Two domains on one IP address - from HTTP to HTTPS

I have this now:

/etc/apache2/sites-enabled# ls
000-default-le-ssl.conf  salonkristina.hr.conf  salonkristina.hr-le-ssl.conf

Because inside ‘salonkristina.hr.conf’ I have defined data for port 80 and inside ‘salonkristina.hr-le-ssl.conf’ I have defined data for `<IfModule mod_ssl.c>` port 443.

And inside ‘000-default-le-ssl.conf’ I have defined data both for port 80 and port 443.
Do you think this is a problem when it comes to renewing cert?

/etc/apache2/sites-enabled# apachectl -S
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server prominenthair.hr (/etc/apache2/sites-enabled/000-default-le-ssl.conf:15)
         port 443 namevhost prominenthair.hr (/etc/apache2/sites-enabled/000-default-le-ssl.conf:15)
                 alias www.prominenthair.hr
         port 443 namevhost salonkristina.hr (/etc/apache2/sites-enabled/salonkristina.hr-le-ssl.conf:2)
                 alias www.salonkristina.hr
*:80                   is a NameVirtualHost
         default server prominenthair.hr (/etc/apache2/sites-enabled/000-default-le-ssl.conf:4)
         port 80 namevhost prominenthair.hr (/etc/apache2/sites-enabled/000-default-le-ssl.conf:4)
                 alias www.prominenthair.hr
         port 80 namevhost salonkristina.hr (/etc/apache2/sites-enabled/salonkristina.hr.conf:1)
                 alias www.salonkristina.hr
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

I tried a dry run and it seems fine though:

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/prominenthair.hr-0001/fullchain.pem (success)
  /etc/letsencrypt/live/prominenthair.hr/fullchain.pem (success)
  /etc/letsencrypt/live/salonkristina.hr/fullchain.pem (success)
  /etc/letsencrypt/live/www.prominenthair.hr/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
1 Like

No.
The config is glommed together and ingested as a whole.
The number of pieces (files) is irrelevant.

This is what is important:
[and it looks perfect]
[image]

Two sites with two names each and both in HTTP and HTTPS.

2 Likes

Thank you a lot! I tried the dry run and added the output to the reply. Seems great

2 Likes

Ok, one more problem left:

e.g. on Safari if I force http:

it automatically redirects me to https://

But when I try to access from Facebook info or Instagram bio, with ‘http://www.salonkristina.hr’ it says: “The site security certificate is not trusted.”

Maybe this can help:
https://crt.sh/?q=salonkristina.hr
https://crt.sh/?q=www.salonkristina.hr
Do I need two certificates to handle both?

salonkristina.hr.conf

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/salonkristina
        ServerName salonkristina.hr
        ServerAlias www.salonkristina.hr
        Redirect permanent / https://salonkristina.hr/

        <Directory /var/www/salonkristina/>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =prominenthair.hr
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

salonkristina.hr-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin mario.orlovac@gmail.com
        DocumentRoot /var/www/salonkristina
        ServerName salonkristina.hr
        ServerAlias www.salonkristina.hr

        <Directory /var/www/salonkristina/>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

# RewriteCond %{SERVER_NAME} =prominenthair.hr
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
SSLCertificateFile /etc/letsencrypt/live/salonkristina.hr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/salonkristina.hr/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
1 Like

Something to fix:

That file has a bad redirect comparison check:

It would be simpler to use a single "redirect all" statement.
Like:

Here is an updated version of what you have now (delete 8 lines):

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/salonkristina
        ServerName salonkristina.hr
        ServerAlias www.salonkristina.hr
        Redirect permanent / https://salonkristina.hr/

        <Directory /var/www/salonkristina/>    #DELETE THIS LINE
            Options FollowSymLinks             #DELETE THIS LINE
            AllowOverride All                  #DELETE THIS LINE
            Require all granted                #DELETE THIS LINE
        </Directory>                           #DELETE THIS LINE

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on                                                        #DELETE THIS LINE
RewriteCond %{SERVER_NAME} =prominenthair.hr                            #DELETE THIS LINE
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] #DELETE THIS LINE

</VirtualHost>
2 Likes

I guess I should do the same changes here:

000-default-le-ssl.conf

<IfModule mod_ssl.c>
</IfModule>

<VirtualHost *:80>
   ServerName prominenthair.hr
   ServerAlias www.prominenthair.hr
   DocumentRoot /var/www/html
   Redirect permanent / https://prominenthair.hr/

   ErrorLog ${APACHE_LOG_DIR}/error.log            #ADD THIS MISSING LINE
   CustomLog ${APACHE_LOG_DIR}/access.log combined #ADD THIS MISSING LINE

RewriteEngine on                                                        #DELETE THIS LINE
RewriteCond %{SERVER_NAME} =prominenthair.hr                            #DELETE THIS LINE
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] #DELETE THIS LINE
</VirtualHost>

<VirtualHost *:443>
        ServerAdmin mario.orlovac@gmail.com
        ServerName prominenthair.hr
        ServerAlias www.prominenthair.hr
        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        SSLEngine on
        SSLCertificateFile    /etc/letsencrypt/live/www.prominenthair.hr/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.prominenthair.hr/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/www.prominenthair.hr/chain.pem

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

But the problem still remains even after changing the salonkristina.hr.conf.

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/salonkristina
        ServerName salonkristina.hr
        ServerAlias www.salonkristina.hr
        Redirect permanent / https://salonkristina.hr/

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

If you have Instagram, go to @salonljepotekristina and try to open the website. http://salonkristina.hr will open without a problem, but http://www.salonkristina.hr, the way it's entered now, won't.

1 Like

It fails to be secure because the cert at the site for the first name is from the second name - the cert name used doesn’t match the site name in the URL.

Please close and reopen your browser (may be a caching problem).
Also restart the web server.
and also show:
certbot certificates

1 Like

I restarted apache2, I even turned my mobile phone off and on, removed all my apps from the stack, and always access the page from incognito.

And this is the result:

/etc/apache2/sites-enabled# certbot certificates

Found the following certs:
  Certificate Name: prominenthair.hr-0001
    Domains: prominenthair.hr
    Expiry Date: 2020-07-26 02:18:37+00:00 (VALID: 78 days)
    Certificate Path: /etc/letsencrypt/live/prominenthair.hr-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/prominenthair.hr-0001/privkey.pem
  Certificate Name: prominenthair.hr
    Domains: prominenthair.hr www.prominenthair.hr
    Expiry Date: 2020-07-06 20:04:35+00:00 (VALID: 59 days)
    Certificate Path: /etc/letsencrypt/live/prominenthair.hr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/prominenthair.hr/privkey.pem
  Certificate Name: salonkristina.hr
    Domains: salonkristina.hr
    Expiry Date: 2020-08-05 17:03:41+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/salonkristina.hr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/salonkristina.hr/privkey.pem
  Certificate Name: www.prominenthair.hr
    Domains: www.prominenthair.hr
    Expiry Date: 2020-07-26 12:42:44+00:00 (VALID: 79 days)
    Certificate Path: /etc/letsencrypt/live/www.prominenthair.hr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.prominenthair.hr/privkey.pem
1 Like

OK I see the problem.

Cert 1: Domains: prominenthair.hr
Cert 2: Domains: prominenthair.hr www.prominenthair.hr
Cert 3: Domains: salonkristina.hr
Cert 4: Domains: www.prominenthair.hr

There is no single cert to serve both names:
Domains: salonkristina.hr
Domains: www.prominenthair.hr

You need to get a new cert (for that) and then delete the ones you don’t need.

Cert #2 is good
Certs #1, #3, #4 are not so good (for your combined use)

2 Likes

Yes, you are right. I am going to fix that now.

Would you recommend deleting Cert #1 and #4?

1 Like

Yes, but only after you get the new cert with both names on it.

Actually #1 and #4 can be deleted now.

1 Like

Actually, actually, this has to be changed to the one you're keeping:

Use instead (use #2 instead of #4):

SSLCertificateFile /etc/letsencrypt/live/prominenthair.hr/cert.pem 
SSLCertificateKeyFile /etc/letsencrypt/live/prominenthair.hr/privkey.pem 
SSLCertificateChainFile /etc/letsencrypt/live/prominenthair.hr/chain.pem
1 Like

Ok, this is what I’ve got, salonkristina.hr works perfect now:

Found the following certs:
  Certificate Name: prominenthair.hr-0001
    Domains: prominenthair.hr
    Expiry Date: 2020-07-26 02:18:37+00:00 (VALID: 78 days)
    Certificate Path: /etc/letsencrypt/live/prominenthair.hr-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/prominenthair.hr-0001/privkey.pem
  Certificate Name: prominenthair.hr
    Domains: prominenthair.hr www.prominenthair.hr
    Expiry Date: 2020-07-06 20:04:35+00:00 (VALID: 59 days)
    Certificate Path: /etc/letsencrypt/live/prominenthair.hr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/prominenthair.hr/privkey.pem
  Certificate Name: salonkristina.hr
    Domains: salonkristina.hr www.salonkristina.hr
    Expiry Date: 2020-08-06 11:36:28+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/salonkristina.hr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/salonkristina.hr/privkey.pem
  Certificate Name: www.prominenthair.hr
    Domains: www.prominenthair.hr
    Expiry Date: 2020-07-26 12:42:44+00:00 (VALID: 79 days)
    Certificate Path: /etc/letsencrypt/live/www.prominenthair.hr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.prominenthair.hr/privkey.pem

Can you explain to me how to properly delete certificates #1 and #4?
I found this command:
sudo certbot delete --cert-name example.com

Should I enter:
sudo certbot delete --cert-name prominenthair.hr-0001

Also, should I after that remove the directory related to the certificate?

1 Like

Ok, now I’m finished:

Found the following certs:
  Certificate Name: prominenthair.hr
    Domains: prominenthair.hr www.prominenthair.hr
    Expiry Date: 2020-07-06 20:04:35+00:00 (VALID: 59 days)
    Certificate Path: /etc/letsencrypt/live/prominenthair.hr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/prominenthair.hr/privkey.pem
  Certificate Name: salonkristina.hr
    Domains: salonkristina.hr www.salonkristina.hr
    Expiry Date: 2020-08-06 11:36:28+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/salonkristina.hr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/salonkristina.hr/privkey.pem

Do you know why when I open this link with the IP address it says the certificate is not valid:
https://178.62.219.173/phpmyadmin

And the last question:
How do I know with the current properties that my certificates will automatically renew after expiration?

1 Like

Hi @morlovac

That's expected.

Your certificate doesn't have an ip address as domain name, so the name doesn't match.

1 Like

Ok. Does it represent a security threat or should I do any changes about it?

1 Like

Yes, that is the "cert name".

1 Like

Yes, it is vulnerable to MiTM-type attacks and spying.
You should always use names and certs that are signed by a trusted CA.

1 Like

Ok.
Should I create a certificate especially for the ip address like I did for the domains? Or how to approach this?

You can’t get a cert for an IP from LE.
You should use a named cert instead.

1 Like
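As an added example (not from this thread, and not certbot's own code), here is the cert-coverage check that both the four-cert analysis above and the later https://&lt;IP&gt; question come down to: parse `certbot certificates` output, list the vhost names no installed cert can serve, and list certs whose names are a strict subset of another cert's (the ones safe to delete). The sample output and the hostname list are constructed from what the thread shows; the wildcard rule (one left-most label) goes beyond the thread's certs.

```python
import re
from ipaddress import ip_address
# Constructed sample in the layout printed by `certbot certificates`,
# mirroring the four certs listed in the thread (not captured from a host).
CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: prominenthair.hr-0001
    Domains: prominenthair.hr
  Certificate Name: prominenthair.hr
    Domains: prominenthair.hr www.prominenthair.hr
  Certificate Name: salonkristina.hr
    Domains: salonkristina.hr
  Certificate Name: www.prominenthair.hr
    Domains: www.prominenthair.hr
"""
# ServerName/ServerAlias values of the two vhosts, plus the bare IP.
VHOST_NAMES = ["salonkristina.hr", "www.salonkristina.hr",
               "prominenthair.hr", "www.prominenthair.hr", "178.62.219.173"]

def parse_certbot(output):
    """Return {cert_name: [domains]} parsed from `certbot certificates`."""
    pairs = re.findall(r"Certificate Name:\s*(\S+)\s+Domains:\s*(.+)", output)
    return {name: doms.lower().split() for name, doms in pairs}

def name_matches(san, host):
    """Browser-style check: exact match, or a wildcard covering exactly one
    left-most label. An IP literal never matches a DNS name in the cert."""
    host = host.lower()
    try:
        ip_address(host)
        return False  # https://<ip> cannot match a DNS-name-only cert
    except ValueError:
        pass
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host

def uncovered_names(certs, names):
    """Names no installed cert can serve (each gives a name-mismatch error)."""
    return [n for n in names
            if not any(name_matches(s, n) for d in certs.values() for s in d)]

def redundant_certs(certs):
    """Certs whose domain set is a strict subset of another cert's: deletable."""
    sets = {c: set(d) for c, d in certs.items()}
    return sorted(c for c, s in sets.items()
                  if any(s < t for o, t in sets.items() if o != c))

if __name__ == "__main__":
    c = parse_certbot(CERTBOT_OUTPUT)
    print("uncovered:", uncovered_names(c, VHOST_NAMES), "redundant:", redundant_certs(c))
```

Run against the state before the new salonkristina.hr cert, it reports www.salonkristina.hr and the IP as uncovered and certs #1 and #4 as redundant, which is exactly the fix the thread arrived at.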