WAN vs LAN (why can't I see my webpages from LAN?)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jondowd.com

I ran this command: entered jondowd.com in a browser

It produced this output: Your connection is not private

My web server is (include version): Apache/2.4.62 (Debian)

The operating system my web server runs on is (include version): v25.5.1 for Orange Pi 5 running Armbian Linux 6.12.32-current-rockchip64

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 4.1.1

Hello, I moved my home webserver off of an older Atom motherboard to a new Single Board Computer, an Orange Pi 5.
I'm running Armbian OS and installed my Certbot certificates using Snap.
(TBH - I don't know how I installed them in the past or what circumstances led me to using Snap).
Since the move I can no longer see my page while I'm in the same LAN as the server, but the pages are visible/functional via the WAN. (Confusingly, the pages work fine on ONE of my home computers, on the same LAN.)
This wasn't a problem prior to moving to the new server; I only had to make entries in the Windows hosts file and the pages would load as https.
Thank you.

Yeah, for some reason your Apache server uses the cert you have for www.jondowd.com rather than the cert for jondowd.com. See: SSL Checker

Usually the registered name and a www subdomain are in the same cert and used by the same VirtualHost. That is not required and some people prefer it separate. Just noting that you should review your Apache config and which of the certs it should be using for which VHost

Note in the past you did get a cert with both names combined so maybe you just need to repeat that.

As for your local networking problem, that's a bit outside the scope of what we normally handle. Perhaps someone will comment anyway but that is not related to your certs.

3 Likes

Thank you for your help. I will continue to poke around for the LAN issue.
As for "Usually the registered name and a www subdomain are in the same cert and used by the same VirtualHost. That is not required and some people prefer it separate. Just noting that you should review your Apache config and which of the certs it should be using for which VHost"

Could this be due to utilizing snap install certbot --classic
to install the certificates? Is there a more preferable way?

No. It is related to the command you used to request the certificate.

Your most recent only requested a single name in the cert. You did not describe the commands so I couldn't say more. This could be something you did explicitly (like using just one -d value). Or was caused by the way you responded to Certbot prompts. Or, it could be because you re-arranged your Apache config and let Certbot default.

Anyway, since you had a working system before, it sounded like you just needed to resume doing whatever you did before.

If you are not sure, please show outputs of these and we can get you sorted out.

sudo certbot certificates
sudo apache2ctl -t -D DUMP_VHOSTS
3 Likes

That's quite the strange renewal pattern there. Almost as if renewals were forced or duplicate certificates are in play..

2 Likes

Yeah, very similar to the problems from last year. And pretty much the same steps to correct this time :)

2 Likes

TL? (I think things are working, I can see my three little websites when I request them outside of my LAN, so I don't want to trouble you unnecessarily - For fun I moved my server to an SBC, and now only one of the computers shows me my sites while on my home network)

If any of the information submitted below warrants me making changes I will follow your advice. THANK YOU.

Any of my difficulties have been self imposed as I hoped it would be interesting to move my Apache web server to a Single Board Computer, in this case an Orange Pi 5. The OS is Armbian. After getting Apache2 up and running with my three virtual hosts, I attempted to reinstall certificates with Certbot as I had done before. Unable to find my notes, a search led me to certbot.eff.org which in turn led me to these instructions -
Certbot Instructions
I installed Snap Certbot and running it brings the following (I don't remember using Snap and it didn't look familiar to my prior installation of Certbot, but I proceeded, bringing us to here, today).


The output of sudo certbot

jon@sotw:~$ sudo certbot
[sudo] password for jon:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: www.atomcivigil.net
2: atomicvigil.net
3: jondowd.com
4: www.jondowd.com
5: serveronthewall.com
6: www.serveronthewall.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):


The output of sudo certbot certificates
jon@sotw:~$ sudo certbot certificates
[sudo] password for jon:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: atomicvigil.net
Serial Number: 6e6f31d46b0591e719f928af654cd5c4083
Key Type: ECDSA
Domains: atomicvigil.net
Expiry Date: 2025-10-05 18:16:34+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/atomicvigil.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/atomicvigil.net/privkey.pem
Certificate Name: jondowd.com
Serial Number: 6e4a4aff4ddb37fe4a7579f6e069c09d15c
Key Type: ECDSA
Domains: jondowd.com
Expiry Date: 2025-10-05 18:15:46+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/jondowd.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/jondowd.com/privkey.pem
Certificate Name: serveronthewall.com
Serial Number: 6db6a1a6b1651c3e804fddda43452feb85f
Key Type: ECDSA
Domains: serveronthewall.com
Expiry Date: 2025-10-05 18:16:13+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/serveronthewall.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/serveronthewall.com/privkey.pem
Certificate Name: www.jondowd.com
Serial Number: 5813d457b2549ea94bbb64334db1960d9ee
Key Type: ECDSA
Domains: www.jondowd.com
Expiry Date: 2025-10-05 18:16:00+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/www.jondowd.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.jondowd.com/privkey.pem
Certificate Name: www.serveronthewall.com
Serial Number: 5a0968be3de51dd38f7eee3004a2ca5aec0
Key Type: ECDSA
Domains: www.serveronthewall.com
Expiry Date: 2025-10-05 18:16:21+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/www.serveronthewall.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.serveronthewall.com/privkey.pem



The output of
sudo apache2ctl -t -D DUMP_VHOSTS
jon@sotw:~$ sudo apache2ctl -t -D DUMP_VHOSTS
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 is a NameVirtualHost
default server atomicvigil.net (/etc/apache2/sites-enabled/atomicvigil.net-le-ssl.conf:2)
port 443 namevhost atomicvigil.net (/etc/apache2/sites-enabled/atomicvigil.net-le-ssl.conf:2)
alias www.atomcivigil.net
port 443 namevhost jondowd.com (/etc/apache2/sites-enabled/jondowd.com-le-ssl.conf:2)
alias www.jondowd.com
port 443 namevhost serveronthewall.com (/etc/apache2/sites-enabled/serveronthewall.com-le-ssl.conf:2)
alias www.serveronthewall.com
*:80 is a NameVirtualHost
default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost atomicvigil.net (/etc/apache2/sites-enabled/atomicvigil.net.conf:1)
alias www.atomcivigil.net
port 80 namevhost jondowd.com (/etc/apache2/sites-enabled/jondowd.com.conf:1)
alias www.jondowd.com
port 80 namevhost serveronthewall.com (/etc/apache2/sites-enabled/serveronthewall.com.conf:1)
alias www.serveronthewall.com


I'll walk you through fixing one of them and you can follow the pattern for the others. Mind you, this was the same problem you had last year.

The above are two separate certificates each with one domain name.

And the above is a VirtualHost in Apache that handles both of those domain names.

The problem is that Apache VHost uses only one of the above certificates. So, the "missing" domain won't look valid in browsers.

You need to re-issue the cert your Apache uses to include both names. Do:

sudo certbot --apache --cert-name www.jondowd.com -d jondowd.com -d www.jondowd.com

Certbot will ask if you want to expand the cert to include a new name. Do that.

I used the --cert-name for the www subdomain as that is what your Apache currently uses: SSL Checker

If there are any problems with that let us know. Otherwise, once you confirm both domain names work properly you should delete the obsolete one with:

sudo certbot delete --cert-name jondowd.com

And once that all works repeat the same process for your other two pairs of domain names.

You will need to correct the typo for www.atomicvigil.net in your two Apache config files too. You have it spelled www.atomcivigil.net. Correct this before running the steps above for this pair and note you won't have a certificate to delete since you did not get one for the misspelled name.

2 Likes
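As an added example (not part of any post in this thread, and not Certbot or Apache code): a small Python check that parses the two diagnostic outputs requested above and reports, for each port-443 VirtualHost, whether a single certificate covers every name it serves. The sample text is abridged from the outputs posted in the thread; the function names are illustrative, and matching is exact (wildcard certificates are not handled).

```python
import re

# Sample input: abridged from the two command outputs posted in this thread.
CERTS_OUT = """\
Certificate Name: atomicvigil.net
  Domains: atomicvigil.net
Certificate Name: jondowd.com
  Domains: jondowd.com
Certificate Name: www.jondowd.com
  Domains: www.jondowd.com
"""
VHOSTS_OUT = """\
*:443 is a NameVirtualHost
  port 443 namevhost atomicvigil.net (/etc/apache2/sites-enabled/atomicvigil.net-le-ssl.conf:2)
    alias www.atomcivigil.net
  port 443 namevhost jondowd.com (/etc/apache2/sites-enabled/jondowd.com-le-ssl.conf:2)
    alias www.jondowd.com
*:80 is a NameVirtualHost
  port 80 namevhost jondowd.com (/etc/apache2/sites-enabled/jondowd.com.conf:1)
    alias www.jondowd.com
"""

def parse_certs(text):
    """Map each certificate name to the set of domains it covers."""
    pairs = re.findall(r"Certificate Name: (\S+).*?Domains: ([^\n]*)", text, re.S)
    return {name: set(domains.split()) for name, domains in pairs}

def parse_tls_vhosts(text):
    """Map each port-443 vhost to every name it answers for (ServerName + aliases)."""
    vhosts, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"port (\d+) namevhost (\S+)", line)
        if m:
            # Assumption: only port 443 vhosts serve TLS; port 80 entries are skipped.
            current = m.group(2) if m.group(1) == "443" else None
            if current:
                vhosts[current] = {current}
        elif line.startswith("alias ") and current:
            vhosts[current].add(line.split()[1])
    return vhosts

def audit(certs, vhosts):
    """Per vhost: the single cert covering all its names (else None), and names in no cert."""
    known = set().union(*certs.values())
    return {s: {"covering_cert": next((c for c, sans in certs.items() if names <= sans), None),
                "uncertified": sorted(names - known)} for s, names in vhosts.items()}
```

A non-None `covering_cert` only shows that a suitable certificate exists; which one Apache actually serves is set by `SSLCertificateFile` in that VirtualHost's config. A name listed under `uncertified` that no one ever requested, like the misspelled alias here, usually points to a typo in the Apache config.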

My goodness! Your patience is vast and deeply appreciated. I'll make these corrections in the morning.

1 Like

Sure thing. Please note I just updated the "delete" command. I had used the wrong one! :) Oops

1 Like