Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
Do you want to expand and replace this existing certificate with the new
Renewing an existing certificate
Could not reverse map the HTTPS VirtualHost to the original
Unable to install the certificate
Congratulations! Your certificate and chain have been saved at:
Your key file has been saved at:
Your cert will expire on 2022-11-04. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew all of
your certificates, run "certbot renew"
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Both: Terminal or Webmin 1.999
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I ended up with a certificate in the etc/letsencrypt/live/mycloud.devrod.com instead of it being added to my domain, which was my intent. When I go to mycloud.devrod.com I get a blank page. If I force https I get my devrod.com index page with no links. When I look at the certificate info on https://mycloud.devrod.com I see all the certificates associated with the root domain but not mycloud. I ran Let's Debug and there were no issues except under TLS_ALPN-01 where I get: IssueFromLetsEncrypt
A test authorization for mycloud.devrod.com to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
According to the output you also have an expanded certificate with both hostnames. Please show the output of sudo certbot certificates so we can check what's available and also the output of the command sudo apachectl -t -D DUMP_VHOSTS. Please put three backticks (```) above and below the outputs so it's properly formatted.
You indeed have two separate certificates. I assume you want your mycloud subdomain included in the cert with devrod.com, alpha.devrod.com, beta.devrod.com, cirus.devrod.com, drako.devrod.com, lab.devrod.com, mc.devrod.com and www.devrod.com instead of a separate cert?
Your Apache vhost configuration is a little bit "off":
You have two HTTP vhosts for devrod.com/www.devrod.com: the "00-default" one and the separate one specifically for devrod.com. Certbot seems to have chosen the "00-default" vhost as a template for the HTTPS vhost configuration file. This might be OK, but can lead to strange behaviour.
While you have a HTTP mycloud.devrod.com vhost in mycloud.devrod.com.conf, Certbot has not generated a HTTPS mycloud.devrod.com-le-ssl.conf, which is kinda weird I think.
I don't understand why the namevhost mycloud.devrod.com also has an alias mycloud.devrod.com?
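The two findings in the reply above (a hostname defined twice on port 80, and an HTTP vhost with no HTTPS counterpart) can be checked mechanically. This is an added example, not part of the original posts; the function names are hypothetical and the sample input is a subset of the `DUMP_VHOSTS` output posted later in this thread.

```shell
#!/bin/sh
# Audit `apachectl -t -D DUMP_VHOSTS` output for two misconfigurations:
#   - a hostname with a port-80 vhost but no port-443 vhost
#   - a hostname defined more than once on the same port

# Constructed sample: a subset of the output posted in this thread.
sample_dump() {
cat <<'EOF'
*:443 is a NameVirtualHost
default server devrod.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost devrod.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost mc.devrod.com (/etc/apache2/sites-enabled/mc.devrod.com-le-ssl.conf:2)
*:80 is a NameVirtualHost
port 80 namevhost devrod.com (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost devrod.com (/etc/apache2/sites-enabled/devrod.com.conf:1)
port 80 namevhost mc.devrod.com (/etc/apache2/sites-enabled/mc.devrod.com.conf:1)
port 80 namevhost mycloud.devrod.com (/etc/apache2/sites-enabled/mycloud.devrod.com.conf:1)
EOF
}

# audit_vhosts (hypothetical name): reads DUMP_VHOSTS text on stdin and
# prints one finding per line, sorted so the output is stable.
audit_vhosts() {
    awk '
        $1 == "port" && $3 == "namevhost" {
            port = $2; host = $4
            count[port SUBSEP host]++
            if (port == "80")  http[host] = 1
            if (port == "443") https[host] = 1
        }
        END {
            for (h in http) if (!(h in https)) print "NO_HTTPS_VHOST " h
            for (k in count) if (count[k] > 1) {
                split(k, p, SUBSEP)
                print "DUPLICATE port " p[1] " " p[2] " x" count[k]
            }
        }
    ' | sort
}

sample_dump | audit_vhosts
```

On a live host, pipe the real output in instead: `sudo apachectl -t -D DUMP_VHOSTS | audit_vhosts`.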
As to your 1st bullet point the answer is YES
with regards to bullet points:
2a "two HTTP vhosts", should I remove the 2nd vhost (i.e. devrod.com.conf)?
2b "*Certbot has not generated a HTTPS mycloud.devrod.com-le-ssl.conf*" I pondered the same question. Any suggestion on how to resolve?
2c "*why the namevhost mycloud.devrod.com also has an alias*" My error, I corrected.
Certbot is a little bit user unfriendly with regards to modifying existing certificates. To add a certain hostname to an already existing hostname, one needs to add ALL hostnames as the "domains" input, i.e. existing hostnames + new hostname(s). So to expand your existing certificate with the mycloud subdomain, you'd need to use:
Depends on the content of the vhosts. Usually, I put a non-existing hostname (e.g. ServerName localhost) for the default vhost which will set some default directives and put all actual sites in separate configuration files.
By using --apache in the command I've shown above, Certbot should generate such a configuration file.
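Because the `-d` list has to carry every existing hostname plus the new one, it is safer to derive it from `certbot certificates` than to retype it. The following is an added example, not the command from the original reply; the function names are hypothetical and the sample is constructed in the `Certificate Name:` / `Domains:` layout that `certbot certificates` prints, using the hostnames listed in this thread.

```shell
#!/bin/sh
# Build (print, not run) a certbot command that expands one certificate
# with extra hostnames while keeping every hostname already on it.

# Constructed sample, trimmed to the two fields the parser needs.
sample_certs() {
cat <<'EOF'
Found the following certs:
  Certificate Name: devrod.com
    Domains: devrod.com alpha.devrod.com beta.devrod.com cirus.devrod.com drako.devrod.com lab.devrod.com mc.devrod.com www.devrod.com
  Certificate Name: mycloud.devrod.com
    Domains: mycloud.devrod.com
EOF
}

# expand_command CERT_NAME NEW_HOST... (hypothetical name): reads
# `certbot certificates` text on stdin; fails if CERT_NAME is not listed.
expand_command() {
    cert=$1; shift
    awk -v cert="$cert" -v extra="$*" '
        function add(h,   sep) {
            if (h in seen) return          # never list a hostname twice
            seen[h] = 1
            sep = (list == "") ? "" : ","
            list = list sep h
        }
        $1 == "Certificate" && $2 == "Name:" { current = $3 }
        $1 == "Domains:" && current == cert {
            for (i = 2; i <= NF; i++) add($i)
            found = 1
        }
        END {
            if (!found) {
                print "no certificate named " cert > "/dev/stderr"
                exit 1
            }
            n = split(extra, e, " ")
            for (i = 1; i <= n; i++) add(e[i])
            print "certbot --apache --cert-name " cert " --expand -d " list
        }
    '
}

sample_certs | expand_command devrod.com mycloud.devrod.com
```

Review the printed command before running it with `sudo`; on a live host the input is `sudo certbot certificates | expand_command devrod.com mycloud.devrod.com`.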
I used your suggestion of sudo certbot --apache -d devrod.com, . . . to no avail. I got the standard remarks about congratulation … stored in … etc. (sorry I didn’t copy, was anxious to see results). Unfortunately, I’m in the same predicament as before. You may or may not remember I noted that “mycloud.devrod.com” has its own folder with its own certs in the /etc/letsencrypt/live/mycloud.devrod.com folder. If I remember correctly that would be because I didn’t do it right the first time. I think I just did sudo certbot -d mycloud.devrod.com. Is it possible this set of certs is interfering? Can I make a mycloud.devrod.com-le-ssl.conf pointing to the mycloud certs? How can I correct my mistakes?
"Congratulations" at least is good, right? Please show the output of sudo certbot certificates again.
That's unfortunate, but probably not impossible to solve.
I don't think so. Certbot shouldn't make decisions when dealing with e.g. cert "A" even if cert "B" or "C" exist. It should only be dealing with A.
When you previously ran sudo apachectl -t -D DUMP_VHOSTS, there was no mycloud.devrod.com-le-ssl.conf to begin with. Usually, this would be generated by Certbot. I don't know why it didn't happen. You could try to use sudo certbot install but I'm afraid that function is VERY poorly documented. I'm not sure if it takes -d mycloud.devrod.com or if it takes --cert-name devrod.com as options. Or both.
```
*:443 is a NameVirtualHost
    default server devrod.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
    port 443 namevhost devrod.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
    port 443 namevhost alpha.devrod.com (/etc/apache2/sites-enabled/alpha.devrod.com-le-ssl.conf:2)
    port 443 namevhost beta.devrod.com (/etc/apache2/sites-enabled/beta.devrod.com-le-ssl.conf:2)
    port 443 namevhost cirus.devrod.com (/etc/apache2/sites-enabled/cirus.devrod.com-le-ssl.conf:2)
    port 443 namevhost drako.devrod.com (/etc/apache2/sites-enabled/drako.devrod.com-le-ssl.conf:2)
    port 443 namevhost lab.devrod.com (/etc/apache2/sites-enabled/lab.devrod.com-le-ssl.conf:2)
    port 443 namevhost mc.devrod.com (/etc/apache2/sites-enabled/mc.devrod.com-le-ssl.conf:2)
*:80 is a NameVirtualHost
    default server devrod.com (/etc/apache2/sites-enabled/000-default.conf:1)
    port 80 namevhost devrod.com (/etc/apache2/sites-enabled/000-default.conf:1)
    port 80 namevhost alpha.devrod.com (/etc/apache2/sites-enabled/alpha.devrod.com.conf:1)
    port 80 namevhost beta.devrod.com (/etc/apache2/sites-enabled/beta.devrod.com.conf:1)
    port 80 namevhost cirus.devrod.com (/etc/apache2/sites-enabled/cirus.devrod.com.conf:1)
    port 80 namevhost devrod.com (/etc/apache2/sites-enabled/devrod.com.conf:1)
    port 80 namevhost drako.devrod.com (/etc/apache2/sites-enabled/drako.devrod.com.conf:1)
    port 80 namevhost lab.devrod.com (/etc/apache2/sites-enabled/lab.devrod.com.conf:1)
    port 80 namevhost mc.devrod.com (/etc/apache2/sites-enabled/mc.devrod.com.conf:1)
    port 80 namevhost mycloud.devrod.com (/etc/apache2/sites-enabled/mycloud.devrod.com.conf:1)
*:25575 mc.devrod.com (/etc/apache2/sites-enabled/webmin.1650413132.conf:1)
```
This may sound crazy but, here is what I was thinking when I asked if I could point to the proper certificates in mycloud.devrod.com-le-ssl.conf. I would make a copy of one of the other ...le-ssl.conf files. Modify accordingly and enable like I did with mycloud.devrod.com.conf. Does it not work that way?
OK! Hopefully last question, or two. Now that mycloud.devrod.com is part of the devrod.com certificate, thanks for that, should I point to it, like all the other subdomains. Or, to the mycloud.devrod.com? Wouldn't pointing to the root certificate make renewals easier?