Two domains on one IP address - from HTTP to HTTPS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://crt.sh/?q=www.prominenthair.hr and https://crt.sh/?q=www.salonkristina.hr

I ran this command: I haven’t ran anything yet but I will explain in the output field what I want to accomplish. Before I do any changes I want to be sure I’m doing it good.

It produced this output: I have 1 domain with SLL certificate, and another domain (that I activated recently) without SSL. Both domains are on one IP address. I want to switch from HTTP to HTTPS on that second domain (salonkristina.hr).
I just wanted to ask what are the constraints (if any) and what I should pay attantion before doing any chages? Should I just follow steps on e.g. “zerossl”?
I just wanna make sure I won’t mess up something. Thank you in advance

My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Putty + WinSCP

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

1 Like

You should be able to do what you intend without much trouble.
Apache 2.4.18 supports SNI which is the only real requirement to support HTTP, or HTTPS, for multiple names on the same IP.
[you are probably already serving multiple HTTP sites there - HTTPS is only adding TLS to an HTTP config (and changing the port to 443)]

You should consider automation into your design/setup.
Using “zerossl” may work but might be a very “manual” process [that will have to be repeated every 90 days (or less)].
Consider using an ACME client that can also renew your certs automatically (before they expire).

The first step should be to insure that each domain name is being correctly and independently handled (in HTTP).
Note: Domain names may also include their “www” spelling.
Try reviewing the output of:
apachectl -S

2 Likes

Hi rg305, this is the output I’ve got:
VirtualHost configuration:
*:443 is a NameVirtualHost
default server prominenthair.hr (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost prominenthair.hr (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost prominenthair.hr (/etc/apache2/sites-enabled/prominenthair.hr.conf:6)
alias www.prominenthair.hr
*:80 is a NameVirtualHost
default server prominenthair.hr (/etc/apache2/sites-enabled/prominenthair.hr.conf:1)
port 80 namevhost prominenthair.hr (/etc/apache2/sites-enabled/prominenthair.hr.conf:1)
port 80 namevhost salonkristina.hr (/etc/apache2/sites-enabled/salonkristina.hr.conf:1)
alias www.salonkristina.hr
ServerRoot: “/etc/apache2”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/var/log/apache2/error.log”
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
PidFile: “/var/run/apache2/apache2.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“www-data” id=33
Group: name=“www-data” id=33

I would also add that the first domain (with HTTPS) is a Wordpress website, and the other domain just plain html+css static website without a database.

Some further instructions would be really appreciated because I have no clue what I should be doing next. Thank you in advance

I am familiar with ACME though…

1 Like

This seems conflicting; as the same name appears in more than one vhost config file:

As for the second name, you should be able to use certbot to create the HTTPS vhost config file for you from the present HTTP vhost config file.

2 Likes

Ok. I looked inside the two files and they are different regarding content:

000-default-le-ssl.conf
< IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

ServerName prominenthair.hr
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/prominenthair.hr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/prominenthair.hr/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
< /VirtualHost>
< /IfModule>

prominenthair.hr.conf
<VirtualHost *:80>
ServerName prominenthair.hr
Redirect permanent / https://prominenthair.hr/
< /VirtualHost>

<VirtualHost *:443>
ServerAdmin mario.orlovac@gmail.com
ServerName prominenthair.hr
ServerAlias www.prominenthair.hr
DocumentRoot /var/www/html

    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/www.prominenthair.hr/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.prominenthair.hr/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/www.prominenthair.hr/chain.pem

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteEngine on
RewriteCond %{SERVER_NAME} =prominenthair.hr
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
< /VirtualHost>

Is there a way to merge or transfer settings from one conf file to another, and how should I do that?

1 Like

Manually, using a text editor.

1 Like

Sorry, now I see that the copy/paste I made into the text editor didn’t capture all the content so I edited my last post again.

What makes the difference is:
< IfModule mod_ssl.c>
and the content inside (especially SSL part)

That’s why I asked you how should I structure this data into one .conf file?
Sorry if I annoy you, I hardly understand what’s going on here.

1 Like

This is probably the biggest hurdle.

You definitely don't need two vhost configs for the same name.
Furthermore you are probably getting unexpected results; as the server will go down the code and stop on the first match and never execute anything else (from the second match).

So you must have only one match.
This we agree on.

Which parts to move is up to you.
But if you are asking me, I would include all from both (removing any redundancy).
Start there and see how that goes.

2 Likes

Before I was going to do any changes I wanted to check once again
root@www:~# apachectl –S

But this time I’ve got this:
Usage: /usr/sbin/apache2 [-D name] [-d directory] [-f file]
[-C “directive”] [-c “directive”]
[-k start|restart|graceful|graceful-stop|stop]
[-v] [-V] [-h] [-l] [-L] [-t] [-T] [-S] [-X]
Options:
-D name : define a name for use in directives
-d directory : specify an alternate initial ServerRoot
-f file : specify an alternate ServerConfigFile
-C “directive” : process directive before reading config files
-c “directive” : process directive after reading config files
-e level : show startup errors of level (see LogLevel)
-E file : log startup errors to file
-v : show version number
-V : show compile settings
-h : list available command line options (this page)
-l : list compiled in modules
-L : list available configuration directives
-t -D DUMP_VHOSTS : show parsed vhost settings
-t -D DUMP_RUN_CFG : show parsed run settings
-S : a synonym for -t -D DUMP_VHOSTS -D DUMP_RUN_CFG
-t -D DUMP_MODULES : show all loaded modules
-M : a synonym for -t -D DUMP_MODULES
-t : run syntax check for config files
-T : start without DocumentRoot(s) check
-X : debug mode (only one worker, do not detach)
Action ‘–S’ failed.
The Apache error log may have more information.

Cuurently:
root@www:/etc/apache2/sites-available# ls
000-default.conf
000-default.conf.dpkg-dist
000-default-le-ssl.conf
default-ssl.conf
prominenthair.hr.conf
prominenthair.hr-le-ssl.conf
salonkristina.hr.conf

Any idea why ‘apachectl –S’ didn’t give the desired output, VirtualHost configuration?

1 Like

The -S in your command is not really a -S.
If you look really really really closely…
The “dash” in front of your S is really actually two dashes combined into one “dash type symbol”.
Try it with just one single dash.

1 Like

Yes, you were right with the -S.

I did what you suggested, so I merged the two into one .conf file where I left out some data:

000-default-le-ssl.conf

<IfModule mod_ssl.c>
</IfModule>

<VirtualHost *:80>
   ServerName prominenthair.hr
   Redirect permanent / https://prominenthair.hr/
</VirtualHost>

<VirtualHost *:443>
        ServerAdmin mario.orlovac@gmail.com
        ServerName prominenthair.hr
        ServerAlias www.prominenthair.hr
        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        SSLEngine on
        SSLCertificateFile    /etc/letsencrypt/live/www.prominenthair.hr/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.prominenthair.hr/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/www.prominenthair.hr/chain.pem

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =prominenthair.hr
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

/etc/apache2/sites-available# apachectl -S
VirtualHost configuration:
*:443 prominenthair.hr (/etc/apache2/sites-enabled/000-default-le-ssl.conf:9)
*:80 is a NameVirtualHost
default server prominenthair.hr (/etc/apache2/sites-enabled/000-default-le-ssl.conf:4)
port 80 namevhost prominenthair.hr (/etc/apache2/sites-enabled/000-default-le-ssl.conf:4)
port 80 namevhost salonkristina.hr (/etc/apache2/sites-enabled/salonkristina.hr.conf:1)
alias www.salonkristina.hr
ServerRoot: “/etc/apache2”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/var/log/apache2/error.log”
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: “/var/run/apache2/apache2.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“www-data” id=33
Group: name=“www-data” id=33

/sites-available# ls
000-default.conf 000-default.conf.dpkg-dist 000-default-le-ssl.conf default-ssl.conf salonkristina.hr.conf

I guess now that part is solved, so now I can use certbot to create the HTTPS vhost config file for the second domain from the present HTTP vhost config file “salonkristina.hr.conf”?

Also, for some reason if you look closely with the sites-available output I got:
‘alias www.salonkristina.hr’
but there’s no ‘alias www.prominenthair.hr’ mentioned even though it’s defined in the conf. file WEIRD

1 Like

This is a rewrite to send all connections to HTTPS.
I should NOT be in the HTTPS section:

You are confusing "sites-available" with "sites-enabled".
Site must be "enabled" to be in use.

2 Likes

So I should just remove those three rows? It’s some kind of redundancy? (PS I just copied what I found in there)

“You are confusing “sites-available” with “sites-enabled”.” -> What do you mean by that?
All of the above conf. files were already enabled or have been enabled…

1 Like

The 3 lines should only go in the port 80 section (not in the port 443 section).

There are two folders:
…/sites-enabled/
…/sites-available/

You need to understand how your web server uses them.

2 Likes

I didn’t know about the two folders…i thought it’s one folder where after you’re happy with the file you just have to enable it and reload apache. I googled it so now I understand the subject a little more…

This Ok now?
000-default-le-ssl.conf

<IfModule mod_ssl.c>
</IfModule>

<VirtualHost *:80>
   ServerName prominenthair.hr
   ServerAlias www.prominenthair.hr
   DocumentRoot /var/www/html
   Redirect permanent / https://prominenthair.hr/

RewriteEngine on
RewriteCond %{SERVER_NAME} =prominenthair.hr
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
        ServerAdmin mario.orlovac@gmail.com
        ServerName prominenthair.hr
        ServerAlias www.prominenthair.hr
        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        SSLEngine on
        SSLCertificateFile    /etc/letsencrypt/live/www.prominenthair.hr/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.prominenthair.hr/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/www.prominenthair.hr/chain.pem

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

/etc/apache2/sites-enabled# ls
000-default-le-ssl.conf salonkristina.hr.conf

1 Like

Much better now.

But there are two enabled files and you only shows one.
So, I can’t speak about the other.

1 Like

That’s because we focused on the problem you mentioned in the first reply “This seems conflicting; as the same name appears in more than one vhost config file:”

Now, that this is solved I can focus on getting SSL for the second domain.

In the cerbot instruction there are steps described on how to get certificate for the first time…
But because I have this specific situation where one domain has SSL certificate, and the other not, can you please forward me to some more helpfull instructions?

You mentioned SNI + automation earlier…

1 Like

You can treat the second name as you did with the first name.
They should operate independent of each other.

1 Like

Juhuuu it’s enabled…this is what I was looking for:
sudo certbot --apache -d salonkristina.hr

Thank’s a lot! So now I only have to edit the .conf file for that domain?

1 Like

Cerbot should make new SSL file for that name.
Check in the sites-enabled folder.
or confirm with:
apachectl -S

2 Likes