Using multiple domains

I had several postings yesterday detailing my inability to renew my certificate. I was asked a few questions and suggested acme.sh. Acme did not work either and deleted my current certificate.

Now, I am setting up the web site on another server (which has letsencrypt installed). I have added 2 new domains. They show up. But, the server does not respond to a request for https for a new domain.
For instance: https://zend.centerstage.com works but https://tix4.centerstageticketing.com does not work. This is what I get:

[root@ip-172-31-18-163 bruce]# ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: zend.centerstage.com
Domains: zend.centerstage.com samantha.centerstage.com
Expiry Date: 2017-12-17 04:00:00+00:00 (VALID: 41 days)
Certificate Path: /etc/letsencrypt/live/zend.centerstage.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/zend.centerstage.com/privkey.pem
Certificate Name: zend.centerstage.com-0001
Domains: zend.centerstage.com tix4.centerstageticketing.com www.tix4.centerstageticketing.com
Expiry Date: 2018-02-03 17:57:24+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/zend.centerstage.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/zend.centerstage.com-0001/privkey.pem

Does anyone have any idea why this is not working and how to fix it?

Bruce

Please clarify this statement and/or what the exact problem is, and the command you ran that failed.

In the meantime...
The site https://tix4.centerstageticketing.com/ serves a cert good for only: www.tix4.centerstageticketing.com
As confirmed by SSLLabs.com; it is not listed in your ./certbot-auto certificates response, which showed two other certs:

  1. Domains: zend.centerstage.com samantha.centerstage.com
  2. Domains: zend.centerstage.com tix4.centerstageticketing.com www.tix4.centerstageticketing.com

The latest stable version of Apache is 2.4.29 (released 2017-10-23) - your system is running 2.4.6.
Not sure if that comes into play, but worth mentioning.

Rudy,

Thank you for the response - especially on a Sunday. This is the command I gave:

./certbot-auto --expand -d zend.centerstage.com -d tix4.centerstageticketing.com -d www.tix4.centerstageticketing.com

What I am trying to do is to have everyone going to tix4.centerstageticketing.com redirected to https://tix4.centerstageticketing.com. The zend.centerstage.com is not as important - but I do need it.

For instance, https://www.tix4.centerstageticketing.com/sierrarep/ works the way I want. However, if I remove the 'www.' and simply use https://tix4.centerstageticketing.com/sierrarep/ my customers get, "This site is not secure."

Do you know how to fix it?

The cert you're asking for already exists.
But it is not the one being served.
Try without --expand (defaults to renew which will get new if needed)
If that fails try walking it through once interactively:
--manual

If the certificate was already issued, it may not be helpful to try to get new certificates at all—if you can figure out where the existing certificate might be on the server.

I also don't think that that's the default behavior of Certbot (as I recall, --expand contrasts with --duplicate rather than with --force-renewal).

I took a look at what the provider had for the tix4.centerstageticketing.com domain. I found that it was pointed at a cname entry. I deleted it and re-entered it as an IP address. It seems to work now.

I was given this message:

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for tix4.centerstageticketing.com
tls-sni-01 challenge for www.tix4.centerstageticketing.com
tls-sni-01 challenge for zend.centerstage.com

We were unable to find a vhost with a ServerName or Address of tix4.centerstageticketing.com.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)

1: zendserver_gui.conf | | | Enabled
2: ssl.conf | Multiple Names | HTTPS | Enabled
3: le-redirect-zend.centerstage.c | Multiple Names | | Enabled
4: httpd.conf | | | Enabled

Select the appropriate number [1-4] then [enter] (press 'c' to cancel): 4
Waiting for verification...
Cleaning up challenges

We were unable to find a vhost with a ServerName or Address of tix4.centerstageticketing.com.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)

1: zendserver_gui.conf | | | Enabled
2: ssl.conf | Multiple Names | HTTPS | Enabled
3: le-redirect-zend.centerstage.c | Multiple Names | | Enabled
4: httpd.conf | | | Enabled

Select the appropriate number [1-4] then [enter] (press 'c' to cancel): 4
The selected vhost would conflict with other HTTPS VirtualHosts within Apache. Please select another vhost or add ServerNames to your configuration.
VirtualHost not able to be selected.

IMPORTANT NOTES:

  • Unable to install the certificate
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/zend.centerstage.com-0001/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/zend.centerstage.com-0001/privkey.pem
    Your cert will expire on 2018-02-03. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again with the "certonly" option. To non-interactively renew all
    of your certificates, run "certbot-auto renew"

Does that make any difference to anything?

Bruce

It sounds like you got a new certificate that also covered the names that you wanted. If that makes it work, that’s great!

The CNAME vs. A record shouldn’t affect the behavior either of Certbot or the Let’s Encrypt CA.

However, when I try to visit the site myself, I still see a certificate error.

He moved from one server to another, so who knows where the original cert may be...

I tried the --manual option. Now, I have this:

[root@ip-172-31-18-163 bruce]# ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: zend.centerstage.com
Domains: zend.centerstage.com samantha.centerstage.com
Expiry Date: 2017-12-17 04:00:00+00:00 (VALID: 41 days)
Certificate Path: /etc/letsencrypt/live/zend.centerstage.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/zend.centerstage.com/privkey.pem
Certificate Name: zend.centerstage.com-0001
Domains: tix4.centerstageticketing.com www.tix4.centerstageticketing.com zend.centerstage.com
Expiry Date: 2018-02-03 21:36:44+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/zend.centerstage.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/zend.centerstage.com-0001/privkey.pem
Certificate Name: tix4.centerstageticketing.com
Domains: www.tix4.centerstageticketing.com
Expiry Date: 2018-02-03 19:07:33+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/tix4.centerstageticketing.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/tix4.centerstageticketing.com/privkey.pem

Any other ideas?

Here’s an example:
https://tix4.centerstageticketing.com/sites/sierrarep/

This gives a message, “connection not secure.”

Because it is NOT (properly) secure.
Try it with the cert it holds (WWW):
https://www.tix4.centerstageticketing.com/sites/sierrarep/

I agree. If the customers would go into the site with ‘www’ it would be fine.

The question is how I change the certificate so it responds to both www. and without www.

That says it all.
Try
grep -ri servername /etc/apache
grep -ri serveralias /etc/apache

(replace /etc/apache with wherever you have your vhost files, if other location)

First you need to get all the vhost files in order.
By that I mean they can’t have any overlapping domains.
Check for use of “wild cards” or same FQDN in multiple vhost configs.

[root@ip-172-31-18-163 /]# grep -ri 'centerstageticketing.com' /etc/httpd
/etc/httpd/conf.d/ssl.conf:ServerAlias www.tix4.centerstageticketing.com
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/letsencrypt/live/tix4.centerstageticketing.com/cert.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/tix4.centerstageticketing.com/privkey.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateChainFile /etc/letsencrypt/live/tix4.centerstageticketing.com/chain.pem
/etc/httpd/conf.d/le-redirect-zend.centerstage.com.conf:ServerAlias www.tix4.centerstageticketing.com samantha.centerstage.com

I also tried grep -ri 'www.centerstageticketing.com' /etc/httpd but there was no response.

This command gave more of a response:

[root@ip-172-31-18-163 /]# grep -ri 'centerstageticketing.com' /etc/
/etc/httpd/conf.d/ssl.conf:ServerAlias www.tix4.centerstageticketing.com
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/letsencrypt/live/tix4.centerstageticketing.com/cert.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/tix4.centerstageticketing.com/privkey.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateChainFile /etc/letsencrypt/live/tix4.centerstageticketing.com/chain.pem
/etc/httpd/conf.d/le-redirect-zend.centerstage.com.conf:ServerAlias www.tix4.centerstageticketing.com samantha.centerstage.com
/etc/letsencrypt/renewal/tix4.centerstageticketing.com.conf:archive_dir = /etc/letsencrypt/archive/tix4.centerstageticketing.com
/etc/letsencrypt/renewal/tix4.centerstageticketing.com.conf:cert = /etc/letsencrypt/live/tix4.centerstageticketing.com/cert.pem
/etc/letsencrypt/renewal/tix4.centerstageticketing.com.conf:privkey = /etc/letsencrypt/live/tix4.centerstageticketing.com/privkey.pem
/etc/letsencrypt/renewal/tix4.centerstageticketing.com.conf:chain = /etc/letsencrypt/live/tix4.centerstageticketing.com/chain.pem
/etc/letsencrypt/renewal/tix4.centerstageticketing.com.conf:fullchain = /etc/letsencrypt/live/tix4.centerstageticketing.com/fullchain.pem

These two files overlap www.tix4.centerstageticketing.com and are creating the conflict:
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.d/le-redirect-zend.centerstage.com.conf
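The two grep commands Rudy suggested, and the overlap he spotted from their output, can be turned into a small check that reports every name listed as ServerName or ServerAlias in more than one vhost file. The script below is an added example for this thread, not something posted by either participant; the two config files it creates are constructed to mirror the layout described above (the real ssl.conf's ServerName is not shown in the thread), and it assumes POSIX sh with grep -r and awk.

```shell
#!/bin/sh
# Added example, not from the thread: list FQDNs that appear as ServerName or
# ServerAlias in more than one Apache vhost file. Such an overlap is what makes
# Apache (and certbot's installer) pick the wrong vhost for a name.

find_overlaps() {
    # $1: directory holding the vhost files (e.g. /etc/httpd/conf.d).
    dir="$1"
    # Match only uncommented ServerName/ServerAlias lines; grep -r prefixes each
    # hit with "file:", which awk strips off (paths containing ':' are not handled).
    grep -riE '^[[:space:]]*server(name|alias)[[:space:]]+' "$dir" \
    | awk -F: '{
        file = $1
        line = substr($0, length(file) + 2)
        n = split(line, w, /[[:space:]]+/)
        for (i = 1; i <= n; i++) {
            if (w[i] == "") continue
            d = tolower(w[i])
            if (d == "servername" || d == "serveralias") continue
            if ((d, file) in seen) continue     # same name twice in one file is fine
            seen[d, file] = 1
            count[d]++
            sep = (files[d] == "") ? "" : ", "
            files[d] = files[d] sep file
        }
    }
    END {
        for (d in count)
            if (count[d] > 1) print d ": " files[d]
    }' | sort
}

make_demo_vhosts() {
    # Constructed sample configs: the www name is aliased in both files,
    # which reproduces the conflict seen in the thread. Prints the temp dir.
    d=$(mktemp -d)
    cat > "$d/ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName tix4.centerstageticketing.com
    ServerAlias www.tix4.centerstageticketing.com
</VirtualHost>
EOF
    cat > "$d/le-redirect-zend.centerstage.com.conf" <<'EOF'
<VirtualHost *:80>
    ServerName zend.centerstage.com
    ServerAlias www.tix4.centerstageticketing.com samantha.centerstage.com
    # ServerAlias commented.example.com   (commented out, so ignored)
</VirtualHost>
EOF
    echo "$d"
}

DEMO_DIR=$(make_demo_vhosts)
echo "Names defined in more than one vhost file under $DEMO_DIR:"
find_overlaps "$DEMO_DIR"
rm -rf "$DEMO_DIR"
```

Run it against the real directory with `find_overlaps /etc/httpd/conf.d`; an empty result means no name is claimed by two files. Wildcard aliases such as `*.example.com` are reported like any other token, so they still have to be checked by eye against the exact names in the other files, as Rudy notes.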

Then, I will remove the reference in

/etc/httpd/conf.d/le-redirect-zend.centerstage.com.conf