Subdomain getting certificate for domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: comic.collar6.wiki

I ran this command: sudo certbot (then instructed it to make cert for only comic.collar6.wiki)

It produced this output: output as expected

My web server is (include version): Apache 2.4.41

The operating system my web server runs on is (include version): Ubuntu Server 18.04

My hosting provider, if applicable, is: selfhost

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0 (via Canonical)

I don’t -think- I’ve hit rate limits for the week, but I have done some revoking and new domains on my server/account in the last week.

Other active certs I have include: raindrop.works, nextcloud.raindrop.works and collar6.wiki. I’ve revoked certs for backup.collar6.wiki and collabora.raindrop.works, but if I understand the rate limits policy, I shouldn’t be at that limit, and even if I was, the cert should fail, not give me a cert for the domain when I’m requesting the subdomain.


Are you getting a rate limit error message? Can you post the exact message?

It claims it succeeded, until I go to the certificate and Firefox, SSL Labs and crt.sh all say the same thing: that it’s not the right cert.

full output of the attempt here https://nextcloud.raindrop.works/index.php/s/Q4XkHZoyRDsQers


The certificate was issued.

The problem you’re having now is the way it is configured in Apache - it’s not being presented to visitors.

This might help to reveal the issue:

apachectl -t -D DUMP_VHOSTS

If you have multiple virtualhosts that duplicate the same ServerName or ServerAlias, it can lead to weird things happening like the wrong certificate being presented.

You will want to work through each virtualhost that’s listed, and make sure that each domain name only appears in a single virtualhost.

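One way to automate that check, as an added example that is not part of this thread or of Certbot/Apache: a small Python script that parses the text printed by apachectl -t -D DUMP_VHOSTS and reports every name that an earlier virtual host on the same port (including one with a wildcard ServerAlias) would answer first. The sample input is constructed in the DUMP_VHOSTS format using the hostnames from this thread.

```python
"""Flag hostnames that Apache would route to an earlier virtual host.

Apache walks the name-based vhosts for a port in the order DUMP_VHOSTS lists
them and serves the first one whose ServerName (exact) or ServerAlias (glob)
matches the requested Host, so an early wildcard alias silently captures
later vhosts and their certificates are never presented.
"""
import fnmatch
import re

# Constructed sample in DUMP_VHOSTS format (hostnames taken from this thread).
SAMPLE = """\
*:443 is a NameVirtualHost
         default server collar6.wiki (/etc/apache2/sites-enabled/collar6.wiki.conf:19)
         port 443 namevhost collar6.wiki (/etc/apache2/sites-enabled/collar6.wiki.conf:19)
                 wild alias *collar6.wiki
         port 443 namevhost comic.collar6.wiki (/etc/apache2/sites-enabled/comic.collar6.wiki.conf:9)
         port 443 namevhost raindrop.works (/etc/apache2/sites-enabled/raindrop.works.conf:19)
                 wild alias *.raindrop.works
"""

VHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+) \((.+)\)$")
ALIAS_RE = re.compile(r"^\s*(?:wild )?alias (\S+)$")


def parse_dump(text):
    """Return [(port, server_name, [aliases], source_file)] in Apache's order."""
    vhosts = []
    for line in text.splitlines():
        m = VHOST_RE.match(line)
        if m:
            vhosts.append((m.group(1), m.group(2).lower(), [], m.group(3)))
        elif (m := ALIAS_RE.match(line)) and vhosts:
            vhosts[-1][2].append(m.group(1).lower())
    return vhosts


def shadowed_names(vhosts):
    """Return (name, vhost that defines it, vhost that actually answers)."""
    problems = []
    for i, (port, name, aliases, src) in enumerate(vhosts):
        for wanted in [name] + aliases:
            if "*" in wanted or "?" in wanted:
                continue  # only check concrete names against earlier patterns
            for eport, ename, ealiases, esrc in vhosts[:i]:
                if eport == port and (wanted == ename or
                        any(fnmatch.fnmatchcase(wanted, a) for a in ealiases)):
                    problems.append((wanted, src, esrc))
                    break
    return problems


if __name__ == "__main__":
    for name, wanted, winner in shadowed_names(parse_dump(SAMPLE)):
        print(f"{name}: defined in {wanted} but served by {winner}")
```

Pipe real output in with apachectl -t -D DUMP_VHOSTS | python3 check_vhosts.py by reading sys.stdin instead of SAMPLE; an empty result means every name resolves to the vhost that defines it.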

User error? Seems legit after the last few days. I’ll poke at it and see what I can find.

Less user error and more that Certbot did not configure your virtual hosts properly. Either way, poking around is the way to go from here …


I’m going to -guess- it’s because aliases didn’t get set up right (I was trying to standardize them and it seems I botched it. The joy of working in Nano on a headless environment).

*:80 is a NameVirtualHost
default server collar6.wiki (/etc/apache2/sites-enabled/collar6.wiki.conf:1)
port 80 namevhost collar6.wiki (/etc/apache2/sites-enabled/collar6.wiki.conf:1)
alias collar6.wiki
port 80 namevhost comic.collar6.wiki (/etc/apache2/sites-enabled/comic.collar6.wiki.conf:1)
port 80 namevhost nextcloud.raindrop.works (/etc/apache2/sites-enabled/nextcloud.raindrop.works.conf:1)
alias nextcloud.raindrop.works
port 80 namevhost raindrop.works (/etc/apache2/sites-enabled/raindrop.works.conf:1)
alias raindrop.works
*:443 is a NameVirtualHost
default server collar6.wiki (/etc/apache2/sites-enabled/collar6.wiki.conf:19)
port 443 namevhost collar6.wiki (/etc/apache2/sites-enabled/collar6.wiki.conf:19)
wild alias *collar6.wiki
port 443 namevhost comic.collar6.wiki (/etc/apache2/sites-enabled/comic.collar6.wiki.conf:9)
port 443 namevhost nextcloud.raindrop.works (/etc/apache2/sites-enabled/nextcloud.raindrop.works.conf:20)
alias nextcloud.raindrop.works
port 443 namevhost raindrop.works (/etc/apache2/sites-enabled/raindrop.works.conf:19)
wild alias *.raindrop.works


That looks a little suspicious to me. If you try removing that alias temporarily (from collar6.wiki.conf), does the comic certificate start working?


Phew. The * was the problem. Setting that to just collar6.wiki fixed it. Ideally *.collar6.wiki should have also been a good catchall, but my DNS service should have that wildcard fixed already. Which is good, because I used up three of my issuances on this. Thanks a bunch for the help!
