Warning: Potential Security Risk Ahead

I used the easy-to-follow instructions at https://certbot.eff.org/lets-encrypt/ubuntufocal-apache
for the domain www.gitxome.com

This site claims I am set up correctly with an "A". #ohBoy!

I was reading for a solution and saw that my letsencrypt directory holds the following:
root@gitxome:/etc/letsencrypt/live/gitxome.com# ls
cert.pem chain.pem fullchain.pem privkey.pem README

It's now 2:28am and I cannot continue to guess..

https://www.gitxome.com is a bit wonky..


Hi @gitxome

See your check: https://check-your-website.server-daten.de/?q=gitxome.com

Issuer   not before   not after    Domain names              LE-Duplicate next LE
R3       2020-12-02   2021-03-02   gitxome.com - 1 entries

You have created a certificate with only the main domain. So your www isn't secured, and the result is expected.

Create one certificate with both domain names.

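The check behind "your www isn't secure" is the browser's hostname match against the certificate's Subject Alternative Names. The following is an added example, not code from the thread or from Let's Encrypt: it implements the RFC 6125 matching rules (a wildcard is honoured only as the whole left-most label, never across a dot, and, as browsers and Let's Encrypt require, only with at least two labels to its right). It shows why a certificate listing only gitxome.com does not cover www.gitxome.com, and why *.gitxome.com would cover www.gitxome.com but not the apex name. The SAN lists are constructed.

```python
"""Hostname-vs-SAN matching as a browser does it (added example, not from the thread)."""


def _match_one(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname, case-insensitively.

    RFC 6125 section 6.4.3 (with the stricter browser rule): the wildcard
    must be the entire left-most label, must not match across a dot, and
    needs at least two labels to its right (so "*.com" is never honoured).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail or "." not in tail:
        return False  # "*.com", "foo*.example.com", bare "*": not honoured
    host_head, _, host_tail = hostname.partition(".")
    return bool(host_head) and host_tail == tail


def covered_by(san_names, hostname: str):
    """Return the SAN entry that covers `hostname`, or None if the cert does not cover it."""
    for name in san_names:
        if _match_one(name, hostname):
            return name
    return None


def coverage_report(san_names, hostnames):
    """Map each hostname you serve to the SAN entry covering it (None = browser warning)."""
    return {h: covered_by(san_names, h) for h in hostnames}


# Constructed SAN lists: what the thread's first cert had, what it should have,
# and the wildcard variant discussed later in the thread.
APEX_ONLY = ["gitxome.com"]
APEX_AND_WWW = ["gitxome.com", "www.gitxome.com"]
WILDCARD_ONLY = ["*.gitxome.com"]
SERVED = ["gitxome.com", "www.gitxome.com", "api.gitxome.com"]

if __name__ == "__main__":
    for label, sans in (("apex only", APEX_ONLY), ("apex + www", APEX_AND_WWW), ("wildcard only", WILDCARD_ONLY)):
        print(label, coverage_report(sans, SERVED))
```

Note that the wildcard does not cover the apex name, which is why the thread's wildcard command requests both `gitxome.com` and `*.gitxome.com`.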

Great Answer, Makes Sense!!
Thank you for helping!

So, re-following the instruction document, https://certbot.eff.org/lets-encrypt/ubuntufocal-apache.html,
I re-approached it by typing "certbot --apache" into my terminal, as the instructions say.

So, being a new programmer at 60 years old, staring into the PuTTY window, I wonder to myself:
"Which names would you like to activate HTTPS for?

1: gitxome.com

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Cert not yet due for renewal"...

and I wonder (since it's been two days since I last looked at this..).

• Where does certbot grab the gitxome.com name from...?
and
• I only have these options:

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/gitxome.com.conf)..

..not knowing how to add the "www" or a wildcard.

I ponder: can I simply edit /etc/letsencrypt/renewal/gitxome.com.conf and add a line to include the "www" or a * wildcard?

Instead, I reply to your answer, trying to learn something.

Question:
How shall I add the missing "www" during another new-install process?
What about a wildcard so I don't have to add individual sub domain names?

Guten Tag Juergen!


Welcome to the Let's Encrypt Community, Buddy :slightly_smiling_face:

Please follow @Osiris's advice in the next post before trying the commands I have given.


Try this:

certbot run --cert-name gitxome.com --apache -d "gitxome.com,www.gitxome.com" --keep


This requires using dns-01 challenges that can be difficult to automate as they require some means of updating DNS records via script. The command to obtain such a wildcard certificate manually would be:

certbot run --cert-name gitxome.com -a manual --preferred-challenges dns -d "gitxome.com,*.gitxome.com" -i apache --keep

During this command, you'll be prompted to add two TXT records to your DNS zone. Both TXT records will have a host/name of _acme-challenge.gitxome.com., but their values (given by certbot) will be two different, crazy-looking strings.

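Those two "crazy-looking strings" are not arbitrary: for a dns-01 challenge the TXT value is base64url(SHA-256(token "." thumbprint)), where the token comes from the CA's challenge object and the thumbprint is the RFC 7638 JWK thumbprint of your ACME account key (RFC 8555 sections 8.1 and 8.4). The following is an added example, not certbot's code, that computes them, and shows why both the apex name and the wildcard land on the same record name while getting different values (one token per authorization). The account key, the tokens and the zone name are constructed for illustration.

```python
"""dns-01 TXT value computation per RFC 8555 (added example; not certbot code)."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace.
    Optional members such as "kid" or "alg" must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Key authorization is token "." thumbprint; the TXT value is its base64url SHA-256."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_record_name(identifier: str) -> str:
    """The wildcard prefix is dropped: *.gitxome.com and gitxome.com both
    validate at _acme-challenge.gitxome.com (RFC 8555 section 7.1.3)."""
    if identifier.startswith("*."):
        identifier = identifier[2:]
    return "_acme-challenge." + identifier.rstrip(".") + "."


def plan_dns01(authorizations, jwk):
    """authorizations: (identifier, token) pairs, one token per ACME authorization.
    Returns the (record name, TXT value) pairs that must all be published at once,
    because the CA validates each authorization separately."""
    return [(challenge_record_name(ident), dns01_txt_value(tok, jwk)) for ident, tok in authorizations]


# Constructed inputs (assumptions, not real account material): a P-256 account key
# in JWK form with an extra "kid" member, and two fake tokens. Real tokens are
# random values of at least 128 bits handed out by the CA.
SAMPLE_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "https://acme.example.invalid/acct/1",
}
SAMPLE_AUTHZ = [
    ("gitxome.com", "tok-apex-AAAAAAAAAAAAAAAAAAAAAA"),
    ("*.gitxome.com", "tok-wild-BBBBBBBBBBBBBBBBBBBBBB"),
]

if __name__ == "__main__":
    for name, value in plan_dns01(SAMPLE_AUTHZ, SAMPLE_JWK):
        print(f"{name} IN TXT \"{value}\"")
```

Because both records share one name, publish them as two TXT records rather than overwriting one with the other, and wait for the zone to propagate before telling certbot to continue.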

When you use --apache, the apache authenticator will grab the hostnames from your Apache configuration. So it seems you didn't actively add a www subdomain to your Apache configuration files, which you can verify by running apachectl -S: it will show you all the virtualhosts and corresponding hostnames associated with it (plus some more config info).

While your www subdomain might work now (probably because you only have a single vhost configured, so the foo and bar subdomains will also end up at your site..), I would recommend specifying the hostnames you require (with the aid of the ServerAlias directive) and not relying on "I guess it'll work anyway". Especially if you'd like to add another vhost in the future: that second vhost won't be the default vhost, so then you would need to specify any subdomain anyway. Better to get it right the first time and not wait for future issues to arise.


As @Osiris explained: Add the www ServerAlias to your vHost, recheck it with apachectl -S, then Certbot should show both domain names.

A wildcard isn't required if you need only two domain names.

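To make "where does certbot grab the gitxome.com name from?" concrete: the apache authenticator reads the ServerName and ServerAlias directives of every <VirtualHost>, the same names apachectl -S prints. The following is an added example, not certbot's own code, that extracts those names from a constructed sites-available file and reports which ones would be offered as numbered options. It drops wildcard aliases from the suggestions, mirroring the behaviour the thread observed (Apache itself accepts a wildcard ServerAlias; the certbot plugin does not suggest it).

```python
"""Extract vhost hostnames the way the certbot apache plugin does in effect (added example)."""
import re

_VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>", re.IGNORECASE)
_VHOST_CLOSE = re.compile(r"^</VirtualHost>", re.IGNORECASE)
_NAME_DIRECTIVE = re.compile(r"^(ServerName|ServerAlias)\s+(.+?)\s*$", re.IGNORECASE)


def _clean_servername(value: str) -> str:
    """ServerName may carry scheme:// and :port; only the host part is a certificate name."""
    host = value.strip().split("://", 1)[-1].split(":", 1)[0]
    return host.rstrip(".").lower()


def parse_vhosts(config_text: str):
    """Return [(addresses, [names...]), ...] per <VirtualHost> block.

    As in apachectl -S, ServerName comes first, then ServerAlias entries in order.
    Apache only allows comments on their own line, so that is all we strip.
    """
    vhosts, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _VHOST_OPEN.match(line)
        if m:
            current = (m.group(1).split(), [])
            continue
        if _VHOST_CLOSE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        m = _NAME_DIRECTIVE.match(line)
        if m and current is not None:
            directive, value = m.group(1).lower(), m.group(2)
            if directive == "servername":
                current[1].insert(0, _clean_servername(value))
            else:
                current[1].extend(v.rstrip(".").lower() for v in value.split())
    return vhosts


def suggested_names(config_text: str):
    """(offered, dropped): unique names in vhost order, with wildcards set aside
    so the reader sees exactly what the numbered menu will and will not contain."""
    offered, dropped = [], []
    for _addrs, names in parse_vhosts(config_text):
        for n in names:
            target = dropped if n.startswith("*") else offered
            if n not in target:
                target.append(n)
    return offered, dropped


# Constructed stand-in for /etc/apache2/sites-available/gitxome.conf after the
# www and wildcard aliases were added; not the poster's actual file.
SAMPLE_CONF = """
# constructed sample vhost file
<VirtualHost *:80>
    ServerName gitxome.com
    ServerAlias www.gitxome.com *.gitxome.com
    DocumentRoot /var/www/gitxome
</VirtualHost>
<VirtualHost *:443>
    ServerName gitxome.com
    ServerAlias www.gitxome.com
    SSLEngine on
</VirtualHost>
"""

if __name__ == "__main__":
    offered, dropped = suggested_names(SAMPLE_CONF)
    for i, name in enumerate(offered, 1):
        print(f"{i}: {name}")
    print("not offered (wildcard):", dropped)
```

If the menu you get from `certbot --apache` is missing a name, this is the place to look: the name is not in any ServerName/ServerAlias, or the vhost file is not enabled (apachectl -S will not list it either).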

hmmm..
Ubuntu 20.04, Certbot Fun & Games.. I edited my sites-available/gitxome.conf to include www.gitxome.com, instead of *.gitxome.com, and thereafter..

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.gitxome.com/fullchain.pem
Your key file has been saved at:

Thank you for the explanation of using the wildcard!


Hm, funny, the apache plugin doesn't recognise a wildcard ServerAlias/ServerName? Although with just the apex domain and the www subdomain a wildcard is not necessary, I would think the apache plugin would at least support it..

I made a GitHub issue about that: https://github.com/certbot/certbot/issues/8511. The WONTFIX from 2016 isn't accurate any longer..


Thank you Osiris and/or..
I have another unknown close to the original https:// issue..
(this is the hello-world React page on port 3000)
Secure Connection Failed
An error occurred during a connection to https://www.gitxome.com:3000. SSL received a record that exceeded the maximum permissible length.
Error code: SSL_ERROR_RX_RECORD_TOO_LONG

I'm in uncharted territory
It does work with http://www.gitxome.com:3000 or http://gitxome.com:3000
but not https:// ? hmmm again.


With respect to the *.gitxome.com conf file, Apache did in fact accept a misc subdomain, as I had also added *.gitxome.com to the Cloudflare DNS (I'd ONLY added a * and not a www).
My point was that the certbot setup did not present the * as a numbered option:
option 1: gitxome.com
option 2: www.gitxome.com
not
option 3: *.gitxome.com > I think you understand; understood.


If you install TLS with a certificate for the main site on port 80/443, that doesn't mean everything is suddenly capable of TLS.

I'm not sure how your "hello-world REACT page" actually works though.. Is it a separate service running beside your Apache? Or is it a different virtualhost within Apache? In any case, if you also would like that service to have TLS, you should install the certificate manually I'm afraid.

Yes, the Apache webserver does understand the wildcard properly, but the apache certbot plugin doesn't. Also, DNS is a separate thing entirely :wink:

Indeed, for this I've opened an issue on GitHub already, as I think this is a bug in certbot.

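The SSL_ERROR_RX_RECORD_TOO_LONG message above is the browser telling you exactly what happened: it started a TLS handshake, and the service on port 3000 answered in plain HTTP. The first five bytes of a reply such as "HTTP/1.1 400 Bad Request" parse as a TLS record header with content type 0x48 ('H'), version 0x5454 ('TT') and length 0x502f ('P/') = 20527, which is above the 18432-byte limit a TLS 1.2 record may carry (RFC 5246 section 6.2.3: 2^14 + 2048), so the client gives up with that error. The following is an added example, not from the thread, that classifies what came back; the sample responses are constructed, and the optional network probe is not exercised offline.

```python
"""Diagnose "record too long": is the far end speaking TLS or plaintext? (added example)"""
import socket
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2 ** 14 + 2048  # TLS 1.2 TLSCiphertext limit; TLS 1.3 lowers it to 2^14 + 256


def classify_server_bytes(first_bytes: bytes) -> dict:
    """Interpret the first 5 bytes a server sent on a port we expected to speak TLS."""
    if len(first_bytes) < 5:
        return {"verdict": "too_short", "detail": "need 5 bytes for a record header"}
    ctype, version, length = struct.unpack("!BHH", first_bytes[:5])
    result = {"content_type": ctype, "version": f"0x{version:04x}", "length": length}
    if ctype in CONTENT_TYPES and version >> 8 == 3 and length <= MAX_RECORD_LEN:
        result.update(verdict="tls", detail=f"{CONTENT_TYPES[ctype]} record, {length} bytes")
    elif first_bytes[:5] == b"HTTP/":
        # Plain HTTP status line read as a record header: the "length" field is
        # the bytes 'P' and '/', which is what makes the browser say "too long".
        result.update(verdict="plaintext_http",
                      detail=f"server answered HTTP; 'length' {length} > {MAX_RECORD_LEN}")
    elif length > MAX_RECORD_LEN:
        result.update(verdict="record_too_long", detail="not TLS: length field exceeds the maximum")
    else:
        result.update(verdict="not_tls", detail="unrecognised content type or version")
    return result


def probe(host: str, port: int, timeout: float = 3.0) -> dict:
    """Network helper, not run offline: send a TLS record carrying a malformed
    ClientHello and classify the reply. A TLS endpoint answers with an alert
    record (content type 21); a plain HTTP server typically answers 400."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00")
        try:
            data = s.recv(5)
        except socket.timeout:
            data = b""
    return classify_server_bytes(data)


# Constructed samples: what a dev server on :3000 sends back, and what a TLS
# endpoint's first record (here a 74-byte handshake record) looks like.
SAMPLE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
SAMPLE_TLS_REPLY = b"\x16\x03\x03\x00\x4a" + b"\x00" * 74

if __name__ == "__main__":
    print(classify_server_bytes(SAMPLE_HTTP_REPLY))
    print(classify_server_bytes(SAMPLE_TLS_REPLY))
```

The fix is on the server side: the process listening on 3000 has to be given the certificate and key itself, or sit behind an Apache vhost that terminates TLS for it; installing the certificate for port 443 does nothing for other listeners.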

Rad, (thanks with expression) ..as I used to say.


certbot: error: unrecognized arguments: --dns-cloudflare-credentials (Should I have started a new topic?)

For Cloudflare DNS TXT:
- installed pip3 for Cloudflare on Ubuntu 20.04.

Purpose: a port other than 80 or 443,
i.e. https://GitXome.com:3000,
with respect to using Certbot for port 3000 (for testing a React Native hello-world test page).

Commands:

certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
  -d gitxome.com \
  -d www.gitxome.com

Output:

usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --dns-cloudflare-credentials /root/.secrets/certbot/cloudflare.ini

Pausing for more knowledge..


I'm trying to remedy the TSL for (no browser https:// security lock): http://gitxome.com:3000/


curl -X GET "https://api.cloudflare.com/client/v4/user/tokens/verify" \
  -H "Authorization: Bearer fakeTOKENklsdhfgjhdfgkjdfgkljdfgklj" \
  -H "Content-Type:application/json"

{
  "result": {
    "id": "fakeTOKENklsdhfgjhdfgkjdfgkljdfgklj",
    "status": "active",
    "not_before": "2020-12-07T00:00:00Z",
    "expires_on": "2021-01-01T23:59:59Z"
  },
  "success": true,
  "errors": [],
  "messages": [
    {"code": 10000, "message": "This API Token is valid and active", "type": null},
    {"code": 10003, "message": "This API Token was expired at 2021-01-01T23:59:59Z", "type": null}
  ]
}

I added a DNS TXT Record at Cloudflare not knowing what to include within it for TSL Handshaking.

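Two things are worth checking before going further with the Cloudflare route. First, "unrecognized arguments: --dns-cloudflare-credentials" is what certbot's argument parser prints whenever the certbot-dns-cloudflare plugin is not visible to the certbot binary that is running (typically an apt-installed certbot with the plugin pip-installed into a different Python); the credentials file itself is never read in that case. Second, once the plugin does load, the file must be root-readable only (certbot warns on anything looser) and carry the documented dns_cloudflare_api_token key, and the token must not have passed its expires_on, which the verify reply above reports alongside an "active" status. The following is an added example, not certbot-dns-cloudflare's code, implementing those two checks; the INI content, the placeholder token and the verify reply are constructed.

```python
"""Sanity checks for a certbot-dns-cloudflare setup (added example; not plugin code)."""
import configparser
import json
import os
import stat
import tempfile
from datetime import datetime, timezone


def check_credentials_file(path: str):
    """Return a list of problems with the credentials INI file; [] means usable."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:04o} lets group/others read the token; chmod 600 it")
    cp = configparser.ConfigParser()
    with open(path, encoding="utf-8") as fh:
        cp.read_string("[creds]\n" + fh.read())  # certbot INI files carry no section header
    sect = cp["creds"]
    token = sect.get("dns_cloudflare_api_token", "").strip()
    legacy = sect.get("dns_cloudflare_email", "").strip() and sect.get("dns_cloudflare_api_key", "").strip()
    if not token and not legacy:
        problems.append("set dns_cloudflare_api_token (or dns_cloudflare_email + dns_cloudflare_api_key)")
    return problems


def write_sample_credentials(mode: int = 0o600) -> str:
    """Write a constructed credentials file with a placeholder token; returns its path."""
    fd, path = tempfile.mkstemp(prefix="cloudflare-", suffix=".ini")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("# constructed sample; the token below is a placeholder, not a real one\n"
                 "dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567\n")
    os.chmod(path, mode)
    return path


def _parse_ts(value: str) -> datetime:
    """Cloudflare timestamps end in 'Z', which fromisoformat does not accept before 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def token_status(verify_reply: str, now: str) -> str:
    """Interpret a /user/tokens/verify reply as of `now` (ISO 8601 UTC).
    The expiry window is checked even when status says "active"."""
    body = json.loads(verify_reply)
    if not body.get("success"):
        return "invalid"
    res = body["result"]
    if res.get("status") != "active":
        return res.get("status", "unknown")
    t = _parse_ts(now)
    if res.get("expires_on") and _parse_ts(res["expires_on"]) <= t:
        return "expired"
    if res.get("not_before") and _parse_ts(res["not_before"]) > t:
        return "not_yet_valid"
    return "ok"


# Constructed reply in the shape of the post's output, with a placeholder id.
SAMPLE_VERIFY_REPLY = json.dumps({
    "result": {"id": "0123456789abcdef0123456789abcdef01234567", "status": "active",
               "not_before": "2020-12-07T00:00:00Z", "expires_on": "2021-01-01T23:59:59Z"},
    "success": True, "errors": [],
    "messages": [{"code": 10000, "message": "This API Token is valid and active", "type": None}],
})

if __name__ == "__main__":
    path = write_sample_credentials(0o644)
    print(check_credentials_file(path))
    print(token_status(SAMPLE_VERIFY_REPLY, "2021-01-05T00:00:00Z"))
```

A token that is past expires_on will verify as "active" and still fail every zone write the plugin attempts, so check the date before chasing DNS propagation.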

@gitxome If you have a certificate for gitxome.com on port 443, you can use that same certificate for port 3000.


I allowed a day to pass without revisiting any thoughts of certbot or my new server. ugh.
Today, SSH attempts then exposed how my new, bigger-battery upgrade had died because I haphazardly detached the old, newly discovered fancy power cable elbow attachment addition -and I'd slid the old/new fecal fossa Ubuntu Laptop back into its safe, secret, hidden place, along the wall on the only empty ledge-space by the side of the big bookshelf, shed-like, tool..

So wouldn't it be nifty if I could add <VirtualHost *:3000> to the gitxome.conf within the apache2/sites-available directory, directly, to be detected and presented by certbot's wizardly daring?

Ports other than 80 and 443 could be .. hmmm, there was lots of information I'd read two days ago on this exciting site: https://certbot.eff.org/docs/using.html#configuration-file -including a link to my DNS host, https://certbot-dns-cloudflare.readthedocs.io/en/stable/ where I'd gone as far as to create an encrypted authorization key, pasting it [unsaved] into Notepad++ for safe keeping even after three reboots of my vindows10 verkbeast.

I fret that I'm pretty-much stuk'd with regard to adding any additional ports to-be translated through certbots specialized negotiating skills with the deep-subject of TSL, not to mention SSL technologies, causing all of the major web browsers threatening ominous warning feature -that dreaded, unbearable, "unlocked" lock icon to magically change into the beautiful, much sought-after, certificate of merit, safety-insight pleasure, fabulously bona-fide, smiling, securely locked, confirmation icon!

uh. (sorry about all the extra wordy glamour)..

A special shout-out to Let's Encrypt Engineer, Jacob Hoffman-Andrews, who promoted my status trust level! Truly, I'm merely an Artist with some big-dreams, striving to bring something amazing to-the-world, where some of the major hurdles on my sixty journey have been the technical distractions outside the scope of my psychedelic hypnosis experience. I call it #THIStm and I say, #GitXome! (but I need your help),

Thank you, all.


I don't know if that's possible, but you can enable TLS manually for that virtualhost too. (I didn't know the port 3000 was running Apache, I thought it was another, different service?)
Do note that when HTTPS is enabled, HTTP won't work any longer.


To get REACT to work with my Ubuntu Laptop, I also installed other packages. Node might be the server I launched using the npm start command which shows a woopy-do spinning REACT Logo. The goal I am aiming toward is an App I can't seem to make function, yet, and that REACT Program App will produce MIDI Pads on a different port (will also need https://www.gitxome.com:some-other-port).
My understanding of TSL was based upon an explanation given to me by a smart techie friend employed at UCLA, as SSL had reached its limit and an even more secure TSL was created..


uh, I see that's TLS ~doh!
