Trying to add second site to Cert, creating a conflict

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: 1. matthewalbertcole.com
2. pdxwater.org

I ran this command: sudo certbot --apache -d pdxwater.org -d www.pdxwater.org

It produced this output: The selected vhost would conflict with other HTTPS VirtualHosts within Apache. Please select another vhost or add ServerNames to your configuration.
VirtualHost not able to be selected.

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: DigitalOcean.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.15.0

Interesting error :thinking: I haven't seen that one before, I think.

Let's have a closer look at your Apache configuration. Could you share the output of the following command please?

sudo apachectl -S
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server www.matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com-le-ssl.conf:2)
         port 443 namevhost www.matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com-le-ssl.conf:2)
         port 443 namevhost matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com-le-ssl.conf:12)
*:80                   matthewalbertcole.com/ (/etc/apache2/sites-enabled/matthewalbertcole.com.conf:1)
*:81                   pdxwater.org/ (/etc/apache2/sites-enabled/pdxwater.org.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

Hm, interesting. I'm seeing two remarkable things in your configuration:

  1. You're using port 81 for the pdxwater.org hostname, which is probably why certbot can't figure out the VHosts properly. Why are you running it on port 81 and not on port 80?
  2. Your port 80 and 81 virtualhosts (matthewalbertcole.com and pdxwater.org respectively) have a slash (/) after the hostname. That's odd, as a slash is not part of a hostname. Why are those slashes there?

I tried port 81 as a fix to the error, but it didn't solve it. I thought maybe the port being already used by the first site was causing the conflict. I'll remove the slashes too. I saw that on a previous config for another server of mine, so I inserted those for continuity.

It might also be necessary to add the www hostname as a ServerAlias directive in pdxwater.org.conf.

Although it seems that wasn't necessary for matthewalbertcole.com. That said, I think it's "best" to have subdomains which behave the same as the "apex domain" be aliases. That would look like this in an apachectl -S output:

         port 80 namevhost example.com (/etc/apache2/vhosts.d/vhosts/example.com.conf:1)
                 alias www.example.com

And in the configuration file it would look like:

        ServerName example.com
        ServerAlias www.example.com

Ideally, your apachectl -S output would read:

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com-le-ssl.conf:2)
         port 443 namevhost matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com-le-ssl.conf:2)
                  alias www.matthewalbertcole.com
*:80                   is a NameVirtualHost
         default server matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com.conf:1)
         port 80 namevhost matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com.conf:1)
                  alias www.matthewalbertcole.com
         port 80 namevhost pdxwater.org (/etc/apache2/sites-enabled/pdxwater.org.conf:1)
                  alias www.pdxwater.org

(Personally, I have the preference of using the apex domain as the main virtualhost name and having the www subdomain as an alias.)
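As an added example (not code from the thread or from certbot), a small Python checker that parses the vhost section of `apachectl -S` output and flags the three things discussed above: a port other than 80/443, a slash in a hostname, and a www hostname running as its own virtualhost instead of as a ServerAlias. The sample output is constructed from the thread's own listings.

```python
import re

# Constructed sample, taken from the thread's pre-fix `apachectl -S` output.
SAMPLE_BEFORE = """\
*:443                  is a NameVirtualHost
         port 443 namevhost www.matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com-le-ssl.conf:2)
         port 443 namevhost matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com-le-ssl.conf:12)
*:80                   matthewalbertcole.com/ (/etc/apache2/sites-enabled/matthewalbertcole.com.conf:1)
*:81                   pdxwater.org/ (/etc/apache2/sites-enabled/pdxwater.org.conf:1)
"""
# Constructed sample of the recommended layout: apex as ServerName, www as alias.
SAMPLE_AFTER = """\
*:80                   is a NameVirtualHost
         port 80 namevhost pdxwater.org (/etc/apache2/sites-enabled/pdxwater.org.conf:1)
                  alias www.pdxwater.org
"""

# "*:80   name (file:line)" for a single vhost, or "*:80   is a NameVirtualHost"
ADDR_RE = re.compile(r'^\S+:(\d+)\s+(?:is a NameVirtualHost|(\S+)\s+\()')
NAMEVHOST_RE = re.compile(r'^\s+port \d+ namevhost (\S+)\s+\(')
ALIAS_RE = re.compile(r'^\s+alias (\S+)')

def parse_vhosts(text):
    """Return {port: [[servername, [aliases]], ...]} parsed from `apachectl -S` output."""
    vhosts, port = {}, None
    for line in text.splitlines():
        if m := ADDR_RE.match(line):
            port = int(m.group(1))
            vhosts.setdefault(port, [])
            if m.group(2):  # single vhost on this port, named on the same line
                vhosts[port].append([m.group(2), []])
        elif (m := NAMEVHOST_RE.match(line)) and port is not None:
            vhosts[port].append([m.group(1), []])
        elif (m := ALIAS_RE.match(line)) and port is not None and vhosts[port]:
            vhosts[port][-1][1].append(m.group(1))
    return vhosts

def lint_vhosts(vhosts):
    """Flag the three issues raised in the thread; returns a list of messages."""
    findings = []
    for port, entries in sorted(vhosts.items()):
        if port not in (80, 443):
            findings.append(f"port {port}: not the standard HTTP/HTTPS port")
        names = {name for name, _ in entries}
        for name, _ in entries:
            if "/" in name:
                findings.append(f"port {port}: '{name}' contains '/', not a valid hostname")
            if name.startswith("www.") and name[4:] in names:
                findings.append(f"port {port}: '{name}' is a separate vhost; use ServerAlias under '{name[4:]}'")
    return findings
```

Run it against the real output with `lint_vhosts(parse_vhosts(subprocess.run(["apachectl", "-S"], capture_output=True, text=True).stdout))`; an empty list means none of the three problems is present.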

Not sure why, but removing the forward slashes seems to have solved the problem.

Also, I removed that top error by setting the ServerName to 127.0.0.1 in the apache2.conf.

I have the alias in a separate section with permanent redirect in *:443 on recommendation from letsencrypt on another project.

Here is the new output:

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server www.matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com-le-ssl.conf:2)
         port 443 namevhost www.matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com-le-ssl.conf:2)
         port 443 namevhost matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com-le-ssl.conf:12)
         port 443 namevhost www.pdxwater.org (/etc/apache2/sites-enabled/pdxwater.org-le-ssl.conf:2)
         port 443 namevhost pdxwater.org (/etc/apache2/sites-enabled/pdxwater.org-le-ssl.conf:12)
*:80                   is a NameVirtualHost
         default server matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com.conf:1)
         port 80 namevhost matthewalbertcole.com (/etc/apache2/sites-enabled/matthewalbertcole.com.conf:1)
                 alias www.matthewalbertcole.com
         port 80 namevhost pdxwater.org (/etc/apache2/sites-enabled/pdxwater.org.conf:1)
                 alias www.pdxwater.org
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

I'm curious if this is wrong, too:
in *80 I have:

#ProxyPass / https://localhost:8080/
#ProxyPassReverse / localhost:8080/

and in *443

ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/

That looks lovely! Although you still have two <VirtualHost *:443> sections for matthewalbertcole.com and www.matthewalbertcole.com instead of a single section with ServerName and ServerAlias. The same goes for pdxwater.org and www.pdxwater.org, although those virtualhosts should have been generated by certbot automatically. Not sure why certbot would have decided to turn a single port 80 virtualhost with ServerName and ServerAlias into two separate VirtualHost sections. :thinking:

But this shouldn't impair the functionality of both.

After you got HTTPS working on port 443, the only function of the *:80 virtualhosts is to redirect from HTTP (port 80) to HTTPS (port 443), so indeed there's no need for those ProxyPass directives. By commenting them out, they have been disabled, as they should be for HTTP (port 80).

I'm guessing those ProxyPass directives are functional and they are active on the HTTPS virtualhost (no commenting character in front of them), so that seems to be good :slight_smile: Assuming you actually want to have that ProxyPass :stuck_out_tongue:

I do see an HTTP 503 Service Unavailable when I connect to your site, so I'm not sure if there's anything active on port 8080 on your server? Do you know why you have those ProxyPass directives set up in the first place? Maybe your pdxwater.org site doesn't run on Apache itself, but on some other server software? Node.js? Ruby? Tomcat? Anything running on port 8080?

Thank you for the insight regarding the ProxyPass.
Regarding the site being unavailable: at the time you checked, the web app wasn't running yet. It should be working now. Thank you for your help. You guys are amazing.

It is, all good now.
