Subject Alternative Name (SAN) mechanism

I have one AWS ec2 server. 2 Route53 domain names. One domain name has successfully installed a Let’s Encrypt certificate. The other domain connects using http by way of a CNAME record to the original domain name. But if I try to access https:// I get an error. I would like the 2nd domain name to share that same certificate if possible. Do Subject Alternative Name (SAN) mechanisms work in this scenario? If so, how do I configure it to work?

Thank you for any assistance you can provide.


Yes, SAN would work for this. What kind of client do you use?

Hi @Chas

What's your domain name? To find errors in your configuration, some information is required:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I tried running certbot and crashed my system :frowning: I am trying to spin up a new instance.
urls:
My domain is: englishaccelerant.com (this one was working fine)
Secondary testing domain is: acceleratedenglish.com
Ubuntu 16.04.6
AWS- ec2 Linux Bitnami Moodle instance
Amazon Route 53 DNS

I tried running

sudo /opt/bitnami/letsencrypt/scripts/generate-certificate.sh -m englishaccelerant@gmail.com -d acceleratedenglish.com -d www.acceleratedenglish.com

to use the same cert but learned I needed to use SAN.

then tried certbot

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot python-certbot-apache

then...

certbot --expand -d englishaccelerant.com, acceleratedenglish.com

and this killed my internet connection. Apache2 won't start.

Puh. Never mix such integrated bitnami solutions with Certbot. Certbot changes the configuration files, that must crash.

There are two types of users with Letsencrypt + Bitnami:

  • some use Certbot with certonly, then additional steps are required so Bitnami can use the certificate
  • some use the bitnami-integrated solution

Your first domain is ok ( https://check-your-website.server-daten.de/?q=englishaccelerant.com ):

DNS:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| englishaccelerant.com | A | 18.233.5.221 | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.englishaccelerant.com | A | 18.233.5.221 | yes | 1 | 0 |
| | AAAA | | yes | | |

and connections:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://englishaccelerant.com/ (18.233.5.221) | 200 | | 0.210 | H |
| http://www.englishaccelerant.com/ (18.233.5.221) | 200 | | 0.217 | H |
| https://englishaccelerant.com/ (18.233.5.221): ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 18.233.5.221:443 | -2 | | 1.310 | V |
| https://www.englishaccelerant.com/ (18.233.5.221): ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 18.233.5.221:443 | -2 | | 1.310 | V |
| http://englishaccelerant.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (18.233.5.221): Not Found. Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.18 (Ubuntu) Server at englishaccelerant.com Port 80 | 404 | | 0.213 | A |
| http://www.englishaccelerant.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (18.233.5.221): Not Found | 404 | | 0.213 | A |

http works, port 80 is open, /.well-known/acme-challenge/unknown-file works. https looks like a firewall.

Your second domain has a simple DNS error ( https://check-your-website.server-daten.de/?q=acceleratedenglish.com ):

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| acceleratedenglish.com | A | | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.acceleratedenglish.com | C | www.englishaccelerant.com | yes | 1 | 0 |
| | A | 18.233.5.221 | yes | | |

The non-www entry is missing. But that's simple, add the same CNAME entry. Currently, the non-www doesn't have an IP address, so you can't use http-01 validation with that domain name.

There is the same (~~ good) picture:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://www.acceleratedenglish.com/ (18.233.5.221) | 200 | | 0.213 | H |
| https://www.acceleratedenglish.com/ (18.233.5.221): ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 18.233.5.221:443 | -2 | | 1.313 | V |
| http://www.acceleratedenglish.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (18.233.5.221): Not Found | 404 | | 0.210 | A |

http works, https looks like a firewall.

I don't know enough about Bitnami.

But: Do these two domains have the same content? Or do they have different content?

If there are different vHosts, you can create two different certificates (one per domain with non-www and www). That's already a SAN-certificate.

And your usage of CNAME is untypical. You could add explicit A entries

www.acceleratedenglish.com -> 18.233.5.221

but you can use CNAME.

Thank you for your assistance!

I am not sure how to correct the apache errors. I must have by using certbot reconfigured apache2. I'm getting this error:

[Thu May 02 01:22:47.839710 2019] [core:warn] [pid 2183] AH00111: Config variable ${APACHE_LOCK_DIR} is not defined
[Thu May 02 01:22:47.839843 2019] [core:warn] [pid 2183] AH00111: Config variable ${APACHE_PID_FILE} is not defined
[Thu May 02 01:22:47.839893 2019] [core:warn] [pid 2183] AH00111: Config variable ${APACHE_RUN_USER} is not defined
[Thu May 02 01:22:47.839954 2019] [core:warn] [pid 2183] AH00111: Config variable ${APACHE_RUN_GROUP} is not defined
[Thu May 02 01:22:47.840012 2019] [core:warn] [pid 2183] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Thu May 02 01:22:47.849465 2019] [core:warn] [pid 2183:tid 140048898852736] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Thu May 02 01:22:47.849687 2019] [core:warn] [pid 2183:tid 140048898852736] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Thu May 02 01:22:47.849758 2019] [core:warn] [pid 2183:tid 140048898852736] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
AH00526: Syntax error on line 74 of /etc/apache2/apache2.conf:
Invalid Mutex directory in argument file:${APACHE_LOCK_DIR}

I added the simple A record I missed for acceleratedenglish.com (non-www)

I will continue to work on this because I would like to fix it for learning purposes, but I can always start a new instance and start over :slight_smile:

Bitnami comes with its own copy of Apache.

This command that you ran:

sudo apt-get update
sudo apt-get install certbot python-certbot-apache

installs Certbot with its Apache plugin from Ubuntu’s repository. But the package manager doesn’t know about Bitnami’s Apache, so it pulls in Ubuntu’s Apache as a dependency of the plugin. Now you have two Apaches and they are probably interfering with each other :frowning:

I’d recommend removing certbot and its dependencies by typing:

sudo apt-get remove --auto-remove certbot

and then either try again with Bitnami’s integrated solution, or if you want to use certbot, download certbot-auto instead and use that.

Well, I shut that instance down and started over. Now I have a new error.

acme: Error -> One or more domains had a problem:
[www.langaugeaccelerant.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for www.langaugeaccelerant.com, url:

Error: Something went wrong when running the following command:

$ "$LEGO_BIN" --path "/opt/bitnami/letsencrypt" --tls --email="${email}" ${domain_args} run

I am trying to get a SAN cert for 4 domain names:

sudo /opt/bitnami/letsencrypt/scripts/generate-certificate.sh -m englishaccelerant@gmail.com -d languageaccelerant.com -d www.langaugeaccelerant.com -d englishaccelerant.com -d www.englishaccelerant.com -d spanishaccelerant.com -d www.spanishaccelerant.com

thanks again for any help.

post edit:
How ironic that my error was a misspell haha!

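A pre-flight check for the two failures seen in this thread (a name with no address record, and a misspelled name that returns NXDOMAIN), as an added example that is not part of any post or of Bitnami's scripts: before requesting one SAN certificate, confirm that every name resolves to the server and that each www name has its apex in the list. The function names, the zone data and the 192.0.2.10 address are constructed for illustration; the request list is the one from the last command above.

```python
import socket

def default_resolver(name):
    """Return the set of addresses a name resolves to (empty set on failure)."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def preflight(names, expected_ip, resolver=default_resolver):
    """Map each problematic name to a list of findings; empty dict means OK."""
    wanted = [n.strip().lower().rstrip(".") for n in names]
    problems = {}
    for name in wanted:
        findings = []
        # A www name without its apex in the list (or the reverse) is
        # usually a typo in one of the two -d arguments.
        partner = name[4:] if name.startswith("www.") else "www." + name
        if partner not in wanted:
            findings.append("no matching %s in the request" % partner)
        addrs = resolver(name)
        if not addrs:
            findings.append("does not resolve, http-01 validation would fail")
        elif expected_ip not in addrs:
            findings.append("resolves to %s, not %s" % (sorted(addrs), expected_ip))
        if findings:
            problems[name] = findings
    return problems

# Constructed zone for an offline run: correctly spelled names only.
SAMPLE_ZONE = {n: {"192.0.2.10"} for base in
               ("languageaccelerant.com", "englishaccelerant.com",
                "spanishaccelerant.com") for n in (base, "www." + base)}

def sample_resolver(name):
    return set(SAMPLE_ZONE.get(name, ()))

# The -d arguments exactly as typed in the thread's last command.
SAMPLE_REQUEST = ["languageaccelerant.com", "www.langaugeaccelerant.com",
                  "englishaccelerant.com", "www.englishaccelerant.com",
                  "spanishaccelerant.com", "www.spanishaccelerant.com"]

if __name__ == "__main__":
    report = preflight(SAMPLE_REQUEST, "192.0.2.10", sample_resolver)
    for name, findings in report.items():
        print(name, "->", "; ".join(findings))
```

Called without the `resolver` argument, `preflight` uses the system resolver, so it can be run against the real names and the server's public address before invoking the certificate script.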
