fg4sv.jpg
Found in: https://forum.wintex-sports.de/wcf/style/style-6.css?m=1471941639
Ah yea i see this. I uploaded it now to “https://wintex-sports.de/bilder/” but when you go to this URL, its unsecure? I dont get it…
Do I have to to this step again?
“certbot --apache -d wintex-sports.de/bilder”?
Your certificate is fine ( you do not need to renew it )
In the code on your page, in your style sheets, you include images which are loaded over http not https
If your page includes images ( or other content ) loaded over http, this is considered insecure - hence you do not get a green lock. You need to change your code to include the images over https, not http.
Ah okey. Thanks then. But why is this unsecure then? “https://wintex-sports.de/bilder/”
https://wintex-sports.de/bilder/ is “insecure” because you are using the certificate for “forum.wintex-sports.de” hence the certificate does not match the domain name - and is therefore not valid / secure.
This goes back to my initial comment “Do you want a single certificate for xxxx.de and forum.xxxx.de ? or do you want separate certificates, one for xxxx.de and another for forum.xxxx.de ?” since the names need to match.
I want it for all and the domain. So If i create a folder called “https://wintex-sports.de/download” it also should say its secure.
I added an A record to “wintex-sports.de” and also with the same IP to “forum.wintex-sports.de”. If you go to “wintex-sports.de” you will get redirected to “forum.wintex-sports.de”.
OK, you need to obtain a single certificate for wintex-sports.de and forum.wintex-sports.de then. Once you have done that, everything should work correctly ( as long as you load all images etc using https not http )
Yes, if you were starting from scratch.
As you already have a certificate ( did you just get the one ? or did you also create one for the main domain ? ) I would suggest using the --expand option to include the additional domain name.
First, I did this: “certbot --apache” then i typed in my Domain at the installer instruction. Then I did this:
“certbot --apache -d forum.wintex-sports.de”
I personally don’t use certbot - perhaps @pfg or someone can help out more fully from the position you are at now.
Well, I think i have 2 certificates now.
But only one is active I think. I want it for both… forum.wintex-sports.de and wintex-sports.de
You know to do it?
Well, thanks anyway! I used --expand and it works now! thank you so much for your help 
The only thing is now, the https://www.whynopadlock.com/ site says all is fine but the lock is still not green ;(
https://forum.wintex-sports.de is green for me.
I’d guess the difference is probably that you are logged in, and there are some images or something once logged in which are not loaded via https.
Ah I see… I found the images…Well, its for everyone different then… Because if u use a signature without https, it will not green lock… Because every user uses different links to the signature… 
With forums you have to either accept that mixed content is inevitable or block insecure images. You could do this by setting a CSP with the upgrade-insecure-requests and block-all-mixed-content directives set, but consider the inconvenience to users.