Unable to cover www with certbot

I run the following two small sites on a Pi server at home:

https://incoherent.xyz
https://vixen.international

The first domain is dandy. The second domain, however, seems problematic. I cannot produce a certificate that covers both https://vixen.international and https://www.vixen.international. Where the first site has a certificate that covers www, the second can only produce one or the other - no matter what I do. Producing a certificate that includes www appears to overwrite the certificate without a prefix.

I am using Certbot (python-certbot-apache) to generate certificates automatically. Is there an option I can throw in to generate a certificate that covers “*.vixen.international” as well as the root domain? sudo certbot --apache appears to only be able to to this for one site.

Interestingly, there is no erroneous output. The certificate appears to generate within certbot, and the only indication of an issue is upon navigation to the site itself. For the time being I am using redirection to eliminate www, but this is a messy workaround and will fail once I add subdomains to the site.

1 Like

Hi @r0tekatze

checking your domain the basics are ok - https://check-your-website.server-daten.de/?q=vixen.international

Both domains have the same ip address.

Host T IP-Address is auth. ∑ Queries ∑ Timeout
vixen.international A 31.132.33.9 Oxted/England/United Kingdom (GB) - Origin Broadband Limited No Hostname found yes 1 0
AAAA yes
www.vixen.international A 31.132.33.9 Oxted/England/United Kingdom (GB) - Origin Broadband Limited No Hostname found yes 1 0
AAAA yes

And you have created some certificates:

Issuer not before not after Domain names LE-Duplicate next LE
Let's Encrypt Authority X3 2019-11-17 2020-02-15 vixen.international - 1 entries duplicate nr. 2
Let's Encrypt Authority X3 2019-11-17 2020-02-15 www.vixen.international - 1 entries duplicate nr. 1
Let's Encrypt Authority X3 2019-11-17 2020-02-15 vixen.international - 1 entries duplicate nr. 1
Let's Encrypt Authority X3 2019-11-17 2020-02-15 incoherent.xyz, vixen.international, www.incoherent.xyz, www.vixen.international - 4 entries duplic

But not that one you need.

It's an Apache. What says

apachectl -S
1 Like

The output is as follows:

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server incoherent.xyz (/etc/apache2/sites-enabled/incoherent.xyz-le-ssl.conf:2)
         port 443 namevhost incoherent.xyz (/etc/apache2/sites-enabled/incoherent.xyz-le-ssl.conf:2)
                 alias www.incoherent.xyz
         port 443 namevhost vixen.international (/etc/apache2/sites-enabled/vixen.international-le-ssl.conf:2)
                 alias www.vixen.international
*:80                   is a NameVirtualHost
         default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost incoherent.xyz (/etc/apache2/sites-enabled/incoherent.xyz.conf:1)
                 alias www.incoherent.xyz
         port 80 namevhost vixen.international (/etc/apache2/sites-enabled/vixen.international.conf:1)
                 alias www.vixen.international
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

Note that initially, when I generated that multi-domain cert, I couldn’t get HTTPS redirection working properly on the vixen domain. I’m actually having some issues getting it to redirect now, although I’ve only just learned that certbot creates an additional conf for the ssl implementation.

1 Like

That's

good. One port 80 vHost with both domain names.

Then try

certbot --apache -d vixen.international -d www.vixen.international
2 Likes

That worked, thanks!

What does -d imply? Include the specified domain in the certificate, or something to that effect?

3 Likes

-d is a shortcut for domain. So you can list all domains you want to have in one certificate.

1 Like

Huh. So is it more likely that certbot just didn’t recognise the two separate domains first time around? Also, will auto-renewal have been set up this time around?

1 Like

I don't know which command you have used.

The result is saved in your config file. So it should work. Later, you may delete your certificates with one domain name, because you don't need these (and you don't need a renew).

certbot certificates, then certbot delete certificatename.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.