The certificate is only valid for www version of the website - Mozilla Firefox

Hi,

So I just renewed my SSL for my website and noticed something wrong. I hardly use Firefox so I had not previously noticed it.

When I type the non-WWW version of my domain or any URL on the website, it correctly redirects to its www version (I have set up a 301 redirect).

However, I noticed today that this does not happen on Firefox and Safari.

Instead, Firefox gives me an SSL error!

I tried checking my SSL online and found this:

WWW Version of the website: Everything fine
Non-WWW version of the site: "None of the common names in the certificate match the name that was entered (northeastexplorers.in). You may receive an error when accessing this site in a web browser. It looks like you just need to add the "www." when accessing the site with SSL. Learn more about name mismatch errors."

Not sure what I am doing wrong.

Any quick help here would be really appreciated.

All the relevant details are given below:

My domain is: northeastexplorers.in

I ran this command:

sudo /opt/bitnami/letsencrypt/lego --email="my@email.me" --domains="www.northeastexplorers.in" --path="/opt/bitnami/letsencrypt/" renew

sudo /opt/bitnami/letsencrypt/lego --email="my@email.me" --domains="northeastexplorers.in" --path="/opt/bitnami/letsencrypt/" renew

It produced this output: Certificates successfully issued

My web server is (include version): Apache

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): lego 2.2.0

1 Like

Hi @hackernewbie, welcome to the community forum :wave:

Can you share your Apache configuration in this thread? You can use apachectl -S to dump it.

This would be issuing two certificates: one covering the subject domain northeastexplorers.in and one covering the domain www.northeastexplorers.in.

Typically for this situation you would instead want one certificate that covers both northeastexplorers.in and www.northeastexplorers.in.

2 Likes

Thank you @cpu

Here’s the output:

$ apachectl -S
VirtualHost configuration:
*:80                   localhost (/opt/bitnami/apache2/conf/bitnami/bitnami.conf:8)
*:443                  localhost (/opt/bitnami/apache2/conf/bitnami/bitnami.conf:43)
ServerRoot: "/opt/bitnami/apache2"
Main DocumentRoot: "/opt/bitnami/apache2/htdocs"
Main ErrorLog: "/opt/bitnami/apache2/logs/error_log"
Mutex proxy-balancer-shm: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/opt/bitnami/apache2/logs/" mechanism=default 
PidFile: "/opt/bitnami/apache2/logs/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: USE_PHP_FPM
User: name="daemon" id=1 not_used
Group: name="daemon" id=1 not_used

Ok got it!

I was under the impression that I should indeed be having two different certificates here.

What would be the right way to do it then?

Thanks!

Apologies, I thought the -S would show more information. Can you also share the contents of the /opt/bitnami/apache2/conf/bitnami/bitnami.conf file?

I would try providing multiple --domains arguments in one lego invocation like:

sudo /opt/bitnami/letsencrypt/lego --email="my@email.me" --domains="northeastexplorers.in" --domains="www.northeastexplorers.in" --path="/opt/bitnami/letsencrypt/" run
1 Like

Here’s the content of the bitnami.conf file:

# Default Virtual Host configuration.

<IfVersion < 2.3 >
  NameVirtualHost *:80
  NameVirtualHost *:443
</IfVersion>

<VirtualHost _default_:80>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  <Directory "/opt/bitnami/apache2/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride All
    <IfVersion < 2.3 >
      Order allow,deny                          
      Allow from all
    </IfVersion>
    <IfVersion >= 2.3 >
      Require all granted
    </IfVersion>
  </Directory>

  # Error Documents
  ErrorDocument 503 /503.html

  # Bitnami applications installed with a prefix URL (default)
  Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>

# Default SSL Virtual Host configuration.

<IfModule !ssl_module>
  LoadModule ssl_module modules/mod_ssl.so
</IfModule>

Listen 443
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !EDH !RC4"
SSLPassPhraseDialog  builtin
SSLSessionCache "shmcb:/opt/bitnami/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

<VirtualHost _default_:443>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  SSLEngine on
  SSLCertificateFile "/opt/bitnami/apache2/conf/www.northeastexplorers.in.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache2/conf/www.northeastexplorers.in.key"
            
  <Directory "/opt/bitnami/apache2/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride All
    <IfVersion < 2.3 >
      Order allow,deny                          
      Allow from all
    </IfVersion>
    <IfVersion >= 2.3 >
      Require all granted
    </IfVersion>
  </Directory>

  # Error Documents
  ErrorDocument 503 /503.html
        
  # Bitnami applications installed with a prefix URL (default)
  Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>

# Bitnami applications that uses virtual host configuration
Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-vhosts.conf"

I tried this:

sudo /opt/bitnami/letsencrypt/lego --email="me@myemail.me.me" --domains="northeastexplorers.in" --domains="www.northeastexplorers.in" --path="/opt/bitnami/letsencrypt/" run

The response is as follows, but it seems it did not solve the problem.

Still no SSL on Firefox.

sudo /opt/bitnami/letsencrypt/lego --email="me@myemail.me" --domains="northeastexplorers.in" --domains="www.northeastexplorers.in" --path="/opt/bitnami/letsencrypt/" run
2019/07/31 14:36:56 [INFO] [northeastexplorers.in, www.northeastexplorers.in] acme: Obtaining bundled SAN certificate
2019/07/31 14:36:57 [INFO] [northeastexplorers.in] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/Qeip3tVvzFcbuDu_b_SibSQ0peiJYvj3pQXQuGMgvC0
2019/07/31 14:36:57 [INFO] [www.northeastexplorers.in] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/kWOTgMk6LkxBBs3uobGnayr68PCXbYf6ayuTHLDMfdg
2019/07/31 14:36:57 [INFO] [northeastexplorers.in] acme: Authorization already valid; skipping challenge
2019/07/31 14:36:57 [INFO] [www.northeastexplorers.in] acme: Authorization already valid; skipping challenge
2019/07/31 14:36:57 [INFO] [northeastexplorers.in, www.northeastexplorers.in] acme: Validations succeeded; requesting certificates
2019/07/31 14:36:59 [INFO] [northeastexplorers.in] Server responded with a certificate.

That looks OK to me. It seems like lego was able to get the new certificate that covers both names.

Now you just have to update your Apache configuration to use that certificate.

I suspect these two lines need to be changed to point to the new combined certificate and the associated private key.

Can you share if there are other files in /opt/bitnami/apache2/conf/? Perhaps a .crt and .key file that have a newer modified date? If not can you also check /opt/bitnami/letsencrypt/? I’m not sure where Lego will have placed the new certificate.

As a note: I’m super unfamiliar with Bitnami :laughing: There might be a better way to approach updating the Apache configuration file in a Bitnami-specific way that I’m not aware of.

2 Likes

Here’s the content of the conf file.

drwxr-xr-x  5 bitnami root   4096 Feb 12 13:41 .
drwxr-xr-x 14 root    root   4096 Dec 21  2018 ..
drwxr-xr-x  2 bitnami root   4096 Feb 12 13:41 bitnami
-rw-r--r--  1 bitnami root    289 Dec 21  2018 deflate.conf
drwxr-xr-x  2 bitnami root   4096 Dec 21  2018 extra
-rw-r--r--  1 bitnami root  20149 Dec 21  2018 httpd.conf
-rw-r--r--  1 bitnami root  13077 Dec  8  2018 magic
-rw-r--r--  1 bitnami root  60847 Dec  8  2018 mime.types
-rw-r--r--  1 bitnami root   7413 Aug  2  2012 modsecurity.conf
lrwxrwxrwx  1 root    root     63 Feb 12 11:27 northeastexplorers.in.crt -> /opt/bitnami/letsencrypt/certificates/northeastexplorers.in.crt
lrwxrwxrwx  1 root    root     63 Feb 12 11:27 northeastexplorers.in.key -> /opt/bitnami/letsencrypt/certificates/northeastexplorers.in.key
drwxr-xr-x  3 bitnami root   4096 Dec 21  2018 original
-rw-r--r--  1 bitnami root  17447 Dec 21  2018 pagespeed.conf
-rw-r--r--  1 bitnami root 141034 Dec 21  2018 pagespeed_libraries.conf
-rw-r--r--  1 bitnami root    199 Dec 21  2018 php-fpm-apache.conf
-rw-r--r--  1 bitnami root   1834 Feb 12 07:21 privkey.pem
-rw-r--r--  1 root    root   1164 Feb 12 07:21 server.crt
-rw-r--r--  1 root    root    985 Feb 12 07:21 server.csr
-rw-r--r--  1 root    root   1679 Feb 12 07:21 server.key
-rw-r--r--  1 bitnami root    203 Dec 21  2018 ssi.conf
lrwxrwxrwx  1 root    root     67 Feb 12 13:41 www.northeastexplorers.in.crt -> /opt/bitnami/letsencrypt/certificates/www.northeastexplorers.in.crt
lrwxrwxrwx  1 root    root     67 Feb 12 13:41 www.northeastexplorers.in.key -> /opt/bitnami/letsencrypt/certificates/www.northeastexplorers.in.key

And below is the content of the letsencrypt folder:

/opt/bitnami/letsencrypt$ ls -all
total 22644
drwxr-xr-x  5 root root     4096 Feb 12 11:27 .
drwxr-xr-x 17 root root     4096 Feb 17 11:12 ..
drwx------  3 root root     4096 Feb 12 07:30 accounts
drwxr-xr-x  2 root root     4096 Feb 12 13:41 certificates
-rwxr-xr-x  1 root root 23166656 Nov  5  2018 lego
drwxr-xr-x  2 root root     4096 Dec 21  2018 scripts
bitnami@ip-:/opt/bitnami/letsencrypt$ cd certificates
bitnami@ip-:/opt/bitnami/letsencrypt/certificates$ ls -all
total 40
drwxr-xr-x 2 root root 4096 Feb 12 13:41 .
drwxr-xr-x 5 root root 4096 Feb 12 11:27 ..
-rw-r--r-- 1 root root 3612 Jul 31 14:36 northeastexplorers.in.crt
-rw------- 1 root root 1648 Jul 31 14:36 northeastexplorers.in.issuer.crt
-rw------- 1 root root  242 Jul 31 14:36 northeastexplorers.in.json
-rw-r--r-- 1 root root 1675 Jul 31 14:36 northeastexplorers.in.key
-rw-r--r-- 1 root root 3587 Jul 31 11:40 www.northeastexplorers.in.crt
-rw------- 1 root root 1648 Jul 31 11:40 www.northeastexplorers.in.issuer.crt
-rw------- 1 root root  246 Jul 31 11:40 www.northeastexplorers.in.json
-rw-r--r-- 1 root root 1679 Jul 31 11:40 www.northeastexplorers.in.key

I too am not sure about the best and safest way to update the conf files.

But for now, do you think the above helps ?

Thanks.

1 Like

Thanks for sharing that information. I think we have all the pieces we need to try a solution now.

I believe you’ll need to edit /opt/bitnami/apache2/conf/bitnami/bitnami.conf and change this part:

SSLCertificateFile "/opt/bitnami/apache2/conf/www.northeastexplorers.in.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/www.northeastexplorers.in.key"

to this:

SSLCertificateFile "/opt/bitnami/apache2/conf/northeastexplorers.in.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/northeastexplorers.in.key"

Afterwards you’ll need to reload/restart Apache. Probably you can do this with systemctl restart httpd or systemctl restart apache2 but I’m not positive.

I think that /opt/bitnami/apache2/conf/northeastexplorers.in.crt is a symlink to the new certificate that has both names. (My reasoning is that it has the newest modified date). If you want you can verify that by running:

openssl x509 -in /opt/bitnami/letsencrypt/certificates/northeastexplorers.in.crt -noout -text  | grep -A1 "X509v3 Subject Alternative Name"

It should show something like:

X509v3 Subject Alternative Name: 
                DNS:northeastexplorers.in, DNS:www.northeastexplorers.in
2 Likes

Fantastic @cpu!

This worked like a charm.

Just one extra bit from my end:

We use the following command to restart apache on Bitnami.

sudo /opt/bitnami/ctlscript.sh restart

Cheers!

2 Likes

Great! I’m glad to hear it. You might want to make sure that you have a cron job or systemd timer that will renew the certificate automatically. I don’t know if Bitnami manages that for you or not but something will need to run this command every week or so (lego will only actually renew the certificate when it is near expiry):

/opt/bitnami/letsencrypt/lego --email="me@myemail.me.me" --domains="northeastexplorers.in" --domains="www.northeastexplorers.in" --path="/opt/bitnami/letsencrypt/" renew
2 Likes

No, Bitnami doesn’t.

My Crontab does. I will have to update it.

Thank you for the reminder :slight_smile:

2 Likes

By the way, this is because Chrome deliberately ignores this error by treating the www. and the base domain name as interchangeable for certificate validity purposes. Other browsers usually follow the traditional, stricter behavior, requiring that the exact form of the domain name must appear as a subject of the certificate.

2 Likes
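The two points above (cpu's `openssl x509 ... "Subject Alternative Name"` check, and schoen's note that strict browsers require the exact name to appear in the certificate) can be turned into a small check script. The following is an added example and is not code from this thread, from lego, or from Bitnami; it assumes only the `openssl` command line (1.1.1 or newer, for `-addext`), uses the thread's two hostnames, and generates throwaway self-signed certificates purely to exercise the check. It applies the usual browser name-matching rules: an exact, case-insensitive SAN match, or a wildcard that covers exactly one label, so `*.northeastexplorers.in` covers `www.northeastexplorers.in` but not the apex `northeastexplorers.in`, which is the same mismatch the www-only certificate produced in Firefox.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a certificate covers a
# hostname the way a browser does, using only the openssl CLI.

# Print the DNS entries of the certificate's Subject Alternative Name
# extension, one per line (same grep as in the thread, then split on commas).
san_dns_names() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# cert_covers_name CERT HOST -> exit 0 if HOST is covered, 1 otherwise.
# Exact (case-insensitive) match, or a wildcard "*.parent" matching exactly
# one leading label. "*.example.in" therefore does NOT cover the apex
# "example.in", and neither does a certificate that lists only "www.example.in".
cert_covers_name() {
  cert=$1
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  parent=${host#*.}                 # host minus its first label
  found=1
  set -f                            # no globbing: SAN values may contain "*"
  for san in $(san_dns_names "$cert" | tr 'A-Z' 'a-z'); do
    if [ "$san" = "$host" ]; then found=0; break; fi
    case "$san" in
      '*.'*)
        # host must have a parent, and that parent must equal the wildcard's
        # suffix, so the apex and deeper names like a.b.parent both fail
        if [ "$parent" != "$host" ] && [ "${san#\*.}" = "$parent" ]; then
          found=0; break
        fi ;;
    esac
  done
  set +f
  return $found
}

# make_test_cert OUT.pem "DNS:a,DNS:b" -> throwaway self-signed certificate
# (constructed test data; the key is written next to it and never used).
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days 1 -subj "/CN=test" -addext "subjectAltName=$2" >/dev/null 2>&1
}

# Run with "--demo" to see the four cases for the thread's two hostnames.
demo() {
  tmp=$(mktemp -d)
  make_test_cert "$tmp/both.pem" "DNS:northeastexplorers.in,DNS:www.northeastexplorers.in"
  make_test_cert "$tmp/wild.pem" "DNS:*.northeastexplorers.in"
  for pair in "both.pem northeastexplorers.in" "both.pem www.northeastexplorers.in" \
              "wild.pem www.northeastexplorers.in" "wild.pem northeastexplorers.in"; do
    set -- $pair
    if cert_covers_name "$tmp/$1" "$2"; then echo "$1 covers $2"
    else echo "$1 does NOT cover $2"; fi
  done
  rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

To check the live certificate instead of a generated one, point `cert_covers_name` at the file Apache actually loads (in this thread, the target of the `/opt/bitnami/apache2/conf/northeastexplorers.in.crt` symlink) and test both the bare and the www name; the TLS handshake happens before any HTTP 301 is sent, so a redirect cannot paper over a name that the certificate does not list.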

Thanks for the information @schoen !

Now I know why it was looking good on Chrome.

2 Likes

Thanks for sharing that bit of info @schoen. It was news to me too. I hadn’t given much thought to why the problem was occurring with the one browser and not the other.

1 Like
