Subject Alternative Name (SAN) mechanism

I have one AWS ec2 server. 2 Route53 domain names. One domain name has successfully installed a Let’s Encrypt certificate. The other domain connects using http by way of a CNAME record to the original domain name. But id I try to access https:// I get an error. I would like the 2nd domain name to share that same certificate if possible. Do Subject Alternative Name (SAN) mechanisms work in this scenario? If so how do I configure it to work?

Thank you for any assistance you can provide.

yes, SAN would work for this. what kind of client you use?

Hi @Chas

what’s your domain name? To find errors in your configuration, some informations are required:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

I tried running certbot and crashed my system :frowning: I am trying to spin up a new instance.
urls:
My domain is: englishaccelerant.com (this one was working fine)
Secondary testing domain: is acceleratedenglish.com
Ubuntu 16.04…6
AWS- ec2 Linux Bitnami Moodle instance
Amazon Route 53 DNS

I tried running

sudo /opt/bitnami/letsencrypt/scripts/generate-certificate.sh -m englishaccelerant@gmail.com -d acceleratedenglish.com -d www.acceleratedenglish.com

to use the same cert but learned I needed to use SAN.

then tried certbot

sudo apt-get update sudo apt-get install software-properties-common
sudo add-apt-repository universe sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update sudo apt-get install certbot python-certbot-apache

then…

certbot --expand -d englishaccelerant.com, acceleratedenglish.com

and this killed my internet connection. Apache2 won’t start.

Puh. Never mix such integrated bitnami solutions with Certbot. Certbot changes the configuration files, that must crash.

There are two types of users with Letsencrypt + Bitnami:

  • some use Certbot with certonly, then additional steps are required so Bitnami can use the certificate
  • some use the bitnami-integrated solution

Your first domain is ok ( https://check-your-website.server-daten.de/?q=englishaccelerant.com ):

DNS:

Host T IP-Address is auth. ∑ Queries ∑ Timeout
englishaccelerant.com A 18.233.5.221 yes 1 0
AAAA yes
www.englishaccelerant.com A 18.233.5.221 yes 1 0
AAAA yes

and connections:

Domainname Http-Status redirect Sec. G
http://englishaccelerant.com/
18.233.5.221 200 0.210 H
http://www.englishaccelerant.com/
18.233.5.221 200 0.217 H
https://englishaccelerant.com/
18.233.5.221 -2 1.310 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 18.233.5.221:443
https://www.englishaccelerant.com/
18.233.5.221 -2 1.310 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 18.233.5.221:443
http://englishaccelerant.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
18.233.5.221 404 0.213 A
Not Found
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.18 (Ubuntu) Server at englishaccelerant.com Port 80
http://www.englishaccelerant.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
18.233.5.221 404 0.213 A
Not Found

http works, port 80 is open, /.well-known/acme-challenge/unknown-file works. https looks like a firewall.

Your second domain has a simple DNS error ( https://check-your-website.server-daten.de/?q=acceleratedenglish.com ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
acceleratedenglish.com A yes 1 0
AAAA yes
www.acceleratedenglish.com C www.englishaccelerant.com yes 1 0
A 18.233.5.221 yes

The non-www entry is missing. But that’s simple, add the same CNAME entry. Currently, the non-www doesn’t has an ip address, so you can’t use http-01 validation with that domain name.

There is the same (~~ good) picture:

Domainname Http-Status redirect Sec. G
http://www.acceleratedenglish.com/
18.233.5.221 200 0.213 H
https://www.acceleratedenglish.com/
18.233.5.221 -2 1.313 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 18.233.5.221:443
http://www.acceleratedenglish.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
18.233.5.221 404 0.210 A
Not Found

http works, https looks like a firewall.

I don’t know enough about Bitnami.

But: Have these two domains the same content? Or do they have different content?

If there are different vHosts, you can create two different certificates (one per domain with non-www and www). That’s already a SAN-certificate.

And your usage of CNAME is untypical. You could add explicit A entries

www.acceleratedenglish.com -> 18.233.5.221

but you can use CNAME.

Thank you for your assistance!

I am not sure how to correct the apache errors. I must have by using certbot reconfigured apache2. I’m getting this error:

[Thu May 02 01:22:47.839710 2019] [core:warn] [pid 2183] AH00111: Config variable {APACHE_LOCK_DIR} is not defined [Thu May 02 01:22:47.839843 2019] [core:warn] [pid 2183] AH00111: Config variable {APACHE_PID_FILE} is not defined
[Thu May 02 01:22:47.839893 2019] [core:warn] [pid 2183] AH00111: Config variable {APACHE_RUN_USER} is not defined [Thu May 02 01:22:47.839954 2019] [core:warn] [pid 2183] AH00111: Config variable {APACHE_RUN_GROUP} is not defined
[Thu May 02 01:22:47.840012 2019] [core:warn] [pid 2183] AH00111: Config variable {APACHE_LOG_DIR} is not defined [Thu May 02 01:22:47.849465 2019] [core:warn] [pid 2183:tid 140048898852736] AH00111: Config variable {APACHE_LOG_DIR} is not defined
[Thu May 02 01:22:47.849687 2019] [core:warn] [pid 2183:tid 140048898852736] AH00111: Config variable {APACHE_LOG_DIR} is not defined [Thu May 02 01:22:47.849758 2019] [core:warn] [pid 2183:tid 140048898852736] AH00111: Config variable {APACHE_LOG_DIR} is not defined
AH00526: Syntax error on line 74 of /etc/apache2/apache2.conf:
Invalid Mutex directory in argument file:${APACHE_LOCK_DIR}

I added the simple A record I missed for acceleratedenglish.com (non-www)

I will continue to work on this but because I would like to fix it for learning purposes but I can always start a new instance and start over :slight_smile:

Bitnami comes with its own copy of Apache.

This command that you ran:

sudo apt-get update sudo apt-get install certbot python-certbot-apache

installs Certbot with its Apache plugin from Ubuntu’s repository. But the package manager doesn’t know about Bitnami’s Apache, so it pulls in Ubuntu’s Apache as a dependency of the plugin. Now you have two Apache’s and they are probably interfering with each other :frowning:

I’d recommend removing certbot and its dependencies by typing:

sudo apt-get remove --auto-remove certbot

and then either try again with Bitnami’s integrated solution, or if you want to use certbot, download certbot-auto instead and use that.

Well I shut that instance down and started over now I have a new error.

acme: Error -> One or more domains had a problem:
[www.langaugeaccelerant.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for www.langaugeaccelerant.com, url:

Error: Something went wrong when running the following command:

$ “LEGO_BIN" --path "/opt/bitnami/letsencrypt" --tls --email="{email}” ${domain_args} run

I am trying to get a SAN cert for 4 domain names:

sudo /opt/bitnami/letsencrypt/scripts/generate-certificate.sh -m englishaccelerant@gmail.com -d languageaccelerant.com -d www.langaugeaccelerant.com -d englishaccelerant.com -d www.englishaccelerant.com -d spanishaccelerant.com -d www.spanishaccelerant.com

thanks again for any help.

post edit:
How ironic that my error was a misspell haha!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.