Subdomain certificate not working

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
sudo certbot -d mycloud.devrod.com -d devrod.com
It produced this output:


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/mycloud.devrod.com.conf)

It contains these names: mycloud.devrod.com

You requested these names for the new certificate: mycloud.devrod.com,
devrod.com.

Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/(C)ancel: E
Renewing an existing certificate
Could not reverse map the HTTPS VirtualHost to the original

IMPORTANT NOTES:

  • Unable to install the certificate
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/mycloud.devrod.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/mycloud.devrod.com/privkey.pem
    Your cert will expire on 2022-11-04. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"
My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu 20.04/Apache2
My hosting provider, if applicable, is:
Self
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Both: Terminal or Webmin 1.999
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

I ended up with a certificate in /etc/letsencrypt/live/mycloud.devrod.com instead of it being added to my domain, which was my intent. When I go to mycloud.devrod.com I get a blank page. If I force HTTPS I get my devrod.com index page with no links. When I look at the certificate info on https://mycloud.devrod.com I see all the certificates associated with the root domain but not mycloud. I ran Let's Debug and there were no issues except under TLS_ALPN-01, where I get:
IssueFromLetsEncrypt

Error

A test authorization for mycloud.devrod.com to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

72.179.58.107: Error getting validation data

How can I resolve this issue?

According to the output you also have an expanded certificate with both hostnames. Please show the output of sudo certbot certificates so we can check what's available and also the output of the command sudo apachectl -t -D DUMP_VHOSTS. Please put three backticks (```) above and below the outputs so it's properly formatted.

3 Likes

sudo certbot certificates

```
Found the following certs:
  Certificate Name: devrod.com
    Domains: devrod.com alpha.devrod.com beta.devrod.com cirus.devrod.com drako.devrod.com lab.devrod.com mc.devrod.com www.devrod.com
    Expiry Date: 2022-10-27 13:10:32+00:00 (VALID: 81 days)
    Certificate Path: /etc/letsencrypt/live/devrod.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/devrod.com/privkey.pem
  Certificate Name: mycloud.devrod.com
    Domains: mycloud.devrod.com devrod.com
    Expiry Date: 2022-11-04 16:26:34+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/mycloud.devrod.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mycloud.devrod.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

sudo apachectl -t -D DUMP_VHOSTS

```
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server devrod.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost devrod.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost alpha.devrod.com (/etc/apache2/sites-enabled/alpha.devrod.com-le-ssl.conf:2)
         port 443 namevhost beta.devrod.com (/etc/apache2/sites-enabled/beta.devrod.com-le-ssl.conf:2)
         port 443 namevhost cirus.devrod.com (/etc/apache2/sites-enabled/cirus.devrod.com-le-ssl.conf:2)
         port 443 namevhost drako.devrod.com (/etc/apache2/sites-enabled/drako.devrod.com-le-ssl.conf:2)
         port 443 namevhost lab.devrod.com (/etc/apache2/sites-enabled/lab.devrod.com-le-ssl.conf:2)
         port 443 namevhost mc.devrod.com (/etc/apache2/sites-enabled/mc.devrod.com-le-ssl.conf:2)
*:25565                mc.devrod.com (/etc/apache2/sites-enabled/mc.devrod.com-minepops.conf:1)
*:80                   is a NameVirtualHost
         default server devrod.com (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost devrod.com (/etc/apache2/sites-enabled/000-default.conf:1)
                 alias www.devrod.com
         port 80 namevhost alpha.devrod.com (/etc/apache2/sites-enabled/alpha.devrod.com.conf:1)
         port 80 namevhost beta.devrod.com (/etc/apache2/sites-enabled/beta.devrod.com.conf:1)
         port 80 namevhost cirus.devrod.com (/etc/apache2/sites-enabled/cirus.devrod.com.conf:1)
         port 80 namevhost devrod.com (/etc/apache2/sites-enabled/devrod.com.conf:1)
                 alias www.devrod.com
         port 80 namevhost drako.devrod.com (/etc/apache2/sites-enabled/drako.devrod.com.conf:1)
         port 80 namevhost lab.devrod.com (/etc/apache2/sites-enabled/lab.devrod.com.conf:1)
         port 80 namevhost mc.devrod.com (/etc/apache2/sites-enabled/mc.devrod.com.conf:1)
         port 80 namevhost mycloud.devrod.com (/etc/apache2/sites-enabled/mycloud.devrod.com.conf:1)
                 alias mycloud.devrod.com
*:25575                mc.devrod.com (/etc/apache2/sites-enabled/webmin.1650413132.conf:1)
```

A few things catch my eyes:

  • You indeed have two separate certificates. I assume you want your mycloud subdomain included in the cert with devrod.com, alpha.devrod.com, beta.devrod.com, cirus.devrod.com, drako.devrod.com, lab.devrod.com, mc.devrod.com and www.devrod.com instead of a separate cert?
  • Your Apache vhost configuration is a little bit "off":
    • You have two HTTP vhosts for devrod.com/www.devrod.com: the "00-default" one and the separate one specifically for devrod.com. Certbot seems to have chosen the "00-default" vhost as a template for the HTTPS vhost configuration file. This might be OK, but can lead to strange behaviour.
    • While you have an HTTP mycloud.devrod.com vhost in mycloud.devrod.com.conf, Certbot has not generated an HTTPS mycloud.devrod.com-le-ssl.conf, which is kinda weird I think.
    • I don't understand why the namevhost mycloud.devrod.com also has an alias mycloud.devrod.com?
4 Likes

As to your 1st bullet point, the answer is YES.
With regards to bullet points:
2a "two HTTP vhosts": should I remove the 2nd vhost (i.e. devrod.com.conf)?
2b "*Certbot has not generated a HTTPS mycloud.devrod.com-le-ssl.conf*": I pondered the same question. Any suggestion on how to resolve?
2c "*why the namevhost mycloud.devrod.com also has an alias*": My error, I corrected it.

where to now?

Also, how to correct having 2 live certs (1)devrod.com & (2)mycloud.devrod.com?

Certbot is a little bit user unfriendly with regards to modifying existing certificates. To add a certain hostname to an already existing hostname, one needs to add ALL hostnames as the "domains" input, i.e. existing hostnames + new hostname(s). So to expand your existing certificate with the mycloud subdomain, you'd need to use:

sudo certbot --apache -d devrod.com,alpha.devrod.com,beta.devrod.com,cirus.devrod.com,drako.devrod.com,lab.devrod.com,mc.devrod.com,www.devrod.com,mycloud.devrod.com

Depends on the content of the vhosts. Usually, I put a non-existing hostname (e.g. ServerName localhost) for the default vhost which will set some default directives and put all actual sites in separate configuration files.

By using --apache in the command I've shown above, Certbot should generate such a configuration file.

:+1:

4 Likes

I used your suggestion of sudo certbot --apache -d devrod.com, . . . to no avail. I got the standard remarks about congratulations … stored in … etc. (sorry I didn't copy, was anxious to see results). Unfortunately, I'm in the same predicament as before. You may or may not remember I noted that "mycloud.devrod.com" has its own folder with its own certs in the /etc/letsencrypt/live/mycloud.devrod.com folder. If I remember correctly that would be because I didn't do it right the first time. I think I just did sudo certbot -d mycloud.devrod.com. Is it possible this set of certs is interfering? Can I make a mycloud.devrod.com-le-ssl.conf pointing to the mycloud certs? How can I correct my mistakes?

Thank You for your time and trouble,
RLB

"Congratulations" at least is good, right? Please show the output of sudo certbot certificates again.

That's unfortunate, but probably not impossible to solve.

I don't think so. Certbot shouldn't make decisions when dealing with e.g. cert "A" even if cert "B" or "C" exist. It should only be dealing with A.

When you previously ran sudo apachectl -t -D DUMP_VHOSTS, there was no mycloud.devrod.com-le-ssl.conf to begin with. Usually, this would be generated by Certbot. I don't know why it didn't happen. You could try to use sudo certbot install but I'm afraid that function is VERY poorly documented.. I'm not sure if it takes -d mycloud.devrod.com or if it takes --cert-name devrod.com as options.. Or both :roll_eyes:

Made an issue about the missing documentation: `install` subcommand documentation missing from User Guide · Issue #9373 · certbot/certbot · GitHub

3 Likes

sudo certbot certificates

```
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: devrod.com
    Domains: devrod.com alpha.devrod.com beta.devrod.com cirus.devrod.com drako.devrod.com lab.devrod.com mc.devrod.com mycloud.devrod.com www.devrod.com
    Expiry Date: 2022-11-04 23:05:56+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/devrod.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/devrod.com/privkey.pem
  Certificate Name: mycloud.devrod.com
    Domains: mycloud.devrod.com devrod.com
    Expiry Date: 2022-11-04 16:26:34+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/mycloud.devrod.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mycloud.devrod.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

There still is no mycloud.devrod.com-le-ssl.conf.

sudo apachectl -t -D DUMP_VHOSTS

```
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server devrod.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost devrod.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost alpha.devrod.com (/etc/apache2/sites-enabled/alpha.devrod.com-le-ssl.conf:2)
         port 443 namevhost beta.devrod.com (/etc/apache2/sites-enabled/beta.devrod.com-le-ssl.conf:2)
         port 443 namevhost cirus.devrod.com (/etc/apache2/sites-enabled/cirus.devrod.com-le-ssl.conf:2)
         port 443 namevhost drako.devrod.com (/etc/apache2/sites-enabled/drako.devrod.com-le-ssl.conf:2)
         port 443 namevhost lab.devrod.com (/etc/apache2/sites-enabled/lab.devrod.com-le-ssl.conf:2)
         port 443 namevhost mc.devrod.com (/etc/apache2/sites-enabled/mc.devrod.com-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server devrod.com (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost devrod.com (/etc/apache2/sites-enabled/000-default.conf:1)
                 alias www.devrod.com
         port 80 namevhost alpha.devrod.com (/etc/apache2/sites-enabled/alpha.devrod.com.conf:1)
         port 80 namevhost beta.devrod.com (/etc/apache2/sites-enabled/beta.devrod.com.conf:1)
         port 80 namevhost cirus.devrod.com (/etc/apache2/sites-enabled/cirus.devrod.com.conf:1)
         port 80 namevhost devrod.com (/etc/apache2/sites-enabled/devrod.com.conf:1)
                 alias www.devrod.com
         port 80 namevhost drako.devrod.com (/etc/apache2/sites-enabled/drako.devrod.com.conf:1)
         port 80 namevhost lab.devrod.com (/etc/apache2/sites-enabled/lab.devrod.com.conf:1)
         port 80 namevhost mc.devrod.com (/etc/apache2/sites-enabled/mc.devrod.com.conf:1)
         port 80 namevhost mycloud.devrod.com (/etc/apache2/sites-enabled/mycloud.devrod.com.conf:1)
*:25575                mc.devrod.com (/etc/apache2/sites-enabled/webmin.1650413132.conf:1)
```

This may sound crazy, but here is what I was thinking when I asked if I could point to the proper certificates in mycloud.devrod.com-le-ssl.conf. I would make a copy of one of the other ...le-ssl.conf files, modify it accordingly and enable it like I did with mycloud.devrod.com.conf. Does it not work that way?

You have a name:port overlap/conflict:

[two files using the exact same set of names]

3 Likes
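An added check, not from the thread, that parses `apachectl -t -D DUMP_VHOSTS` output for the two problems raised above: the same name:port claimed by two config files, and HTTP vhosts that have no HTTPS counterpart (i.e. no *-le-ssl.conf was generated). The sample input is a trimmed copy of the dump posted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the `apachectl -t -D DUMP_VHOSTS` output posted above.
DUMP_VHOSTS = """\
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server devrod.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost devrod.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost mc.devrod.com (/etc/apache2/sites-enabled/mc.devrod.com-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server devrod.com (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost devrod.com (/etc/apache2/sites-enabled/000-default.conf:1)
                 alias www.devrod.com
         port 80 namevhost devrod.com (/etc/apache2/sites-enabled/devrod.com.conf:1)
                 alias www.devrod.com
         port 80 namevhost mc.devrod.com (/etc/apache2/sites-enabled/mc.devrod.com.conf:1)
         port 80 namevhost mycloud.devrod.com (/etc/apache2/sites-enabled/mycloud.devrod.com.conf:1)
"""

NAMEVHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+) \((\S+):\d+\)")
ALIAS_RE = re.compile(r"^\s*alias (\S+)")


def parse_vhosts(dump):
    """Map (port, hostname) -> list of config files that claim that name on that port."""
    claims = defaultdict(list)
    cur_port = cur_file = None
    for line in dump.splitlines():
        m = NAMEVHOST_RE.match(line)
        if m:
            cur_port, name, cur_file = m.groups()
            claims[(cur_port, name)].append(cur_file)
            continue
        m = ALIAS_RE.match(line)
        # An alias line belongs to the namevhost line that precedes it, so credit the same file.
        if m and cur_file is not None:
            claims[(cur_port, m.group(1))].append(cur_file)
    return dict(claims)


def name_port_conflicts(claims):
    """Names claimed by two or more config files on the same port (the first vhost wins)."""
    return {key: files for key, files in claims.items() if len(set(files)) > 1}


def http_without_https(claims):
    """Hostnames with a port-80 vhost but no port-443 vhost."""
    https_names = {name for port, name in claims if port == "443"}
    return sorted(name for port, name in claims if port == "80" and name not in https_names)
```

On the posted dump this flags devrod.com and www.devrod.com as claimed on port 80 by both 000-default.conf and devrod.com.conf, and lists mycloud.devrod.com among the names with no HTTPS vhost.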

Yes, this was noted by Osiris. However, I didn't understand his "Depends" response. So, I'll ask again: should I remove the devrod.com.conf?

I just deleted the devrod.com.conf file in question. Even though this server has been running like that for years, it appears to be an issue gone unresolved from the initial setup.

Just viewed the devrod.com certificate info from the browser, and mycloud.devrod.com now shows as part of the cert. So, that's good.

Sure, that would work, if you're fine with manually editing Apache configuration files :slight_smile:

3 Likes

OK! Hopefully last question, or two. Now that mycloud.devrod.com is part of the devrod.com certificate (thanks for that), should I point to it, like all the other subdomains, or to the mycloud.devrod.com one? Wouldn't pointing to the root certificate make renewals easier?

FQDNs should "point" to where their content is.

I'm confused :confused:
You have certificates "choices"?
Please show the output of:
certbot certificates

2 Likes

OP is talking about which cert to configure.

Yes, see above.

I would configure the webserver to use the single cert containing all hostnames.

If you're sure all webserver configuration files are using that single cert, you can delete the second cert for mycloud in certbot.

3 Likes

!!! Touchdown !!!
Osiris, I thank you so much! You have been a great help and I thank you for your time and patience. I have learned so much from this encounter.
Thank You!
RLB

3 Likes

One more thing. How do I make mycloud.devrod.com redirect to https://mycloud.devrod.com?

Cancel that. I figured it out. Again thanks a bunch!
RLB

2 Likes