Two domains mapped to the same IP

Hello,

I have two domains mapped to the same host. I use ClouDNS to map both "marref.org" and "infinity-computer-systems.com" to the same IP address of my host in a virtual machine in Google Cloud Platform.

I started by certifying "infinity-computer-systems.com" using Let's Encrypt, and everything works like a charm. Then, if I connect to "marref.org" in a browser on my PC, my Bitdefender complains about mismatching certificates and that "marref.org" is potentially dangerous. I obviously do not want that.

I read here in other posts that it is possible to certify two domains sharing the same IP by either creating a virtual host for each one and generating two certificates, or grouping them in one virtual host and generating one certificate --- with the former being easier.

Not having enough knowledge in server configuration, I obviously opted for the first "easy choice"; but then I could not get things to work.

The following details what I did.

  1. I tried to brute force my way through the problem by calling sudo certbot --apache hoping that it magically does something but unsurprisingly it does nothing new. The command lists the already-certified domain "infinity-computer-systems.com".

  2. I added a second virtual host:

<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  DocumentRoot **hidden**
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  <LocationMatch "^/(?!\.well-known)">
        #send all other requests to HTTPS
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1
  </LocationMatch>
  RewriteCond %{SERVER_NAME} =infinity-computer-systems.com
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  DocumentRoot **hidden**
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  <LocationMatch "^/(?!\.well-known)">
        #send all other requests to HTTPS
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1
  </LocationMatch>
  RewriteCond %{SERVER_NAME} =marref.org
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Then I called sudo certbot --apache -d marref.org and got this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for marref.org
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: marref.org
  Type:   dns
  Detail: During secondary validation: No valid IP addresses found for marref.org
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

and here I am in the specified forum.

The following is letsencrypt.log.

2021-08-26 10:38:31,822:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2021-08-26 10:38:32,166:DEBUG:certbot._internal.main:certbot version: 1.18.0
2021-08-26 10:38:32,167:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/1343/bin/certbot
2021-08-26 10:38:32,167:DEBUG:certbot._internal.main:Arguments: ['--apache', '-d', 'marref.org', '--preconfigured-renewal']
2021-08-26 10:38:32,167:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-08-26 10:38:32,181:DEBUG:certbot._internal.log:Root logging level set at 30
2021-08-26 10:38:32,182:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache
2021-08-26 10:38:32,278:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.41
2021-08-26 10:38:32,519:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7fd857f667c0>
Prep: True
2021-08-26 10:38:32,520:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7fd857f667c0> and installer <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7fd857f667c0>
2021-08-26 10:38:32,520:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2021-08-26 10:38:32,527:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/173166800', new_authzr_uri=None, terms_of_service=None), b6661e9952b702c78b511bad2f2cf7c6, Meta(creation_dt=datetime.datetime(2021, 8, 23, 21, 6, 28, tzinfo=<UTC>), creation_host='infcs-server.us-west4-b.c.infcs-323816.internal', register_to_eff=None))>
2021-08-26 10:38:32,528:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-08-26 10:38:32,530:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-08-26 10:38:32,692:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-08-26 10:38:32,692:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 26 Aug 2021 10:38:32 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "fWDB_CFdE24": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-08-26 10:38:32,699:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for marref.org
2021-08-26 10:38:32,864:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
2021-08-26 10:38:32,867:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem
2021-08-26 10:38:32,868:DEBUG:acme.client:Requesting fresh nonce
2021-08-26 10:38:32,868:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-08-26 10:38:32,917:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-08-26 10:38:32,917:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 26 Aug 2021 10:38:32 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001m-kSS7v9mtg-82WqwRX8FLpHL9_nbj2pKoSCrYNHZBs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2021-08-26 10:38:32,918:DEBUG:acme.client:Storing nonce: 0001m-kSS7v9mtg-82WqwRX8FLpHL9_nbj2pKoSCrYNHZBs
2021-08-26 10:38:32,918:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "marref.org"\n    }\n  ]\n}'
2021-08-26 10:38:32,921:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTczMTY2ODAwIiwgIm5vbmNlIjogIjAwMDFtLWtTUzd2OW10Zy04Mldxd1JYOEZMcEhMOV9uYmoycEtvU0NyWU5IWkJzIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "w_7_gMz4omFG61sCG4J0s8RvKJ9WditVwe-HyLDgsKlzQX2fP3EBrb9fuBsk4_fXp2WgRKwvI1q9GEztwz7i9J-cOao-_XLTx6hASxz0h64JD9IN6Gn9-3vmcZ9zt_48faYz-dgn4RWPZpq0MOKX6EQQUCaKar4EIuOW9OIg7pFsEDaT7JdNHP-QZyyzIx03AW0mCSSFoNfIEbKXxhBVtLHfQMQaNguc5hUiuFU2ZnGLENsS_Bo_1x9qQ3CCXm8aaW5AnHrKzt2SvWDNSwEXSL1MeBgtkKLLuYMJYuJ1rjo8V0s85-rD0an5U5-I5dz7xquOTXymXOptCQPc7vfZyg",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIm1hcnJlZi5vcmciCiAgICB9CiAgXQp9"
}
2021-08-26 10:38:33,372:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 333
2021-08-26 10:38:33,373:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Thu, 26 Aug 2021 10:38:33 GMT
Content-Type: application/json
Content-Length: 333
Connection: keep-alive
Boulder-Requester: 173166800
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/173166800/19743073920
Replay-Nonce: 0001F3PSyB5YFkxQIksZq0ENXycJU14yeA-Y5jRF9Du-TDw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2021-09-02T10:38:33Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "marref.org"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/25260366840"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/173166800/19743073920"
}
2021-08-26 10:38:33,373:DEBUG:acme.client:Storing nonce: 0001F3PSyB5YFkxQIksZq0ENXycJU14yeA-Y5jRF9Du-TDw
2021-08-26 10:38:33,373:DEBUG:acme.client:JWS payload:
b''
2021-08-26 10:38:33,375:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/25260366840:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTczMTY2ODAwIiwgIm5vbmNlIjogIjAwMDFGM1BTeUI1WUZreFFJa3NacTBFTlh5Y0pVMTR5ZUEtWTVqUkY5RHUtVER3IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yNTI2MDM2Njg0MCJ9",
  "signature": "qJIbiSp0nZes6UeV7gBBr-Ig6Ully5eujya7_x4ueO-KsZTtQ9LDv35Hh3sGF-VmVg5EABQ3Mlf8M08IsgeVIg7DpNZhMdVqwt_DfU-GniMbLUdgVzF_4deblAft9i6BkH5Gsd4tWElAx8ZnJcd7PBGR1iOXIFlPlKTbM6YW2HIGi3P9-S-AdugNVa94C2CIxxZAxqh4djWpD0rD1P40n6VV8Sx2nAJ2U5UP79igXkJtUeaTnPbNyElE9Uh3f40ISVrqJqW6mAqqbeWc3JGU-POgroT9av4gt0ROUO6iPHSIjfWa1w6BRZDVZ9pd9RMaf8ZJma4cnleMnDvA8WD8Ow",
  "payload": ""
}
2021-08-26 10:38:33,498:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/25260366840 HTTP/1.1" 200 791
2021-08-26 10:38:33,499:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 26 Aug 2021 10:38:33 GMT
Content-Type: application/json
Content-Length: 791
Connection: keep-alive
Boulder-Requester: 173166800
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001ncOjix3RUbPMQSFCLtmpNTUjymkFTN6RLU8M2TlY77U
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "marref.org"
  },
  "status": "pending",
  "expires": "2021-09-02T10:38:33Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/25260366840/vYnM7Q",
      "token": "_vAt3WJO3Gd3b1SKEhJCzYRez0xe5EajHhAY_COoqRw"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/25260366840/4IzPbw",
      "token": "_vAt3WJO3Gd3b1SKEhJCzYRez0xe5EajHhAY_COoqRw"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/25260366840/-rJZfw",
      "token": "_vAt3WJO3Gd3b1SKEhJCzYRez0xe5EajHhAY_COoqRw"
    }
  ]
}
2021-08-26 10:38:33,499:DEBUG:acme.client:Storing nonce: 0001ncOjix3RUbPMQSFCLtmpNTUjymkFTN6RLU8M2TlY77U
2021-08-26 10:38:33,500:INFO:certbot._internal.auth_handler:Performing the following challenges:
2021-08-26 10:38:33,500:INFO:certbot._internal.auth_handler:http-01 challenge for marref.org
2021-08-26 10:38:33,507:DEBUG:certbot_apache._internal.http_01:Adding a temporary challenge validation Include for name: None in: /etc/apache2/sites-enabled/000-default.conf
2021-08-26 10:38:33,507:DEBUG:certbot_apache._internal.http_01:Adding a temporary challenge validation Include for name: None in: /etc/apache2/sites-enabled/000-default.conf
2021-08-26 10:38:33,507:DEBUG:certbot_apache._internal.http_01:writing a pre config file with text:
         RewriteEngine on
        RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]
    
2021-08-26 10:38:33,507:DEBUG:certbot_apache._internal.http_01:writing a post config file with text:
         <Directory /var/lib/letsencrypt/http_challenges>
            Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
            Require all granted
        </Location>
    
2021-08-26 10:38:33,524:DEBUG:certbot.reverter:Creating backup of /etc/apache2/sites-enabled/000-default.conf
2021-08-26 10:38:36,702:DEBUG:acme.client:JWS payload:
b'{}'
2021-08-26 10:38:36,704:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/25260366840/vYnM7Q:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTczMTY2ODAwIiwgIm5vbmNlIjogIjAwMDFuY09qaXgzUlViUE1RU0ZDTHRtcE5UVWp5bWtGVE42UkxVOE0yVGxZNzdVIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8yNTI2MDM2Njg0MC92WW5NN1EifQ",
  "signature": "XiADCjP9OSdozaywnxO0kLVGBeWxQL1MDvQWX147A0zgqyanXxFtudAWAigvGfKI-745qvv4A4sG_cCKZzXO2ygFg64IazTheKkj889uX6c6ilBr9iQQlj8yR9VSFxltbejHKaG_-v1KDfseAw73QqN41H2ZOEwJ2m8txGqlQ6IOcEiKTq0-jtzXPmwtXxtVUJ1xeM8BXMsdCQkRM1sHA_pzABCpOou6qReYaA6Ak4I2YqKzpXD6S8ycwYIw5-r6ZT3nIuc3M6-2g6bL38i3sIGxBB23Qb26akPA5MpDWcqu3R0bPvWpPsfixXRz56fpDZ-F4SegInEq9r405eDYSQ",
  "payload": "e30"
}
2021-08-26 10:38:36,796:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/25260366840/vYnM7Q HTTP/1.1" 200 186
2021-08-26 10:38:36,796:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 26 Aug 2021 10:38:36 GMT
Content-Type: application/json
Content-Length: 186
Connection: keep-alive
Boulder-Requester: 173166800
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/25260366840>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/25260366840/vYnM7Q
Replay-Nonce: 0002xExNX48xh0VSPEx4jKZJsfluITm4Jf1SlhOfmh0G_lw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/25260366840/vYnM7Q",
  "token": "_vAt3WJO3Gd3b1SKEhJCzYRez0xe5EajHhAY_COoqRw"
}
2021-08-26 10:38:36,797:DEBUG:acme.client:Storing nonce: 0002xExNX48xh0VSPEx4jKZJsfluITm4Jf1SlhOfmh0G_lw
2021-08-26 10:38:36,797:INFO:certbot._internal.auth_handler:Waiting for verification...
2021-08-26 10:38:37,798:DEBUG:acme.client:JWS payload:
b''
2021-08-26 10:38:37,799:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/25260366840:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTczMTY2ODAwIiwgIm5vbmNlIjogIjAwMDJ4RXhOWDQ4eGgwVlNQRXg0aktaSnNmbHVJVG00SmYxU2xoT2ZtaDBHX2x3IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yNTI2MDM2Njg0MCJ9",
  "signature": "ysyUk8R3YqDwJZ_bINoIod1HTRNeybTOFA8P_3SdWFfC6qQT94UaWbDH0XG67g1cnHpi6V574fUDUWI_thVCtSxongY9sjyjmqrWyrRl85-W-UbLMwk4qllBvqARdMNqKL46z6NnIvEePLrdP1ZLdFQtnXuTFtQVUKiufwffkh0QwEhLySoKO6eyCFXci2JSs-ijngQ600CmBbemjs5Nt9XYsW-DYnM8I1qBsx_6NYcc7HrMOQJffMoNWgQmbhUMqRkVN_DKfHv_OjC8R6RgVZhZV3aaRcljiVfb82ZISc2AtnkaTiihkAZPZb2QLvl5CxO-zes_38GhB9-fd0s2Vg",
  "payload": ""
}
2021-08-26 10:38:37,854:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/25260366840 HTTP/1.1" 200 791
2021-08-26 10:38:37,854:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 26 Aug 2021 10:38:37 GMT
Content-Type: application/json
Content-Length: 791
Connection: keep-alive
Boulder-Requester: 173166800
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00028vFwJittRxvDmy9MovAYeWv31F-dWOJkX0O8Ez0bYV4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "marref.org"
  },
  "status": "pending",
  "expires": "2021-09-02T10:38:33Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/25260366840/vYnM7Q",
      "token": "_vAt3WJO3Gd3b1SKEhJCzYRez0xe5EajHhAY_COoqRw"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/25260366840/4IzPbw",
      "token": "_vAt3WJO3Gd3b1SKEhJCzYRez0xe5EajHhAY_COoqRw"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/25260366840/-rJZfw",
      "token": "_vAt3WJO3Gd3b1SKEhJCzYRez0xe5EajHhAY_COoqRw"
    }
  ]
}
2021-08-26 10:38:37,855:DEBUG:acme.client:Storing nonce: 00028vFwJittRxvDmy9MovAYeWv31F-dWOJkX0O8Ez0bYV4
2021-08-26 10:38:40,858:DEBUG:acme.client:JWS payload:
b''
2021-08-26 10:38:40,860:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/25260366840:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTczMTY2ODAwIiwgIm5vbmNlIjogIjAwMDI4dkZ3Sml0dFJ4dkRteTlNb3ZBWWVXdjMxRi1kV09Ka1gwTzhFejBiWVY0IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yNTI2MDM2Njg0MCJ9",
  "signature": "6bgW1xCMdJMG79opVHm8nghRsUn4v9G44_0HL08pAzC8l2v0QCZfFQ_cmUb1byddnM6KDGkPkNpdGwBO9b6TU3i1e4gP5sRv4DFIDPY1FHdv881kUN1oRg_Ff_-IRlVOmRvv_fsR9qd-Pn4K8owi0Hdug_hQcrKMSXaZNNtKPimmJidmHGDVGojV8hY2nHO2QcMGnltnXVfG2HLSrKeSpQCKXzDDwIg2Yyn4loK6VxWy0TSXeI2RNipj2hPGROtsw7dp3C_I_HtxsNDCW5W1XK-tIViL8yGZgVmoqntTBUHoNSjHlh39VYw2rSiwYuiVsctpCIfciPUWtsXRcvP2aQ",
  "payload": ""
}
2021-08-26 10:38:40,945:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/25260366840 HTTP/1.1" 200 791
2021-08-26 10:38:40,945:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 26 Aug 2021 10:38:40 GMT
Content-Type: application/json
Content-Length: 791
Connection: keep-alive
Boulder-Requester: 173166800
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001Zyi8_J5kvZOrbik7mE9Pkle3B5nBQKblBgw3CwQQr_w
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "marref.org"
  },
  "status": "pending",
  "expires": "2021-09-02T10:38:33Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/25260366840/vYnM7Q",
      "token": "_vAt3WJO3Gd3b1SKEhJCzYRez0xe5EajHhAY_COoqRw"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/25260366840/4IzPbw",
      "token": "_vAt3WJO3Gd3b1SKEhJCzYRez0xe5EajHhAY_COoqRw"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/25260366840/-rJZfw",
      "token": "_vAt3WJO3Gd3b1SKEhJCzYRez0xe5EajHhAY_COoqRw"
    }
  ]
}
2021-08-26 10:38:40,945:DEBUG:acme.client:Storing nonce: 0001Zyi8_J5kvZOrbik7mE9Pkle3B5nBQKblBgw3CwQQr_w
2021-08-26 10:38:43,949:DEBUG:acme.client:JWS payload:
b''
2021-08-26 10:38:43,951:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/25260366840:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTczMTY2ODAwIiwgIm5vbmNlIjogIjAwMDFaeWk4X0o1a3ZaT3JiaWs3bUU5UGtsZTNCNW5CUUtibEJndzNDd1FRcl93IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yNTI2MDM2Njg0MCJ9",
  "signature": "oWdeadtvUAfZxMY9l6CThBRuVLqgMaj9v9rDbJN625qiPNqyT-Uu6dGO5DkIihfr1RxslXfmWy2lyv7J1FpV3kE9KSkuaFAfdVg8ASbrmOEUJqT-RkkBntAi-_rxrSd9k9oWl7r9fD2SBqXUYdGXkUqDjUq8zcablX_vZsUoZW77c1MZft6QjkEaNgYNAeAvWZGlXcYvGvsFR0PIo7_5j7isXK4TcfirwRP5C974G4Bgd1rubZGZ39RXtAMms9IlOJWNIgmjLa9T6oZYCh7sM-NeV9XJilTva19KLJBDezNOEyYPBHK5LARDvNXsvqmFaSnqfRWuFwFyjXkpmjXBcg",
  "payload": ""
}
2021-08-26 10:38:44,034:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/25260366840 HTTP/1.1" 200 791
2021-08-26 10:38:44,034:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 26 Aug 2021 10:38:44 GMT
Content-Type: application/json
Content-Length: 791
Connection: keep-alive
Boulder-Requester: 173166800
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00029iljSUJJAx6pTa0m4S9ptf0mNW3ategqZ39MCeLV9QQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "marref.org"
  },
  "status": "pending",
  "expires": "2021-09-02T10:38:33Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/25260366840/vYnM7Q",
      "token": "_vAt3WJO3Gd3b1SKEhJCzYRez0xe5EajHhAY_COoqRw"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/25260366840/4IzPbw",
      "token": "_vAt3WJO3Gd3b1SKEhJCzYRez0xe5EajHhAY_COoqRw"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/25260366840/-rJZfw",
      "token": "_vAt3WJO3Gd3b1SKEhJCzYRez0xe5EajHhAY_COoqRw"
    }
  ]
}
2021-08-26 10:38:44,034:DEBUG:acme.client:Storing nonce: 00029iljSUJJAx6pTa0m4S9ptf0mNW3ategqZ39MCeLV9QQ
2021-08-26 10:38:47,038:DEBUG:acme.client:JWS payload:
b''
2021-08-26 10:38:47,040:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/25260366840:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTczMTY2ODAwIiwgIm5vbmNlIjogIjAwMDI5aWxqU1VKSkF4NnBUYTBtNFM5cHRmMG1OVzNhdGVncVozOU1DZUxWOVFRIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yNTI2MDM2Njg0MCJ9",
  "signature": "TqPKRAd6P8rGDk4n1c6woRMzZmfuDqG9DBIYJgUlP5tJi6XJK08m0QkReHnDxG4L9ASZx-I7Y78JrAeCtifChUgZWT-TCfMweEqq_DnruBLPkKJejgP3Scxit08_jF8dTC-EH7YDIlKpg8ecZWLs4mk2oLwVosL6f__oazjCNquPnAzM3jojC-UgOgDztc4JIVpPs2IqPBfIdLHmkOyxpk7XgTATJ6_BKWStynnBSN4JMmYOLcHGRVebd0cUWtjIToaunDK6b04d4TCMC5NCsgTek429vBo06_LzsrL9nBOK15HxmJJhzKGhlmlmzotRqgXusoB9GalpfmgSc8_aXQ",
  "payload": ""
}
2021-08-26 10:38:47,104:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/25260366840 HTTP/1.1" 200 937
2021-08-26 10:38:47,105:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 26 Aug 2021 10:38:47 GMT
Content-Type: application/json
Content-Length: 937
Connection: keep-alive
Boulder-Requester: 173166800
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001mBnlwabEJe42DMqA3_I23nZDKTB67VA0sNwr62jD6sE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "marref.org"
  },
  "status": "invalid",
  "expires": "2021-09-02T10:38:33Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "During secondary validation: No valid IP addresses found for marref.org",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/25260366840/vYnM7Q",
      "token": "_vAt3WJO3Gd3b1SKEhJCzYRez0xe5EajHhAY_COoqRw",
      "validationRecord": [
        {
          "url": "http://marref.org/.well-known/acme-challenge/_vAt3WJO3Gd3b1SKEhJCzYRez0xe5EajHhAY_COoqRw",
          "hostname": "marref.org",
          "port": "80",
          "addressesResolved": [
            "34.125.24.60"
          ],
          "addressUsed": "34.125.24.60"
        }
      ],
      "validated": "2021-08-26T10:38:36Z"
    }
  ]
}
2021-08-26 10:38:47,105:DEBUG:acme.client:Storing nonce: 0001mBnlwabEJe42DMqA3_I23nZDKTB67VA0sNwr62jD6sE
2021-08-26 10:38:47,105:INFO:certbot._internal.auth_handler:Challenge failed for domain marref.org
2021-08-26 10:38:47,106:INFO:certbot._internal.auth_handler:http-01 challenge for marref.org
2021-08-26 10:38:47,106:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: marref.org
  Type:   dns
  Detail: During secondary validation: No valid IP addresses found for marref.org

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

2021-08-26 10:38:47,107:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2021-08-26 10:38:47,107:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-08-26 10:38:47,108:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-08-26 10:38:47,357:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/1343/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/_internal/main.py", line 1566, in main
    return config.func(config, plugins)
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/_internal/main.py", line 1280, in run
    new_lineage = _get_and_save_cert(le_client, config, domains,
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/_internal/main.py", line 128, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/_internal/client.py", line 456, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/_internal/client.py", line 386, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/_internal/client.py", line 436, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2021-08-26 10:38:47,359:ERROR:certbot._internal.log:Some challenges have failed.

The following is my /etc/apache2/sites-enabled/000-default-le-ssl.conf.

<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerAdmin webmaster@localhost
  DocumentRoot **hidden**
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
#  <LocationMatch "^/(?!\.well-known)">
        #send all other requests to HTTPS
#       RewriteEngine On
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.
#       RewriteCond %{HTTPS} !=on
#       RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1
#  </LocationMatch>
#   RewriteCond %{SERVER_NAME} =infinity-computer-systems.com
#   RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
ServerName infinity-computer-systems.com
SSLCertificateFile /etc/letsencrypt/live/infinity-computer-systems.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/infinity-computer-systems.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

So could you please let me know how I can add marref.org with its own certificate to my machine?

Many thanks,
Amine.

1 Like

I'm confused.
Apache vhost config, and in the log file:

HTTP 201
Server: nginx
Date: Thu, Aug 26, 2021 10:38:33 GMT

1 Like

From the machine:

$ nginx --version
Command 'nginx' not found, but can be installed with:
apt install nginx-core    # version 1.18.0-0ubuntu1.2, or
apt install nginx-extras  # version 1.18.0-0ubuntu1.2
apt install nginx-full    # version 1.18.0-0ubuntu1.2
apt install nginx-light   # version 1.18.0-0ubuntu1.2
Ask your administrator to install one of them.

I'm not sure because I use redirect and not rewrite.
Is the server name missing in the port 80 config?

1 Like

I did not quite get your question. I am no expert in this, so which server name? Is this supposed to be a variable in the virtual host entry?

Sorry, I shouldn't answer if I didn't understand the log.
I have to think about "no valid IP".

1 Like

This step likely fails because neither of the vhosts has a ServerName directive.
So it "worked" for the first domain simply because there was no other for Apache to choose from.
Once a second was introduced, then the ServerName must be matched, or the default (first one) would be used in both cases.
So, why does that fail?
Well, I suspect [despite the fact that you hid the DocumentRoots (which is OK)] that they are not using the same one. So, only one will work; as the other will never be reached.

This is an even bigger problem.
DNS needs to always be fully functional [Regardless of which authentication method is being used].

1 Like
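To make the explanation above concrete, here is an added illustration (not code from this thread, from Apache or from Certbot) of the rule Apache applies to name-based virtual hosts: among the vhosts bound to the same address:port, the first whose ServerName or ServerAlias matches the request's Host header answers, and when none matches the first vhost listed is the default. The script parses a config, reports vhosts that lack ServerName, works out which vhost would answer a given Host on a given port, and checks whether that vhost's certificate actually names the host. The two configs are constructed samples modelled on what is quoted in the thread (DocumentRoot omitted), the marref.org certificate path assumes Certbot's usual /etc/letsencrypt/live/ layout, and the SAN lists are constructed stand-ins for what the certificates would carry.

```python
"""Model Apache's name-based vhost selection and the resulting certificate match.
Added example modelled on the thread; configs, cert paths and SAN lists are constructed."""
import fnmatch
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class VHost:
    addr: str                           # the "*:80" / "*:443" part of <VirtualHost ...>
    server_name: Optional[str] = None
    aliases: List[str] = field(default_factory=list)
    cert_file: Optional[str] = None


_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.I)
_CLOSE = re.compile(r"^</VirtualHost>$", re.I)


def _host(token: str) -> str:
    """ServerName may carry a scheme and a port ("https://example.org:443")."""
    token = re.sub(r"^[a-z][a-z0-9+.-]*://", "", token, flags=re.I)
    return token.split(":", 1)[0].lower()


def parse_vhosts(config: str) -> List[VHost]:
    """Collect <VirtualHost> blocks in file order; the order decides the default."""
    vhosts: List[VHost] = []
    current: Optional[VHost] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # Apache comments are whole-line only
            continue
        m = _OPEN.match(line)
        if m:
            current = VHost(addr=m.group(1).strip())
            continue
        if _CLOSE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        if current is None:                         # directive outside any vhost
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "servername" and len(parts) > 1:
            current.server_name = _host(parts[1])
        elif key == "serveralias":
            current.aliases.extend(p.lower() for p in parts[1:])
        elif key == "sslcertificatefile" and len(parts) > 1:
            current.cert_file = parts[1]
    return vhosts


def missing_server_name(vhosts: List[VHost]) -> List[int]:
    """1-based positions of vhosts without ServerName (the defect in the thread)."""
    return [i for i, v in enumerate(vhosts, 1) if v.server_name is None]


def select_vhost(vhosts: List[VHost], addr: str, host: str) -> Optional[VHost]:
    """First vhost on addr whose ServerName/ServerAlias matches host, else the first listed."""
    candidates = [v for v in vhosts if v.addr == addr]
    if not candidates:
        return None
    host = host.lower()
    for v in candidates:
        if v.server_name == host or any(fnmatch.fnmatchcase(host, a) for a in v.aliases):
            return v
    return candidates[0]                             # no match: default vhost answers


def san_covers(sans: List[str], host: str) -> bool:
    """Exact SAN match, or one leftmost wildcard label as browsers accept it (RFC 6125 style)."""
    h = host.lower().rstrip(".").split(".")
    for san in sans:
        s = san.lower().rstrip(".").split(".")
        if s == h:
            return True
        if s[0] == "*" and len(s) == len(h) and len(s) >= 3 and s[1:] == h[1:]:
            return True
    return False


def diagnose(config: str, cert_sans: Dict[str, List[str]], addr: str, host: str) -> dict:
    """Which vhost answers host on addr, and does the certificate it presents name host?"""
    chosen = select_vhost(parse_vhosts(config), addr, host)
    if chosen is None:
        return {"vhost": None, "cert": None, "cert_ok": False}
    sans = cert_sans.get(chosen.cert_file or "", [])
    return {"vhost": chosen.server_name, "cert": chosen.cert_file, "cert_ok": san_covers(sans, host)}


# Constructed sample modelled on the thread: two *:80 vhosts without ServerName and a
# single *:443 vhost that only knows infinity-computer-systems.com.
BROKEN_CONFIG = """
<VirtualHost *:80>
  RewriteCond %{SERVER_NAME} =infinity-computer-systems.com
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
  RewriteCond %{SERVER_NAME} =marref.org
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName infinity-computer-systems.com
  SSLCertificateFile /etc/letsencrypt/live/infinity-computer-systems.com/fullchain.pem
</VirtualHost>
</IfModule>
"""

# Constructed fixed variant: every vhost names itself and marref.org gets its own *:443
# vhost; the marref.org certificate path assumes Certbot's usual live/ layout.
FIXED_CONFIG = """
<VirtualHost *:80>
  ServerName infinity-computer-systems.com
  ServerAlias marref.org
</VirtualHost>
<VirtualHost *:443>
  ServerName infinity-computer-systems.com
  SSLCertificateFile /etc/letsencrypt/live/infinity-computer-systems.com/fullchain.pem
</VirtualHost>
<VirtualHost *:443>
  ServerName marref.org
  SSLCertificateFile /etc/letsencrypt/live/marref.org/fullchain.pem
</VirtualHost>
"""

# Constructed stand-in for the subjectAltName entries each certificate carries.
CERT_SANS = {
    "/etc/letsencrypt/live/infinity-computer-systems.com/fullchain.pem": ["infinity-computer-systems.com"],
    "/etc/letsencrypt/live/marref.org/fullchain.pem": ["marref.org"],
}

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "vhosts without ServerName:", missing_server_name(parse_vhosts(cfg)))
        for name in ("infinity-computer-systems.com", "marref.org"):
            print("  ", name, "->", diagnose(cfg, CERT_SANS, "*:443", name))
```

Run against the broken sample, a request for marref.org on port 443 lands on the only *:443 vhost and is answered with the infinity-computer-systems.com certificate, which is exactly the name mismatch the browser and Bitdefender flagged; on port 80 both names fall through to the first vhost, so the second redirect block is never reached. With ServerName on every vhost and a vhost per name (or one vhost with ServerAlias and a certificate covering both names), each Host header selects the vhost whose certificate names it.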

Those are logged entries of the responses given by the accesses to:
https://acme-v02.api.letsencrypt.org/*
[LE uses nginx - those will always be in the logs]

1 Like

The two virtual hosts have exactly the same folder in DocumentRoot.
What do I need to specify for ServerName? An IP? They will both have the same IP then.

To be honest I am lost.

1 Like

Lines like this one:

[found in the secured vhost config]

But, if both are using the same root, then you don't really need two vhosts.
You only need to address the redirection properly to forward both names within a single file.

1 Like

Try just one file:

<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  # unhide this first
  DocumentRoot **hidden**
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  <LocationMatch "^/(?!\.well-known)">
        # send all other requests to HTTPS (I recognize my handwriting - LOL)
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1
  </LocationMatch>
  # maybe add this line in too
  RewriteEngine On
  RewriteCond %{SERVER_NAME} =infinity-computer-systems.com [OR]
  RewriteCond %{SERVER_NAME} =marref.org
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Or replace these four lines

  RewriteEngine On
  RewriteCond %{SERVER_NAME} =infinity-computer-systems.com [OR]
  RewriteCond %{SERVER_NAME} =marref.org
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

with just:
  Redirect permanent / https://%{SERVER_NAME}%{REQUEST_URI}

[Note: That will redirect any/all request to HTTPS (other than challenge requests handled above)]

2 Likes

Cheers!
If I am not daydreaming, now it works perfectly after adding the ServerName to both vhosts.

<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  DocumentRoot ****
  ServerName infinity-computer-systems.com
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  <LocationMatch "^/(?!\.well-known)">
        #send all other requests to HTTPS
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1
  </LocationMatch>
  RewriteCond %{SERVER_NAME} =infinity-computer-systems.com
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  DocumentRoot ****
  ServerName marref.org
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  <LocationMatch "^/(?!\.well-known)">
        #send all other requests to HTTPS
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1
  </LocationMatch>
  RewriteCond %{SERVER_NAME} =marref.org
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

I am able to connect to marref.org without the mismatch warning.

But the file /etc/apache2/sites-enabled/000-default-le-ssl.conf remains the same and hardly talks about marref.org. Is this ok?

I have just seen a later post by you regarding using a single file. Thanks a lot for that. That will definitely be more appropriate. For the time being I will keep two vhosts in case I change my mind and decide to have two separate websites.

1 Like

You might want to use a new and specifically dedicated root for these challenge requests.

1 Like

It was excitement.

2 Likes

No; probably not.
Not unless both domains use the exact same DocumentRoot and certificate.
Please show the output of:
certbot certificates

1 Like

I get this:

$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: infinity-computer-systems.com
    Serial Number: 4059f85a01bb616063bdce93458d71aa6e7
    Key Type: RSA
    Domains: infinity-computer-systems.com
    Expiry Date: 2021-11-21 21:06:45+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/infinity-computer-systems.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/infinity-computer-systems.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 Like

Ok, so there hasn't been a certificate yet created for the second site.

Let's try that now, with:

I'd add in --dry-run too (while we test)
So:
sudo certbot --apache -d marref.org --dry-run

1 Like

A certificate has been generated for marref.org and now the file /etc/apache2/sites-enabled/000-default-le-ssl.conf has two vhosts inside it :)

1 Like

Now infinity-software-systems.com is reported as suspicious because of certificate mismatch.

1 Like

Please show this file:

Is that spelled correctly?:
Global DNS returns:
can't find infinity-software-systems.com: Non-existent domain

1 Like