Two Domains, One IP - Second Domain Redirects to First Domain

Just started working with Certbot today on a Centos 6.9 server (Godaddy VPS).

The server by default has all the virtualhost directives within the main httpd.conf file, so automatic setup failed. After moving some (not done them all yet: server has dozens of domains) the virtulhost content to separate conf files (example: wwgaming.com.conf) I was able to get SSL to work with one domain.

http://www.wwgaming.com/ - during Certbot setup selected redirect so redirects to the https version.
https://www.wwgaming.com/

So that's working.

Next step was to try to use the same setup for a second domain on the same IP address.

http://morearnings.com/
https://morearnings.com/

At first ran through the same setup ./certbot-auto --apache and selected all the morearnings.com sub domains and the relevant files were created but the test at SSL Server Test: morearnings.com (Powered by Qualys SSL Labs) reported "Certificate name mismatch".

http was working as before, https still didn't work.

Next tried to use one certificate for the two domains.

Ran ./certbot-auto --apache again, but this time selected all the morearnings sub-domains and the wwgaming.com sub-domains and opted to renew the certificate (done this once, so have 4 more renews left this week). Below is the output cut down a little.

/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/init.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
...
97: morearnings.com
98: admin.morearnings.com
99: webmail.morearnings.com
100: www.morearnings.com
...
128: wwgaming.com
129: www.wwgaming.com

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 97,98,99,100,128,129
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/wwgaming.com.conf)

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
/root/.local/share/letsencrypt/lib/python2.6/site-packages/acme/jose/jwa.py:110: DeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
Performing the following challenges:
tls-sni-01 challenge for wwgaming.com
tls-sni-01 challenge for morearnings.com
tls-sni-01 challenge for admin.morearnings.com
tls-sni-01 challenge for webmail.morearnings.com
tls-sni-01 challenge for www.morearnings.com
tls-sni-01 challenge for www.wwgaming.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate for wwgaming.com to VirtualHost /etc/httpd/conf.d/wwgaming.com-le-ssl.conf
Deploying Certificate for morearnings.com to VirtualHost /etc/httpd/conf.d/morearnings.com-le-ssl.conf
Deploying Certificate for admin.morearnings.com to VirtualHost /etc/httpd/conf.d/morearnings.com-le-ssl.conf
Deploying Certificate for webmail.morearnings.com to VirtualHost /etc/httpd/conf.d/morearnings.com-le-ssl.conf
Deploying Certificate for www.morearnings.com to VirtualHost /etc/httpd/conf.d/morearnings.com-le-ssl.conf
Deploying Certificate for www.wwgaming.com to VirtualHost /etc/httpd/conf.d/wwgaming.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://wwgaming.com,
https://morearnings.com, https://admin.morearnings.com,
https://webmail.morearnings.com, https://www.morearnings.com, and
https://www.wwgaming.com

You should test your configuration at:
SSL Server Test (Powered by Qualys SSL Labs)
SSL Server Test: morearnings.com (Powered by Qualys SSL Labs)
SSL Server Test: admin.morearnings.com (Powered by Qualys SSL Labs)
SSL Server Test (Powered by Qualys SSL Labs)
SSL Server Test (Powered by Qualys SSL Labs)
SSL Server Test: www.wwgaming.com (Powered by Qualys SSL Labs)

IMPORTANT NOTES:

• Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/wwgaming.com/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/wwgaming.com/privkey.pem
  Your cert will expire on 2017-11-03. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot-auto
  again with the "certonly" option. To non-interactively renew all
  of your certificates, run "certbot-auto renew"

• If you like Certbot, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
  Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

http://www.wwgaming.com/ and https://www.wwgaming.com/ work as expected

http://morearnings.com/ and https://morearnings.com/ are not working as expected. http works, but https redirects to https://www.wwgaming.com/

Contents of /etc/httpd/conf.d/wwgaming.com.conf

<VirtualHost 166.62.84.189:80>
SuexecUserGroup "#yyy" "#yyy"
ServerName wwgaming.com
ServerAlias www.wwgaming.com
DocumentRoot /home/yyy/public_html
ErrorLog /var/log/virtualmin/wwgaming.com_error_log
CustomLog /var/log/virtualmin/wwgaming.com_access_log combined
ScriptAlias /cgi-bin/ /home/yyy/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/yyy/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksifOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Action application/x-httpd-php5 /cgi-bin/php5.cgi
Action application/x-httpd-php5.6 /cgi-bin/php5.6.cgi
AddType application/x-httpd-php5 .php5
AddType application/x-httpd-php5.6 .php5.6
AddType application/x-httpd-php5.6 .php
</Directory>
<Directory /home/yyy/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
Alias /pipermail /var/lib/mailman/archives/public
RemoveHandler .php
RemoveHandler .php5
RemoveHandler .php5.6
php_admin_value engine Off
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.wwgaming.com [OR]
RewriteCond %{SERVER_NAME} =wwgaming.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,NE,R=permanent]
</VirtualHost>

Contents of /etc/httpd/conf.d/wwgaming.com-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost 166.62.84.189:443>
SuexecUserGroup "#yyy" "#yyy"
ServerName wwgaming.com
ServerAlias www.wwgaming.com
DocumentRoot /home/yyy/public_html
ErrorLog /var/log/virtualmin/wwgaming.com_error_log
CustomLog /var/log/virtualmin/wwgaming.com_access_log combined
ScriptAlias /cgi-bin/ /home/yyy/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/yyy/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksifOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Action application/x-httpd-php5 /cgi-bin/php5.cgi
Action application/x-httpd-php5.6 /cgi-bin/php5.6.cgi
AddType application/x-httpd-php5 .php5
AddType application/x-httpd-php5.6 .php5.6
AddType application/x-httpd-php5.6 .php
</Directory>
<Directory /home/yyy/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
Alias /pipermail /var/lib/mailman/archives/public
RemoveHandler .php
RemoveHandler .php5
RemoveHandler .php5.6
php_admin_value engine Off
SSLCertificateFile /etc/letsencrypt/live/wwgaming.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/wwgaming.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/wwgaming.com/chain.pem
</VirtualHost>
</IfModule>

Contents of /etc/httpd/conf.d/morearnings.com-le-ssl.conf

<VirtualHost 166.62.84.189:80>
SuexecUserGroup "#xxx" "#xxx"
ServerName morearnings.com
ServerAlias www.morearnings.com
ServerAlias webmail.morearnings.com
ServerAlias admin.morearnings.com
ServerAlias *.morearnings.com
DocumentRoot /home/xxx/public_html
ErrorLog /var/log/virtualmin/morearnings.com_error_log
CustomLog /var/log/virtualmin/morearnings.com_access_log combined
ScriptAlias /cgi-bin/ /home/xxx/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/xxx/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
AddHandler fcgid-script .php5.6
FCGIWrapper /home/xxx/fcgi-bin/php5.6.fcgi .php
FCGIWrapper /home/xxx/fcgi-bin/php5.fcgi .php5
FCGIWrapper /home/xxx/fcgi-bin/php5.6.fcgi .php5.6
</Directory>
<Directory /home/xxx/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.morearnings.com
RewriteRule ^(.*) https://morearnings.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.morearnings.com
RewriteRule ^(.*) https://morearnings.com:10000/ [R]
RemoveHandler .php
RemoveHandler .php5
RemoveHandler .php5.6
php_admin_value engine Off
FcgidMaxRequestLen 1073741824
IPCCommTimeout 31
</VirtualHost>

Contents of /etc/httpd/conf.d/morearnings.com-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost 166.62.84.189:443>
SuexecUserGroup "#xxxx" "#xxxx"
ServerName morearnings.com
ServerAlias www.morearnings.com
ServerAlias webmail.morearnings.com
ServerAlias admin.morearnings.com
ServerAlias *.morearnings.com
DocumentRoot /home/xxx/public_html
ErrorLog /var/log/virtualmin/morearnings.com_error_log
CustomLog /var/log/virtualmin/morearnings.com_access_log combined
ScriptAlias /cgi-bin/ /home/xxx/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/xxx/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
AddHandler fcgid-script .php5.6
FCGIWrapper /home/xxx/fcgi-bin/php5.6.fcgi .php
FCGIWrapper /home/xxx/fcgi-bin/php5.fcgi .php5
FCGIWrapper /home/xxx/fcgi-bin/php5.6.fcgi .php5.6
</Directory>
<Directory /home/xxx/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

# RewriteCond %{HTTP_HOST} =webmail.morearnings.com
# RewriteRule ^(.*) https://morearnings.com:20000/ [R]
# RewriteCond %{HTTP_HOST} =admin.morearnings.com
# RewriteRule ^(.*) https://morearnings.com:10000/ [R]
RemoveHandler .php
RemoveHandler .php5
RemoveHandler .php5.6
php_admin_value engine Off
FcgidMaxRequestLen 1073741824
IPCCommTimeout 31
SSLCertificateFile /etc/letsencrypt/live/wwgaming.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/wwgaming.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/wwgaming.com/chain.pem
</VirtualHost>
</IfModule>

The morearnings .htaccess file is the standard WordPress .htaccess file, so nothing within it that could cause an issue.

I've tried different setups multiple times and under /etc/letsencrpt/live/ have 4 folders

morearnings.com
wwgaming.com
wwgaming.com-0001
wwgaming.com-0002

As you can see from the two "/etc/httpd/conf.d/######.com-le-ssl.conf" files the 0001 and 0002 files aren't used.

Any idea where I went wrong?

Not sure the output below is any use, based on Correct approach for multiple domains - one cert or several? - #2 by sahsanu

grep -ri VirtualHost *

install.sh:     sed -i -e "s/NameVirtualHost \*:80/NameVirtualHost $address:80/" $vhostsconf
install.sh:     sed -i -e "s/VirtualHost \*:80/VirtualHost $address:80/" $vhostsconf

grep -ri NameVirtualHost *

install.sh: sed -i -e "s/NameVirtualHost \*:80/NameVirtualHost $address:80/" $vhostsconf

In httpd.conf should I add

NameVirtualHost *:80
NameVirtualHost *:443

Is so, would those replace these?

NameVirtualHost 166.62.84.189:80
NameVirtualHost 166.62.84.189:443

Thanks

David

Please show the contents of:
/etc/apache2/sites-enabled
and
/etc/letsencrypt/options-ssl-apache.conf

Centos 6.9 doesn’t use sites-enabled by default (that’s Debian?), Centos doesn’t have /etc/apache2/, uses /etc/httpd/.

What info were you after?

Contents of /etc/letsencrypt/options-ssl-apache.conf with commented out code removed.

`SSLEngine on

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-truncated… not sure what it is, but wasn’t happy posting on a public forum…
SSLHonorCipherOrder on

SSLOptions +StrictRequire

LogFormat “%h %l %u %t “%r” %>s %b “%{Referer}i” “%{User-agent}i”” vhost_combined
LogFormat “%v %h %l %u %t “%r” %>s %b” vhost_common`

Thanks.

David

I think the issue might be related to WordPress multi-site (the morearnings site that’s not working is standard WordPress multisite) as tested with a third domain https://www.ultimate100.net/ (non-multisite WordPress) and it’s working.

Weirdly it’s totally messed up another domain on the server that’s a Domain Mapped WordPress multisite install: domain mapped installs allows multiple domains to be run from one WordPress install, the domain in question has a couple of dozen domains mapped to it and they are all redirecting to morearnings.com.

For example theater-reviews.co.uk redirects to http://morearnings.com/wp-signup.php?new=theater-reviews.co.uk. It shouldn’t do that, it should map to a sub-domain theater-reviews.virtual-light.com which redirects to the correct domain.

Probably not much you guys can help with on this one as quite a complex setup, will delete the SSL stuff for morearnings and see what happens

Might delete all the certificates etc… and start again.

David

Servers are stupid!

The weird redirect was caused by moving the virtualhosts directives to separate config files.

The domain mapped domain has to be set as the default domain on the server for the IP used and apparently moving it’s virtualhost directives to it’s own *.conf file meant another domain (the first domain with virtualhost directives in httpd.conf) became the default domain!!!

So not a certbot issue.

The default domain thing is annoying since I couldn’t get certbot to run without moving the directives to separate conf files.

Looks like I can easily set up SSL certs for domains not involved in WordPress domain mapping or which have a WordPress multisite install.

Now I have a couple of dozen domain mapped domains pointing to the wrong domain and have to wait for the DNS to re-propagate before it’s fixed and can try again adding SSL certs.

David

By the way, the Let's Encrypt CA doesn't have the same concept of DNS propagation that browsers do because it always goes directly to the authoritative DNS server and doesn't use resolver caches. DNS propagation is usually about the way that intermediate DNS servers are allowed to retain old records for the time-to-live of those records rather than rechecking an authoritative server. But Let's Encrypt checks directly with the authoritative server every time.

However, your browser might still be using old records so you might not be able to check in the browser whether the process worked, unless you overrode the DNS results by editing a hosts file.

Quick question before explaining an issue others might run into.

I’ve moved all the virtualhost directives from the httpd.conf file to conf files under /etc/httpd/conf.d/. A few of the domains have sub-domains including self-hosted CDN’s. For example one of my sites has 10 sub-domains, currently have the main domain and the sub-domains virtualhost directives all in one conf file. Should I create a relevant conf file for each sub-domain or can I keep them all together?

After I know the above can take another crack at creating SSL certs.

Why everything went wrong and how I fixed it

Turned out not to be a DNS propagation issue, I appear to have stumbled upon a weird bug (not with Certbot)! Not sure if it’s a Centos 6.9 bug or a Virtualmin (control panel I use) bug.

As I moved virtualhost directives from the httpd.conf file (all the virtualhost directives were in that file by default)-

/etc/httpd/conf/httpd.conf

to individual conf files in

/etc/httpd/conf.d/*.tld.conf

The first conf file found in /etc/httpd/conf.d/ was being used as the domain to map my domain mapped WordPress installs! So a couple of dozen domains were mapping to the wrong domain.

Didn’t realize the cause until I’d moved all but one of the virtualhost directives to an individual file.

Fixed it by moving the main domain mapped domains virtualhosts directives whilst making sure it was the first conf file (alphabetically) by naming it:

/etc/httpd/conf.d/0virtual-light.com.conf

In summary… this is a really weird bug and a bit of an edge case.

If others have a Centos 6 server where a specific domain has to be the main domain for an IP (like I have because a domain is domain mapping a couple of dozen domains to one WordPress install) you have to move ALL the virtualhost directives from httpd.conf (you can’t leave any within that file) to conf files within /etc/httpd/conf.d/*.tld.conf making sure the main domains virtualhost directives are within the first conf file.

If you have a lot of domain you could move most of the virtualhost directives to one file like /etc/httpd/conf.d/virtualhosts.conf and create single conf files for those you want to create SSL certs for.

Thanks.

David

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.