Unable to cover www with certbot

I run the following two small sites on a Pi server at home:

https://incoherent.xyz
https://vixen.international

The first domain is dandy. The second domain, however, seems problematic. I cannot produce a certificate that covers both https://vixen.international and https://www.vixen.international. Where the first site has a certificate that covers www, the second can only produce one or the other - no matter what I do. Producing a certificate that includes www appears to overwrite the certificate without a prefix.

I am using Certbot (python-certbot-apache) to generate certificates automatically. Is there an option I can throw in to generate a certificate that covers “*.vixen.international” as well as the root domain? sudo certbot --apache appears to only be able to do this for one site.

Interestingly, there is no erroneous output. The certificate appears to generate within certbot, and the only indication of an issue is upon navigation to the site itself. For the time being I am using redirection to eliminate www, but this is a messy workaround and will fail once I add subdomains to the site.


Hi @r0tekatze

checking your domain the basics are ok - https://check-your-website.server-daten.de/?q=vixen.international

Both domains have the same ip address.

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| vixen.international | A | 31.132.33.9 Oxted/England/United Kingdom (GB) - Origin Broadband Limited No Hostname found | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.vixen.international | A | 31.132.33.9 Oxted/England/United Kingdom (GB) - Origin Broadband Limited No Hostname found | yes | 1 | 0 |
| | AAAA | | yes | | |

And you have created some certificates:

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2019-11-17 | 2020-02-15 | vixen.international - 1 entries | duplicate nr. 2 | |
| Let's Encrypt Authority X3 | 2019-11-17 | 2020-02-15 | www.vixen.international - 1 entries | duplicate nr. 1 | |
| Let's Encrypt Authority X3 | 2019-11-17 | 2020-02-15 | vixen.international - 1 entries | duplicate nr. 1 | |
| Let's Encrypt Authority X3 | 2019-11-17 | 2020-02-15 | incoherent.xyz, vixen.international, www.incoherent.xyz, www.vixen.international - 4 entries | duplic | |

But not the one you need.

It's an Apache. What does this say?

apachectl -S

The output is as follows:

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server incoherent.xyz (/etc/apache2/sites-enabled/incoherent.xyz-le-ssl.conf:2)
         port 443 namevhost incoherent.xyz (/etc/apache2/sites-enabled/incoherent.xyz-le-ssl.conf:2)
                 alias www.incoherent.xyz
         port 443 namevhost vixen.international (/etc/apache2/sites-enabled/vixen.international-le-ssl.conf:2)
                 alias www.vixen.international
*:80                   is a NameVirtualHost
         default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost incoherent.xyz (/etc/apache2/sites-enabled/incoherent.xyz.conf:1)
                 alias www.incoherent.xyz
         port 80 namevhost vixen.international (/etc/apache2/sites-enabled/vixen.international.conf:1)
                 alias www.vixen.international
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

Note that initially, when I generated that multi-domain cert, I couldn't get HTTPS redirection working properly on the vixen domain. I'm actually having some issues getting it to redirect now, although I've only just learned that certbot creates an additional conf for the ssl implementation.


That's good. One port 80 vHost with both domain names.

Then try

certbot --apache -d vixen.international -d www.vixen.international

That worked, thanks!

What does -d imply? Include the specified domain in the certificate, or something to that effect?


-d is a shortcut for domain. So you can list all domains you want to have in one certificate.


Huh. So is it more likely that certbot just didn't recognise the two separate domains first time around? Also, will auto-renewal have been set up this time around?


I don't know which command you have used.

The result is saved in your config file. So it should work. Later, you may delete your certificates with one domain name, because you don't need these (and you don't need to renew them).

certbot certificates, then certbot delete --cert-name certificatename.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
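
Added example (not part of the thread and not certbot's own code): a shell check that reports which hostnames a certificate's subjectAltName does not cover, the mismatch that in this thread only became visible in the browser. It goes beyond the thread by also handling wildcard entries, which cover one label and not the bare domain. The `make_cert` helper and the self-signed certificates are constructed for the demonstration, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example. Needs OpenSSL 1.1.1+ (-addext / -ext). The certificates below
# are constructed, self-signed test data, not the ones issued in this thread.

# Print the DNS names from a PEM certificate's subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' | tr 'A-Z' 'a-z'
}

# True if SAN entry $1 covers hostname $2. A wildcard stands for exactly one
# left-most label, so "*.example.org" does not cover "example.org" itself.
san_matches() {
    case $1 in
        \*.*) rest=${2#*.}
              [ "$rest" != "$2" ] && [ "$rest" = "${1#\*.}" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# missing_names CERT HOST...: print each HOST the certificate does not cover.
# Returns 1 if at least one name is missing.
missing_names() {
    sans=$(cert_sans "$1"); shift; rc=0
    for host in "$@"; do
        host=$(printf '%s' "$host" | tr 'A-Z' 'a-z'); found=no
        while IFS= read -r san; do
            if san_matches "$san" "$host"; then found=yes; break; fi
        done <<EOF
$sans
EOF
        [ "$found" = yes ] || { echo "$host"; rc=1; }
    done
    return $rc
}

# Hypothetical helper: build a throwaway self-signed cert with the given SANs.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed" \
        -addext "subjectAltName=$2" -keyout "$1.key" -out "$1" 2>/dev/null
}

tmp=$(mktemp -d)
make_cert "$tmp/apex.pem" "DNS:vixen.international"
make_cert "$tmp/both.pem" "DNS:vixen.international,DNS:www.vixen.international"
make_cert "$tmp/wild.pem" "DNS:*.vixen.international"
for c in apex both wild; do
    echo "$c.pem lacks: $(missing_names "$tmp/$c.pem" vixen.international www.vixen.international | tr '\n' ' ')"
done
```

On the server, the same function can be pointed at the certificate file that `certbot certificates` lists for the site.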