I am facing issue with my subdomains.
I have installed ssl certificate for my main domain as well as www.domain.com also it’s working fine.
But i have two sub domain belongs to same IP but the certificate has been installed site is throwing error.
Kindly help me to sorting this issue
OS:AMI 2016
Webserver:Apache 2.3
Domain:bezirk.com and bezirk.io
subdomain:developer.bezirk.com and developer.bezirk.io
You are not using the Let’s Encrypt certificates for your subdomains.
You don’t say how you obtained the certificates ( what command you ran ) … if you have the certificates ( in /etc/letsencrypt/live/subdomain… then you should check your apache config and point to those certs. If you don’t have the certificates than please let us know what command you ran to obtain the certificates, and the output it gave.
I have ran following command and it's gave below output.
./certbot-auto --apache -d developer.bezirk.com -d developer.bezirk.io
And it has certificate to the following path
ls /etc/letsencrypt/live/
bezirk.com developer.bezirk.com-0001
│ Congratulations! You have successfully enabled │
│ https://developer.bezirk.com and https://developer.bezirk.io │
│ │
│ You should test your configuration at: │
│ https://www.ssllabs.com/ssltest/analyze.html?d=developer.bezirk.com │
│ https://www.ssllabs.com/ssltest/analyze.html?d=developer.bezirk.io
And my vhost configuration file is
I suspect the problem may be because you have modified the list of domains in your certificate, so now have both a developer.bezirk.com and a developer.bezirk.com-0001 directory.
What is in your apache config for these subdomains for the SSLCertificate links ?
I have pointed developer.bezirk.com-0001 only.
Let me confirm developer.bezirk.com and developer.bezirk.io also business.bezirk.com is pointed DNS record properly or not.
Because I have checked with pingdom tool for dns for bezirk.com and bezirk.io are resolving nameserver properly but subdomains doesn't.
So please confirm the same i will try to change the DNS point to this Ip for subdomains.
Thanks for gave reply
for me, all 4 go to 54.218.126.252
It’s just the SSL certs that are not correct, hence why I asked what was in your apache config.
Please see my apache conf file for developer.bezirk.com of ssl
[root@ip-172-31-19-172 conf.d]# cat developer-bezirk-com-le-ssl.conf
<VirtualHost *:443>
ServerName developer.bezirk.com
ServerAlias developer.bezirk.io
ServerAdmin webmaster@developer.bezirk.com
DocumentRoot /home/bezirkweb/developer
<Directory /home/bezirkweb/developer/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
####################
####################
SetOutputFilter DEFLATE
AddOutputFilterByType DEFLATE text/html text/css text/plain text/xml application/x-javascript application/x-httpd-php
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI .(?:gif|jpe?g|png)$ no-gzip
Header append Vary User-Agent env=!dont-vary
ErrorLog /var/log/developer.bezirk.com.error.log
LogLevel warn
CustomLog /var/log/developer.bezirk.com.access.log combined
SSLCertificateFile /etc/letsencrypt/live/bezirk.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/bezirk.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/bezirk.com/chain.pem
In your apache config you have;
which looks wrong for developer.bezirk.com. They should be
SSLCertificateFile /etc/letsencrypt/live/developer.bezirk.com-0001/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/developer.bezirk.com-0001/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/developer.bezirk.com-0001/chain.pem
I have tried it working fine certificate but finally it goes to AMI test page.
I can able configure properly in apache that is not an issue for me,
If https enabled means it’s going to error page or AMI test page
See can you check it please
https://developer.bezirk.com/
For cert verfication also gives ok
root@ip-172-31-19-172 conf.d]# openssl verify /etc/letsencrypt/live/developer.bezirk.com-0001/*pem
/etc/letsencrypt/live/developer.bezirk.com-0001/cert.pem: CN = developer.bezirk.com
error 20 at 0 depth lookup:unable to get local issuer certificate
/etc/letsencrypt/live/developer.bezirk.com-0001/chain.pem: OK
/etc/letsencrypt/live/developer.bezirk.com-0001/fullchain.pem: CN = developer.bezirk.com
error 20 at 0 depth lookup:unable to get local issuer certificate
unable to load certificate
139828029695840:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
I checked before - I don't get redirected to an AMI test page because I don't trust your self signed certificate.
curl -I https://developer.bezirk.com/
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: curl - SSL CA Certificates
if I test your certificate;
Signature Algorithm SHA256 with RSA
Server key size RSA 1024 bits
Fingerprint / Serial SHA1 5FCD7686283969B5A7EC560190B314E53620E931 / 2E0A
SHA256 B394465337561F6BE951C239F375AA750421E326868594498C0489350A3D02AC
Common Name (CN) "ip-172-31-19-172"
subjectAltName (SAN) --
Issuer self-signed (NOT ok)
Trust (hostname) certificate does not match supplied URI
Chain of trust NOT ok (self signed)
EV cert (experimental) no
Certificate Expiration 350 >= 60 days (2016-11-22 06:13 --> 2017-11-22 06:13 +0000)
# of certificates provided 1
Certificate Revocation List --
OCSP URI --
OCSP stapling --
If I accepted that certificate I may get redirected, I don't know, as I didn't accept an invalid certificate I don't trust 
Then what is the solution for this from issue.
If certificte installed means not working expected content
Please let you explain to me.
I was so tired for this am not able to sort this.
Your domain at developer.bezirk.com is not using the Let’s Encrypt certificate.
It is NOT using the certificate you have at /etc/letsencrypt/live/developer.bezirk.com-0001/xxx
The domain developer.bezirk.com is using a self signed certificate for the domain name “ip-172-31-19-172”
This is most likely to be due to your apache config, which is not configured to recognise the domain ane provide the correct certificate. I’m assuming you have it showing a default self signed cert for an internal, private IP address of 172.31.19.172.
How to create the certificate for developer.bezirk.com and developer.bezirk.io.
Please give me the command or any steps to create the cert for this i will follow the same
You already have the certificates - in /etc/letsencrypt/live/developer.bezirk.com-0001/…
You aren’t using them correctly in your apache config though.
[root@ip-172-31-19-172 conf.d]# ls dev* -l
-rw-r–r-- 1 root root 1771 Dec 6 05:58 developer-bezirk-com.conf
-rw-r–r-- 1 root root 1930 Dec 6 10:45 developer-bezirk-com-le-ssl.conf
This is the vhost file for developer.bezirk.com is there any problem in this ?
developerssl.conf.txt (1.9 KB)
That looks OK, but I can’t really tell due to the formatting on the forum here. Can you either enclose the config in three back tick quotes ` or paste in pastebin.com (it would be useful if you could post your main default config, your default ssl config as well as the specific vhost file.
Hi I have attached my conf file please find it
I can not see your conf file.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.