Just started working with Certbot today on a CentOS 6.9 server (GoDaddy VPS).
The server by default has all the VirtualHost directives within the main httpd.conf file, so automatic setup failed. After moving some of the VirtualHost content (not done them all yet: the server has dozens of domains) to separate conf files (example: wwgaming.com.conf), I was able to get SSL to work with one domain.
http://www.wwgaming.com/ - during Certbot setup I selected redirect, so it redirects to the https version.
https://www.wwgaming.com/
So that's working.
Next step was to try to use the same setup for a second domain on the same IP address.
http://morearnings.com/
https://morearnings.com/
At first I ran through the same setup, ./certbot-auto --apache,
and selected all the morearnings.com sub-domains. The relevant files were created, but the test at SSL Server Test: morearnings.com (Powered by Qualys SSL Labs) reported "Certificate name mismatch".
http was working as before, https still didn't work.
Next tried to use one certificate for the two domains.
Ran ./certbot-auto --apache
again, but this time selected all the morearnings sub-domains and the wwgaming.com sub-domains, and opted to renew the certificate (done this once, so have 4 more renews left this week). Below is the output, cut down a little.
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which names would you like to activate HTTPS for?
...
97: morearnings.com
98: admin.morearnings.com
99: webmail.morearnings.com
100: www.morearnings.com
...
128: wwgaming.com
129: www.wwgaming.com
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 97,98,99,100,128,129
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/wwgaming.com.conf)
What would you like to do?
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
/root/.local/share/letsencrypt/lib/python2.6/site-packages/acme/jose/jwa.py:110: DeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
Performing the following challenges:
tls-sni-01 challenge for wwgaming.com
tls-sni-01 challenge for morearnings.com
tls-sni-01 challenge for admin.morearnings.com
tls-sni-01 challenge for webmail.morearnings.com
tls-sni-01 challenge for www.morearnings.com
tls-sni-01 challenge for www.wwgaming.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate for wwgaming.com to VirtualHost /etc/httpd/conf.d/wwgaming.com-le-ssl.conf
Deploying Certificate for morearnings.com to VirtualHost /etc/httpd/conf.d/morearnings.com-le-ssl.conf
Deploying Certificate for admin.morearnings.com to VirtualHost /etc/httpd/conf.d/morearnings.com-le-ssl.conf
Deploying Certificate for webmail.morearnings.com to VirtualHost /etc/httpd/conf.d/morearnings.com-le-ssl.conf
Deploying Certificate for www.morearnings.com to VirtualHost /etc/httpd/conf.d/morearnings.com-le-ssl.conf
Deploying Certificate for www.wwgaming.com to VirtualHost /etc/httpd/conf.d/wwgaming.com-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Your existing certificate has been successfully renewed, and the new certificate
has been installed.
The new certificate covers the following domains: https://wwgaming.com,
https://morearnings.com, https://admin.morearnings.com,
https://webmail.morearnings.com, https://www.morearnings.com, and
https://www.wwgaming.com
You should test your configuration at:
SSL Server Test (Powered by Qualys SSL Labs)
SSL Server Test: morearnings.com (Powered by Qualys SSL Labs)
SSL Server Test: admin.morearnings.com (Powered by Qualys SSL Labs)
SSL Server Test (Powered by Qualys SSL Labs)
SSL Server Test (Powered by Qualys SSL Labs)
SSL Server Test: www.wwgaming.com (Powered by Qualys SSL Labs)
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/wwgaming.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/wwgaming.com/privkey.pem
Your cert will expire on 2017-11-03. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again with the "certonly" option. To non-interactively renew all
of your certificates, run "certbot-auto renew"
If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation
http://www.wwgaming.com/ and https://www.wwgaming.com/ work as expected
http://morearnings.com/ and https://morearnings.com/ are not working as expected. http works, but https redirects to https://www.wwgaming.com/
Contents of /etc/httpd/conf.d/wwgaming.com.conf
<VirtualHost 166.62.84.189:80>
SuexecUserGroup "#yyy" "#yyy"
ServerName wwgaming.com
ServerAlias www.wwgaming.com
DocumentRoot /home/yyy/public_html
ErrorLog /var/log/virtualmin/wwgaming.com_error_log
CustomLog /var/log/virtualmin/wwgaming.com_access_log combined
ScriptAlias /cgi-bin/ /home/yyy/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/yyy/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksifOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Action application/x-httpd-php5 /cgi-bin/php5.cgi
Action application/x-httpd-php5.6 /cgi-bin/php5.6.cgi
AddType application/x-httpd-php5 .php5
AddType application/x-httpd-php5.6 .php5.6
AddType application/x-httpd-php5.6 .php
</Directory>
<Directory /home/yyy/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
Alias /pipermail /var/lib/mailman/archives/public
RemoveHandler .php
RemoveHandler .php5
RemoveHandler .php5.6
php_admin_value engine Off
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.wwgaming.com [OR]
RewriteCond %{SERVER_NAME} =wwgaming.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,NE,R=permanent]
</VirtualHost>
Contents of /etc/httpd/conf.d/wwgaming.com-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost 166.62.84.189:443>
SuexecUserGroup "#yyy" "#yyy"
ServerName wwgaming.com
ServerAlias www.wwgaming.com
DocumentRoot /home/yyy/public_html
ErrorLog /var/log/virtualmin/wwgaming.com_error_log
CustomLog /var/log/virtualmin/wwgaming.com_access_log combined
ScriptAlias /cgi-bin/ /home/yyy/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/yyy/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksifOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Action application/x-httpd-php5 /cgi-bin/php5.cgi
Action application/x-httpd-php5.6 /cgi-bin/php5.6.cgi
AddType application/x-httpd-php5 .php5
AddType application/x-httpd-php5.6 .php5.6
AddType application/x-httpd-php5.6 .php
</Directory>
<Directory /home/yyy/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
Alias /pipermail /var/lib/mailman/archives/public
RemoveHandler .php
RemoveHandler .php5
RemoveHandler .php5.6
php_admin_value engine Off
SSLCertificateFile /etc/letsencrypt/live/wwgaming.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/wwgaming.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/wwgaming.com/chain.pem
</VirtualHost>
</IfModule>
Contents of /etc/httpd/conf.d/morearnings.com.conf
<VirtualHost 166.62.84.189:80>
SuexecUserGroup "#xxx" "#xxx"
ServerName morearnings.com
ServerAlias www.morearnings.com
ServerAlias webmail.morearnings.com
ServerAlias admin.morearnings.com
ServerAlias *.morearnings.com
DocumentRoot /home/xxx/public_html
ErrorLog /var/log/virtualmin/morearnings.com_error_log
CustomLog /var/log/virtualmin/morearnings.com_access_log combined
ScriptAlias /cgi-bin/ /home/xxx/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/xxx/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
AddHandler fcgid-script .php5.6
FCGIWrapper /home/xxx/fcgi-bin/php5.6.fcgi .php
FCGIWrapper /home/xxx/fcgi-bin/php5.fcgi .php5
FCGIWrapper /home/xxx/fcgi-bin/php5.6.fcgi .php5.6
</Directory>
<Directory /home/xxx/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.morearnings.com
RewriteRule ^(.*) https://morearnings.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.morearnings.com
RewriteRule ^(.*) https://morearnings.com:10000/ [R]
RemoveHandler .php
RemoveHandler .php5
RemoveHandler .php5.6
php_admin_value engine Off
FcgidMaxRequestLen 1073741824
IPCCommTimeout 31
</VirtualHost>
Contents of /etc/httpd/conf.d/morearnings.com-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost 166.62.84.189:443>
SuexecUserGroup "#xxxx" "#xxxx"
ServerName morearnings.com
ServerAlias www.morearnings.com
ServerAlias webmail.morearnings.com
ServerAlias admin.morearnings.com
ServerAlias *.morearnings.com
DocumentRoot /home/xxx/public_html
ErrorLog /var/log/virtualmin/morearnings.com_error_log
CustomLog /var/log/virtualmin/morearnings.com_access_log combined
ScriptAlias /cgi-bin/ /home/xxx/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/xxx/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
AddHandler fcgid-script .php5.6
FCGIWrapper /home/xxx/fcgi-bin/php5.6.fcgi .php
FCGIWrapper /home/xxx/fcgi-bin/php5.fcgi .php5
FCGIWrapper /home/xxx/fcgi-bin/php5.6.fcgi .php5.6
</Directory>
<Directory /home/xxx/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.
# RewriteCond %{HTTP_HOST} =webmail.morearnings.com
# RewriteRule ^(.*) https://morearnings.com:20000/ [R]
# RewriteCond %{HTTP_HOST} =admin.morearnings.com
# RewriteRule ^(.*) https://morearnings.com:10000/ [R]
RemoveHandler .php
RemoveHandler .php5
RemoveHandler .php5.6
php_admin_value engine Off
FcgidMaxRequestLen 1073741824
IPCCommTimeout 31
SSLCertificateFile /etc/letsencrypt/live/wwgaming.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/wwgaming.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/wwgaming.com/chain.pem
</VirtualHost>
</IfModule>
The morearnings .htaccess file is the standard WordPress .htaccess file, so there's nothing within it that could cause an issue.
I've tried different setups multiple times, and under /etc/letsencrypt/live/ have 4 folders:
morearnings.com
wwgaming.com
wwgaming.com-0001
wwgaming.com-0002
As you can see from the two "/etc/httpd/conf.d/######.com-le-ssl.conf" files, the 0001 and 0002 files aren't used.
Any idea where I went wrong?
Not sure the output below is any use, based on Correct approach for multiple domains - one cert or several? - #2 by sahsanu
grep -ri VirtualHost *
install.sh: sed -i -e "s/NameVirtualHost \*:80/NameVirtualHost $address:80/" $vhostsconf
install.sh: sed -i -e "s/VirtualHost \*:80/VirtualHost $address:80/" $vhostsconf
grep -ri NameVirtualHost *
install.sh: sed -i -e "s/NameVirtualHost \*:80/NameVirtualHost $address:80/" $vhostsconf
In httpd.conf should I add
NameVirtualHost *:80
NameVirtualHost *:443
If so, would those replace these?
NameVirtualHost 166.62.84.189:80
NameVirtualHost 166.62.84.189:443
Thanks
David
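As an added example (not the poster's files or Certbot's code), a small check for the NameVirtualHost question above: it parses VirtualHost blocks the way they appear in the conf.d files and flags any addr:port that has several blocks but no NameVirtualHost line, the layout Apache 2.2 (what CentOS 6 ships) treats as overlapping so that only the first block is served for that listener. The IP address, the sample config and the `(unnamed)` fallback are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample (not the poster's files): NameVirtualHost is declared
# for :80 only, while two :443 vhosts share the IP and the wwgaming.com cert.
SAMPLE_CONF = """
NameVirtualHost 192.0.2.10:80
<VirtualHost 192.0.2.10:443>
  ServerName morearnings.com
  ServerAlias www.morearnings.com *.morearnings.com
  SSLCertificateFile /etc/letsencrypt/live/wwgaming.com/cert.pem
</VirtualHost>
<VirtualHost 192.0.2.10:443>
  ServerName wwgaming.com
  ServerAlias www.wwgaming.com
  SSLCertificateFile /etc/letsencrypt/live/wwgaming.com/cert.pem
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(text):
    """Group vhosts per addr:port in file order (the first block is the
    default for that listener) and collect the addr:port values that have
    a NameVirtualHost line."""
    listeners = defaultdict(list)
    for addr, body in VHOST_RE.findall(text):
        names, cert = [], None
        for parts in (ln.split() for ln in body.splitlines() if ln.strip()):
            if parts[0].lower() in ("servername", "serveralias"):
                names.extend(parts[1:])
            elif parts[0].lower() == "sslcertificatefile":
                cert = parts[1]
        listeners[addr.strip()].append({"names": names, "cert": cert})
    nvh = set(re.findall(r"^\s*NameVirtualHost\s+(\S+)", text, re.M | re.I))
    return listeners, nvh

def audit(text):
    """Flag listeners with several vhosts but no NameVirtualHost: Apache 2.2
    then treats the blocks as overlapping and serves only the first one,
    so every name on that listener lands in that single vhost."""
    listeners, nvh = parse_vhosts(text)
    findings = []
    for addr, vhosts in listeners.items():
        if len(vhosts) > 1 and addr not in nvh:
            first = vhosts[0]["names"][0] if vhosts[0]["names"] else "(unnamed)"
            findings.append(f"{addr}: {len(vhosts)} VirtualHost blocks but no "
                            f"NameVirtualHost {addr}; only {first} is served")
    return findings
```

On Apache 2.4 NameVirtualHost is obsolete and name-based dispatch is automatic, so the finding only matters on 2.2; on the live server `httpd -S` dumps the parsed vhost table and should agree with this report.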