Subdomain is redirecting to AMI test page


#1

I am facing an issue with my subdomains.
I have installed an SSL certificate for my main domain as well as www.domain.com, and it’s working fine.
But I have two subdomains belonging to the same IP, and the site where the certificate has been installed is throwing an error.
Kindly help me sort this issue.
OS: AMI 2016
Webserver: Apache 2.3
Domains: bezirk.com and bezirk.io

Subdomains: developer.bezirk.com and developer.bezirk.io


#2

You are not using the Let’s Encrypt certificates for your subdomains.

You don’t say how you obtained the certificates (what command you ran). If you have the certificates (in /etc/letsencrypt/live/subdomain…), then you should check your Apache config and point to those certs. If you don’t have the certificates, then please let us know what command you ran to obtain the certificates, and the output it gave.


#3

I ran the following command and it gave the output below.
./certbot-auto --apache -d developer.bezirk.com -d developer.bezirk.io

And it has the certificate at the following path:
ls /etc/letsencrypt/live/
bezirk.com developer.bezirk.com-0001

Congratulations! You have successfully enabled
https://developer.bezirk.com and https://developer.bezirk.io

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=developer.bezirk.com
https://www.ssllabs.com/ssltest/analyze.html?d=developer.bezirk.io

And my vhost configuration file is


#4

I suspect the problem may be because you have modified the list of domains in your certificate, so now have both a developer.bezirk.com and a developer.bezirk.com-0001 directory.

What is in your Apache config for these subdomains for the SSLCertificate lines?


#5

I have pointed to developer.bezirk.com-0001 only.
Let me confirm whether the DNS records for developer.bezirk.com and developer.bezirk.io, and also business.bezirk.com, are pointed properly or not.
Because I checked DNS with the Pingdom tool: bezirk.com and bezirk.io are resolving nameservers properly, but the subdomains aren’t.

So please confirm the same; I will try to change the DNS to point the subdomains to this IP.

Thanks for the reply.


#6

For me, all 4 go to 54.218.126.252.

It’s just the SSL certs that are not correct, hence why I asked what was in your apache config.


#7

Please see my Apache SSL conf file for developer.bezirk.com:

[root@ip-172-31-19-172 conf.d]# cat developer-bezirk-com-le-ssl.conf

<VirtualHost *:443>
ServerName developer.bezirk.com
ServerAlias developer.bezirk.io
ServerAdmin webmaster@developer.bezirk.com

DocumentRoot /home/bezirkweb/developer

<Directory /home/bezirkweb/developer/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>

## GZIP COMPRESSION ##
SetOutputFilter DEFLATE
AddOutputFilterByType DEFLATE text/html text/css text/plain text/xml application/x-javascript application/x-httpd-php
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI .(?:gif|jpe?g|png)$ no-gzip
Header append Vary User-Agent env=!dont-vary

## EXPIRES CACHING ##
ExpiresActive On
ExpiresByType image/jpg "access 1 month"
ExpiresByType image/jpeg "access 1 month"
ExpiresByType image/gif "access 1 month"
ExpiresByType image/png "access 1 month"
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType application/javascript "access 1 month"
ExpiresByType application/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 month"
ExpiresDefault "access 2 days"
## EXPIRES CACHING ##

ErrorLog /var/log/developer.bezirk.com.error.log
LogLevel warn
CustomLog /var/log/developer.bezirk.com.access.log combined

SSLCertificateFile /etc/letsencrypt/live/bezirk.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/bezirk.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/bezirk.com/chain.pem
</VirtualHost>


#8

In your Apache config you have:

which looks wrong for developer.bezirk.com. They should be:

SSLCertificateFile /etc/letsencrypt/live/developer.bezirk.com-0001/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/developer.bezirk.com-0001/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/developer.bezirk.com-0001/chain.pem


#9

I have tried it; the certificate is working fine, but finally it goes to the AMI test page.
I am able to configure Apache properly, that is not an issue for me.
If HTTPS is enabled, it goes to an error page or the AMI test page.

Can you check it please:
https://developer.bezirk.com/

Cert verification also gives OK:
[root@ip-172-31-19-172 conf.d]# openssl verify /etc/letsencrypt/live/developer.bezirk.com-0001/*pem
/etc/letsencrypt/live/developer.bezirk.com-0001/cert.pem: CN = developer.bezirk.com
error 20 at 0 depth lookup:unable to get local issuer certificate
/etc/letsencrypt/live/developer.bezirk.com-0001/chain.pem: OK
/etc/letsencrypt/live/developer.bezirk.com-0001/fullchain.pem: CN = developer.bezirk.com
error 20 at 0 depth lookup:unable to get local issuer certificate
unable to load certificate
139828029695840:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE


#10

I checked before: I don’t get redirected to an AMI test page because I don’t trust your self-signed certificate.

curl -I https://developer.bezirk.com/
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

If I test your certificate:

 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 1024 bits
 Fingerprint / Serial         SHA1 5FCD7686283969B5A7EC560190B314E53620E931 / 2E0A
                              SHA256 B394465337561F6BE951C239F375AA750421E326868594498C0489350A3D02AC
 Common Name (CN)             "ip-172-31-19-172"
 subjectAltName (SAN)         -- 
 Issuer                       self-signed (NOT ok)
 Trust (hostname)             certificate does not match supplied URI
 Chain of trust               NOT ok (self signed)
 EV cert (experimental)       no 
 Certificate Expiration       350 >= 60 days (2016-11-22 06:13 --> 2017-11-22 06:13 +0000)
 # of certificates provided   1
 Certificate Revocation List  --
 OCSP URI                     --
 OCSP stapling                --

If I accepted that certificate I might get redirected, I don’t know; as I didn’t accept an invalid certificate I don’t trust :wink:


#11

Then what is the solution for this issue?
If the certificate is installed, it is not serving the expected content.
Please explain it to me.

I am so tired of this; I am not able to sort it out.


#12

Your domain at developer.bezirk.com is not using the Let’s Encrypt certificate.

It is NOT using the certificate you have at /etc/letsencrypt/live/developer.bezirk.com-0001/xxx

The domain developer.bezirk.com is using a self-signed certificate for the domain name “ip-172-31-19-172”.

This is most likely due to your Apache config, which is not configured to recognise the domain and provide the correct certificate. I’m assuming you have it showing a default self-signed cert for an internal, private IP address of 172.31.19.172.
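The two diagnoses in posts #8 and #12 (certificate directives pointing at the wrong lineage, and Apache falling back to a default self-signed certificate for the name) can be checked mechanically. The script below is an added example, not code from the thread, from certbot or from Apache: it parses a vhost file and reports SSLCertificate* directives whose certbot lineage directory does not match the ServerName, or a :443 vhost with no certificate directives or no ServerName at all; on the server itself, served_fingerprint() compares the SHA-256 of the leaf certificate presented for an SNI name with the cert.pem on disk. The sample vhost is constructed from post #7, LIVE_DIR is certbot's usual layout, and SAMPLE_PEM is a constructed placeholder blob between PEM markers, not a real certificate.

```python
import hashlib
import re
import socket
import ssl
from base64 import b64encode
from pathlib import PurePosixPath

LIVE_DIR = "/etc/letsencrypt/live"  # certbot's standard lineage directory
CERT_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")

# Constructed sample: the :443 vhost from post #7, trimmed to the relevant directives.
BROKEN_VHOST = """\
<VirtualHost *:443>
    ServerName developer.bezirk.com
    ServerAlias developer.bezirk.io
    SSLCertificateFile /etc/letsencrypt/live/bezirk.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/bezirk.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/bezirk.com/chain.pem
</VirtualHost>
"""
# The same vhost with the paths post #8 recommends.
FIXED_VHOST = BROKEN_VHOST.replace("/live/bezirk.com/", "/live/developer.bezirk.com-0001/")

# Constructed stand-in for cert.pem so local_fingerprint() can run offline: not a real X.509 cert.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_DER_SHA256 = hashlib.sha256(SAMPLE_DER).hexdigest()

def parse_vhosts(config_text):
    """One dict per <VirtualHost> block: listen spec, ServerName, aliases and SSL paths."""
    vhosts = []
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", config_text, re.S | re.I):
        vh = {"listen": m.group(1).strip(), "ServerName": None, "ServerAlias": [], "certs": {}}
        for raw in m.group(2).splitlines():
            parts = raw.strip().split(None, 1)
            if len(parts) != 2 or parts[0].startswith("#"):
                continue  # blank lines, comments and single-token lines such as </Directory>
            key, value = parts[0], parts[1].strip()
            if key == "ServerName":
                vh["ServerName"] = value
            elif key == "ServerAlias":
                vh["ServerAlias"].extend(value.split())
            elif key in CERT_DIRECTIVES:
                vh["certs"][key] = value
        vhosts.append(vh)
    return vhosts

def lineage_name(path):
    """'.../live/developer.bezirk.com-0001/cert.pem' -> 'developer.bezirk.com'; None if not under LIVE_DIR."""
    p = PurePosixPath(path)
    if str(p.parent.parent) != LIVE_DIR:
        return None
    return re.sub(r"-\d{4}$", "", p.parent.name)  # drop certbot's -0001 style suffix

def lint_vhost(vh):
    """Findings for one vhost; only :443 vhosts need certificate directives."""
    if ":443" not in vh["listen"]:
        return []
    name = vh["ServerName"]
    if name is None:
        return [f"<VirtualHost {vh['listen']}>: no ServerName, so SNI cannot select this vhost"]
    if not vh["certs"]:
        return [f"{name}: no SSLCertificate* directives; Apache falls back to the default TLS vhost's cert"]
    findings = []
    lineages = {lineage_name(p) for p in vh["certs"].values()}
    if len(lineages) > 1:
        findings.append(f"{name}: cert, key and chain come from different lineages {sorted(map(str, lineages))}")
    for directive, path in vh["certs"].items():
        lineage = lineage_name(path)
        if lineage is None:
            findings.append(f"{name}: {directive} does not point into {LIVE_DIR}: {path}")
        elif lineage != name:
            findings.append(f"{name}: {directive} uses lineage '{lineage}', expected '{name}'")
    return findings

def lint_config(config_text):
    return [f for vh in parse_vhosts(config_text) for f in lint_vhost(vh)]

def local_fingerprint(pem_text):
    """SHA-256 over the DER form of the first certificate in a PEM file (cert.pem or fullchain.pem)."""
    block = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", pem_text, re.S)
    if block is None:
        raise ValueError("no certificate block in PEM text")
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(block.group(0))).hexdigest()

def served_fingerprint(host, port=443, sni=None, timeout=5):
    """SHA-256 of the leaf certificate the server presents for an SNI name (needs network).
    Verification is disabled on purpose: the point is to see a self-signed placeholder too."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

if __name__ == "__main__":
    for label, cfg in (("as posted", BROKEN_VHOST), ("as recommended", FIXED_VHOST)):
        print(label, lint_config(cfg) or ["OK"])
```

Run with no arguments to lint the two sample vhosts; the posted one yields three findings, one per directive, and the corrected one none. On the box itself, compare served_fingerprint("developer.bezirk.com") with local_fingerprint() over the contents of /etc/letsencrypt/live/developer.bezirk.com-0001/cert.pem: equal hashes mean Apache is really serving that file, a different hash means another vhost (typically the distribution's ssl.conf with its self-signed localhost certificate) is answering for that name, which is exactly the symptom in post #10. The lint cannot tell from a path whether the -0001 lineage also covers developer.bezirk.io; read the SAN list with openssl x509 -in cert.pem -noout -text for that.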


#13

How do I create the certificate for developer.bezirk.com and developer.bezirk.io?
Please give me the command or any steps to create the cert for this; I will follow the same.


#14

You already have the certificates, in /etc/letsencrypt/live/developer.bezirk.com-0001/…

You aren’t using them correctly in your apache config though.


#15

[root@ip-172-31-19-172 conf.d]# ls dev* -l
-rw-r--r-- 1 root root 1771 Dec 6 05:58 developer-bezirk-com.conf
-rw-r--r-- 1 root root 1930 Dec 6 10:45 developer-bezirk-com-le-ssl.conf

This is the vhost file for developer.bezirk.com. Is there any problem in this?

Attachment: developerssl.conf.txt (1.9 KB)


#16

That looks OK, but I can’t really tell due to the formatting on the forum here. Can you either enclose the config in three backtick quotes ``` or paste it in pastebin.com? (It would be useful if you could post your main default config and your default SSL config as well as the specific vhost file.)


#17

Hi, I have attached my conf file; please find it.


#18

I cannot see your conf file.


#19

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.