I am facing an issue with my subdomains.
I have installed an SSL certificate for my main domain as well as www.domain.com, and it's working fine.
But I have two subdomains that belong to the same IP, and although the certificate has been installed, the site is throwing an error.
Kindly help me sort out this issue.
OS: AMI 2016
Webserver: Apache 2.3
Domain: bezirk.com and bezirk.io
You are not using the Let’s Encrypt certificates for your subdomains.
You don’t say how you obtained the certificates (what command you ran) … if you have the certificates (in /etc/letsencrypt/live/subdomain…) then you should check your Apache config and point to those certs. If you don’t have the certificates then please let us know what command you ran to obtain the certificates, and the output it gave.
I suspect the problem may be because you have modified the list of domains in your certificate, so now have both a developer.bezirk.com and a developer.bezirk.com-0001 directory.
What is in your Apache config for these subdomains for the SSLCertificate links?
I have tried it; the certificate is working fine, but finally it goes to the AMI test page.
I am able to configure Apache properly; that is not an issue for me.
If HTTPS is enabled, it goes to an error page or the AMI test page.
Cert verification also gives OK:
```
[root@ip-172-31-19-172 conf.d]# openssl verify /etc/letsencrypt/live/developer.bezirk.com-0001/*pem
/etc/letsencrypt/live/developer.bezirk.com-0001/cert.pem: CN = developer.bezirk.com
error 20 at 0 depth lookup:unable to get local issuer certificate
/etc/letsencrypt/live/developer.bezirk.com-0001/chain.pem: OK
/etc/letsencrypt/live/developer.bezirk.com-0001/fullchain.pem: CN = developer.bezirk.com
error 20 at 0 depth lookup:unable to get local issuer certificate
unable to load certificate
139828029695840:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
```
```
Signature Algorithm SHA256 with RSA
Server key size RSA 1024 bits
Fingerprint / Serial SHA1 5FCD7686283969B5A7EC560190B314E53620E931 / 2E0A
SHA256 B394465337561F6BE951C239F375AA750421E326868594498C0489350A3D02AC
Common Name (CN) "ip-172-31-19-172"
subjectAltName (SAN) --
Issuer self-signed (NOT ok)
Trust (hostname) certificate does not match supplied URI
Chain of trust NOT ok (self signed)
EV cert (experimental) no
Certificate Expiration 350 >= 60 days (2016-11-22 06:13 --> 2017-11-22 06:13 +0000)
# of certificates provided 1
Certificate Revocation List --
OCSP URI --
OCSP stapling --
```
If I accepted that certificate I may get redirected, I don't know, as I didn't accept an invalid certificate I don't trust.
It is NOT using the certificate you have at /etc/letsencrypt/live/developer.bezirk.com-0001/xxx
The domain developer.bezirk.com is using a self-signed certificate for the domain name “ip-172-31-19-172”.
This is most likely to be due to your Apache config, which is not configured to recognise the domain and provide the correct certificate. I’m assuming you have it showing a default self-signed cert for an internal, private IP address of 172.31.19.172.
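The situation described above, where no port-443 virtual host names the subdomain and Apache therefore answers with its first-listed vhost and that vhost's certificate, can be checked offline against the config text. This is an added example, not code from the thread: the sample configs and the `localhost.crt` path are constructed, and it assumes every vhost shares one address so that selection is by name only.

```python
import fnmatch
import re

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf, port="443"):
    """Return the <VirtualHost> blocks bound to `port`, in file order."""
    vhosts = []
    for addrs, body in VHOST_RE.findall(conf):
        if not any(a.endswith(":" + port) for a in addrs.split()):
            continue
        vh = {"names": [], "cert": None}
        for line in body.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            key = parts[0].lower()
            if key in ("servername", "serveralias"):
                vh["names"] += [n.lower() for n in parts[1:]]
            elif key == "sslcertificatefile" and len(parts) > 1:
                vh["cert"] = parts[1]
        vhosts.append(vh)
    return vhosts

def cert_for(conf, host):
    """Return (certificate path, matched_by_name) for an HTTPS request to `host`."""
    vhosts = parse_vhosts(conf)
    for vh in vhosts:
        if any(fnmatch.fnmatchcase(host.lower(), n) for n in vh["names"]):
            return vh["cert"], True
    # No ServerName/ServerAlias matched: the first vhost listed is the default.
    return (vhosts[0]["cert"], False) if vhosts else (None, False)

# Constructed sample configs; the localhost.crt path is an assumed placeholder.
BROKEN = """
<VirtualHost *:443>
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>
<VirtualHost *:80>
    ServerName developer.bezirk.com
</VirtualHost>
"""
FIXED = BROKEN + """
<VirtualHost *:443>
    ServerName developer.bezirk.com
    SSLCertificateFile /etc/letsencrypt/live/developer.bezirk.com-0001/fullchain.pem
</VirtualHost>
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, cert_for(conf, "developer.bezirk.com"))
```

A `matched_by_name` value of `False` means the request fell through to the default vhost, which is the case where a browser sees a certificate issued for a different name.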
How do I create the certificate for developer.bezirk.com and developer.bezirk.io?
Please give me the command or any steps to create the cert for this; I will follow the same.
That looks OK, but I can’t really tell due to the formatting on the forum here. Can you either enclose the config in three back tick quotes ` or paste in pastebin.com (it would be useful if you could post your main default config, your default ssl config as well as the specific vhost file).