Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
In addition to the current certificate not covering www.hprauto.com, no intermediate certificates are being served for either hprauto.com or www.hprauto.com.
The certificate being served for www.hprauto.com does not include www.hprauto.com. When many people visit https://www.hprauto.com, they will be shown a warning about the website being unsecure before being redirected. Depending upon your visitors' browsers, the lack of intermediate certificates being served by hprauto.com and www.hprauto.com can result in both addresses being considered unsecure due to presenting incomplete certificate chains. Additionally, none of the cipher suites being used support forward secrecy.
First of all, I really appreciate the time you are taking to help me out. This is my first foray into certificates. When I first initiated the request I listed hprauto.com and www.hprauto.com as domains. I see now that the certificate only applies to hprauto.com because that is the domain established with my internet provider. I see the cipher suite. Two questions. My webserver is Apache. I assume that the cipher suite needs to be placed into the httpd-vhosts.conf file, correct? The other question is that I have another domain listed at the same IP address. Will adding that cipher suite cause this other domain to be redirected to the secure site? I do not have a certificate for that site. Thank you in advance for your help.
Hopefully we haven't come across too demandingly. We want you to truly succeed in your certificate endeavors.
When you registered hprauto.com with your domain registrar (Network Solutions), all of its subdomains came included. You have A records in your DNS for both hprauto.com and www.hprauto.com that point to a live webserver, so you need a certificate to cover both names.
I see no such certificate ever issued:
Certbot should have set these for you in its own include file if you used the apache installer.
Ah, @griffin beat me to it. No need to read this unless you want to as it mostly duplicates his advice.
Last first, let's talk about that Mozilla configuration recommendation:
The section about rewriting (all the lines that start with Rewrite, such as RewriteCond and RewriteRule, and their enclosing VirtualHost condition) is the part of Mozilla's recommendation that upgrades people to HTTPS. So you should not apply this for the site for which you don't have a certificate; if unsure, leave all those lines out altogether for now. The part nearer the bottom, from the line starting SSLProtocol, is the part that would improve the security of the site for visitors by using more modern ciphers, and so that's the change which is more important to integrate.
While you're in the Apache configuration (and before telling Apache to reload the configuration), look for SSLCertificateFile and see if it's currently set to a path ending in fullchain.pem; if it isn't, this may be why your site fails that "Chain" check somebody else mentioned. This may not have any apparent effect for you, but it can cause problems on some browsers, so better fix it if possible by using the fullchain.pem file.
You might look at whether you can just ask Certbot to expand your certificate to include the name www.hprauto.com as well. It sounds like these are essentially the same web site, on the same machine, in which case it could be as simple as:
I personally despise using rewrites when there's a much better way.
Avoid them:
A common use for RewriteRule is to redirect an entire class of URLs. For example, all URLs in the /one directory must be redirected to http://one.example.com/, or perhaps all http requests must be redirected to https.
These situations are better handled by the Redirect directive.
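An Apache layout that combines the advice in the replies above, added here as an example and not taken from any post in the thread: Redirect instead of rewrite rules, no redirect for the domain without a certificate, fullchain.pem, and forward-secret ciphers. The certificate paths assume Certbot's default live directory, other.example and the DocumentRoot paths are placeholders, and the cipher list is a short sample of ECDHE suites rather than Mozilla's full recommendation.

```apache
# Port 80: send both hprauto.com names to HTTPS with Redirect (no mod_rewrite).
<VirtualHost *:80>
    ServerName hprauto.com
    ServerAlias www.hprauto.com
    Redirect permanent / https://hprauto.com/
</VirtualHost>

# Second domain on the same IP (placeholder name). It has no certificate,
# so it gets no Redirect and no SSL directives and keeps serving plain HTTP.
<VirtualHost *:80>
    ServerName other.example
    # Assumed path
    DocumentRoot "/var/www/other"
</VirtualHost>

# Port 443: only the names the certificate actually covers belong here.
# Keep the ServerAlias line only once the certificate includes www.hprauto.com.
<VirtualHost *:443>
    ServerName hprauto.com
    ServerAlias www.hprauto.com
    # Assumed path
    DocumentRoot "/var/www/hprauto"

    SSLEngine on
    # fullchain.pem holds the leaf certificate plus the intermediates, so
    # clients receive a complete chain (Apache 2.4.8 or later reads the
    # intermediates from this file).
    SSLCertificateFile    /etc/letsencrypt/live/hprauto.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/hprauto.com/privkey.pem

    # Every suite below uses ECDHE key exchange, which gives forward secrecy.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder off
</VirtualHost>
```

The SSL directives sit inside the port 443 virtual host, so they do not redirect or otherwise change the second domain on port 80. A visitor who types https://other.example would still reach the hprauto.com virtual host on port 443 and see a name-mismatch warning until that domain has its own certificate.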
That is the command that I used to create the certificate but I only received it for hprauto.com. I assume in retrospect that I did not get a certificate for www.hprauto.com because it was listed as a domain. I had set the path to where the fullchain.pem file was but got an error saying it was missing or empty. You are correct, the only reason I have www.hprauto.com as a site is to redirect users to hprauto.com. Thanks for responding.
I'll give that a try. I originally used the command recommended by tialaramex and it gave me an option to expand but then I got an error stating that the http-01 challenge for www.hprauto.com could not be found.