Two domains same server certificate good on one but not the other

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.matthewjpage.com, www.spoonbomb.com

I ran this command: sudo certbot --apache

It produced this output:
```
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 5 6
Attempting to parse the version 0.34.2 renewal configuration file found at /etc/letsencrypt/renewal/matthewjpage.com.conf with version 0.28.0 of Certbot. This might not work.
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for spoonbomb.com
http-01 challenge for www.spoonbomb.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.spoonbomb.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.spoonbomb.com/.well-known/acme-challenge/zQ7chE4HjR__c3oMuaLjHjnuPAqaCZV02XTueNawIRM [162.243.201.127]: “\n\n404 Not Found\n\n

Not Found

\n<p”
```

IMPORTANT NOTES:

My web server is (include version): Apache/2.4.25

The operating system my web server runs on is (include version): Debian 9.9 Stretch

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot version 0.28.0

So I have a digital ocean droplet that is running Debian and has Apache running with virtual hosts set up to host my two domain names: www.matthewjpage.com and www.spoonbomb.com. I discovered this site and decided to get a certificate for both of my sites with the certbot. Through running certbot I WAS able to get www.matthewjpage.com’s certificate to work and it loads with the https:// and the lock icon, but my other domain spoonbomb.com has repeatedly failed with the error message above.

Does anybody have any ideas as to what I’m missing? Thanks

Did you know that http://www.spoonbomb.com/ itself is an Apache “it works!” page, instead of the Spoon Bomb website?

(https://www.spoonbomb.com/ is the right website, but with a self-signed certificate.)

Can you post “sudo apachectl -t -D DUMP_VHOSTS”?

If there are multiple overlapping virtual hosts, sometimes Certbot will apply the validation modifications to one, and then Apache will use a different one.

Certbot 0.31.0 and newer will be more likely to succeed, but you can also just fix the ambiguity in the Apache configuration, if that’s what the issue is.

Were you using certbot-auto before?


Yeah I noticed too that http://www.spoonbomb.com goes to the Apache “it works” page
and https://www.spoonbomb.com goes to the real website

I had actually run certbot-auto previously, before I did a sudo apt-get dist-upgrade to Debian 9.9 Stretch

```
robgraves@www ~ $ sudo apachectl -t -D DUMP_VHOSTS
[sudo] password for robgraves:
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server www.spoonbomb.com (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost www.spoonbomb.com (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost www.cistclub.com (/etc/apache2/sites-enabled/cistclub.com.conf:1)
                 alias cistclub.com
         port 80 namevhost www.matthewjpage.com (/etc/apache2/sites-enabled/matthewjpage.com.conf:1)
                 alias matthewjpage.com
         port 80 namevhost www.spoonbomb.com (/etc/apache2/sites-enabled/spoonbomb.com.conf:1)
                 alias spoonbomb.com
*:443                  is a NameVirtualHost
         default server www.matthewjpage.com (/etc/apache2/sites-enabled/matthewjpage.com-le-ssl.conf:2)
         port 443 namevhost www.matthewjpage.com (/etc/apache2/sites-enabled/matthewjpage.com-le-ssl.conf:2)
                 alias matthewjpage.com
         port 443 namevhost www.spoonbomb.com (/etc/apache2/sites-enabled/spoonbomb.com-ssl.conf:2)
                 alias spoonbomb.com
robgraves@www ~ $
```

Hi @robgraves

you have two vHosts with www.spoonbomb.com, that’s bad.

Check both vHosts and remove one. Every combination of port and ServerName should be unique.

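An added check, not from anyone in this thread, that finds the ambiguity the replies describe: it parses `apachectl -t -D DUMP_VHOSTS` output and reports every port plus ServerName/ServerAlias combination that is served by more than one VirtualHost, which is exactly the case where Certbot's http-01 challenge lands in one vhost while Apache answers from another. The function names and the embedded sample dump (constructed to mirror the output posted above) are this example's own.

```shell
#!/bin/sh
# Constructed sample, modelled on the DUMP_VHOSTS output posted in the thread.
SAMPLE_DUMP='VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server www.spoonbomb.com (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost www.spoonbomb.com (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost www.cistclub.com (/etc/apache2/sites-enabled/cistclub.com.conf:1)
                 alias cistclub.com
         port 80 namevhost www.matthewjpage.com (/etc/apache2/sites-enabled/matthewjpage.com.conf:1)
                 alias matthewjpage.com
         port 80 namevhost www.spoonbomb.com (/etc/apache2/sites-enabled/spoonbomb.com.conf:1)
                 alias spoonbomb.com
*:443                  is a NameVirtualHost
         default server www.matthewjpage.com (/etc/apache2/sites-enabled/matthewjpage.com-le-ssl.conf:2)
         port 443 namevhost www.matthewjpage.com (/etc/apache2/sites-enabled/matthewjpage.com-le-ssl.conf:2)
                 alias matthewjpage.com
         port 443 namevhost www.spoonbomb.com (/etc/apache2/sites-enabled/spoonbomb.com-ssl.conf:2)
                 alias spoonbomb.com'

# Emit "port name file:line" for every namevhost line and every alias line.
# An alias belongs to the namevhost that precedes it, so it inherits its
# port and defining file. The "default server" line repeats the first
# namevhost and is skipped so it is not counted twice.
vhost_names() {
    awk '
        $1 == "port" && $3 == "namevhost" {
            port = $2; file = $5; gsub(/[()]/, "", file)
            print port, $4, file; next
        }
        $1 == "alias" { print port, $2, file }
    '
}

# Read a DUMP_VHOSTS dump on stdin and print one line per port+name pair
# that is defined in more than one vhost, followed by the defining files.
# Returns 1 when duplicates exist (the configuration is ambiguous), else 0.
find_duplicate_vhosts() {
    dups=$(vhost_names | awk '
        { k = $1 " " $2; c[k]++; f[k] = f[k] " " $3 }
        END { for (k in c) if (c[k] > 1) print k ":" f[k] }' | sort)
    [ -n "$dups" ] && { printf '%s\n' "$dups"; return 1; }
    return 0
}

# On a live server (assumption: root or sudo is available):
#   sudo apachectl -t -D DUMP_VHOSTS | find_duplicate_vhosts
```

Each reported line names the two files to reconcile; once only one of them declares that ServerName for that port, `apachectl -t -D DUMP_VHOSTS` lists the name once and the check exits 0.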

Awesome, thank you, that worked, Thanks so much.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.