Wrong URL for Certificate

Hi, I have got the following problem:
I want to host multiple websites from my home and to realize that

  1. I bought an IP: serverwolf.de and connected it to my FritzBox: (Connection works fine)
    filme.serverwolf.de CNAME ly5xsl2tbp9n23dj.myfritz.net
    also got rid of DNS Rebind in the FritzBox

  2. Created Reverse Proxy in Apache Debian 10 with Certbot
    (The reverse Proxy points to another server in my Lan network)

     <VirtualHost *:80>
     ServerName filme.serverwolf.de
     ProxyPreserveHost On
     DocumentRoot /var/www/html
    
     #redirect to https
     #Redirect permanent / https://filme.serverwolf.de/
    
     # Possible values include: debug, info, notice, warn, error, crit,
     # alert, emerg.
    
     ProxyPass /.well-known !
     ProxyPass / http://192.168.178.94:8096/
     ProxyPassReverse / http://192.168.178.94:8096/
    
     RewriteEngine on
     RewriteCond %{SERVER_NAME} =filme.serverwolf.de
     RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
     </VirtualHost>
    

certbot then created

    <IfModule mod_ssl.c>
    <VirtualHost *:443>
    ServerName filme.serverwolf.de
    ProxyPreserveHost On
    DocumentRoot /var/www/html

    #redirect to https
    #Redirect permanent / https://filme.serverwolf.de/

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.

    ProxyPass /.well-known !
    ProxyPass / http://192.168.178.94:8096/
    ProxyPassReverse / http://192.168.178.94:8096/


    SSLCertificateFile /etc/letsencrypt/live/filme.serverwolf.de-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/filme.serverwolf.de-0001/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
    </IfModule>
  3. When I try to access the website now it tells me

I think the problem is that the certificate is signed for ly5xsl2tbp9n23dj.myfritz.net, not the actual URL I am using (https://filme.serverwolf.de/). This setup was working twice for some time, but eventually it stopped working after some time (< a few hours). I am pretty new to all this and really don't know what to do here. Maybe someone has an idea how I can fix my problem?

Thank you in advance! :slight_smile:
Simon Wolf

1 Like

Hi @sim0nw0lf,

The certificate in your browser ("Gültig ab 30.12.2020 bis 15.01.2038") isn't your Let's Encrypt certificate. First, it's self-signed (not issued by a certificate authority at all), and second, Let's Encrypt certificates are valid for 90 days, not 6225 days like this certificate. :slight_smile:

The certificate you're seeing was probably generated by the FritzBox itself or by some other device on your network, so you should check your port forwarding.

2 Likes

@schoen thanks for your fast reply! :slight_smile:
Ok, I am wondering where this error comes from.
My ports are opened and you can reach it on this URL as well, which works: http://simonwolf.ddns.net:8096/. (It's my FritzBox DynDNS.)
Internet Explorer is saying that the hostname in the certificate of the website is different from the website I am trying to reach.

Diese Website ist nicht sicher.

Dem Sicherheitszertifikat dieser Website wird von Ihrem PC nicht vertraut.
Der Hostname im Sicherheitszertifikat der Website unterscheidet sich von der Website, die Sie besuchen möchten.

Fehlercode: DLG_FLAGS_INVALID_CA
DLG_FLAGS_SEC_CERT_CN_INVALID

Da diese Website HTTP Strict Transport Security (HSTS) verwendet, können Sie derzeit nicht zu dieser Website wechseln.

Do you need any other information to get a better overview of the issue?

1 Like

Apache is answering for http://filme.serverwolf.de/
But I don't see the redirection.
That makes me think that your Apache configuration may not be perfect.
[Apache is notorious for running at all cost]

Please show us the output of:
apachectl -S

1 Like
root@nextcloudpi:/etc/apache2/sites-available# apachectl -S
VirtualHost configuration:
*:443                  filme.serverwolf.de (/etc/apache2/sites-enabled/jellyfin-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server filme.serverwolf.de (/etc/apache2/sites-enabled/jellyfin-le-ssl.conf:24)
         port 80 namevhost filme.serverwolf.de (/etc/apache2/sites-enabled/jellyfin-le-ssl.conf:24)
         port 80 namevhost filme.serverwolf.de (/etc/apache2/sites-enabled/jellyfin.conf:1)
*:4443                 localhost (/etc/apache2/sites-enabled/ncp.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
         port 80 namevhost filme.serverwolf.de (/etc/apache2/sites-enabled/jellyfin-le-ssl.conf:24)
         port 80 namevhost filme.serverwolf.de (/etc/apache2/sites-enabled/jellyfin.conf:1)

There is the problem.
The same IP:port:FQDN is used in two files - that is an overlap.

Based on the file names the first should only have port 443 and the second port 80.
But the first has 443 and 80.

1 Like

Fixed that:

root@nextcloudpi:/etc/apache2/sites-available# apachectl -S

VirtualHost configuration:

*:443                  filme.serverwolf.de (/etc/apache2/sites-enabled/jellyfin-le-ssl.conf:2)
*:80                   filme.serverwolf.de (/etc/apache2/sites-enabled/jellyfin-le-ssl.conf:24)
*:4443                 localhost (/etc/apache2/sites-enabled/ncp.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

Problem is still the same. Should this config file be working?

    <IfModule mod_ssl.c>
    <VirtualHost *:443>
    ServerName filme.serverwolf.de
    ProxyPreserveHost On
    DocumentRoot /var/www/html

    #redirect to https
    #Redirect permanent / https://filme.serverwolf.de/

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.

    ProxyPass /.well-known !
    ProxyPass / http://192.168.178.94:8096/
    ProxyPassReverse / http://192.168.178.94:8096/

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/filme.serverwolf.de-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/filme.serverwolf.de-0001/privkey.pem
    </VirtualHost>
    </IfModule>

    <IfModule mod_ssl.c>
    <VirtualHost *:80>
    ServerName filme.serverwolf.de
    ProxyPreserveHost On
    DocumentRoot /var/www/html

    #redirect to https
    #Redirect permanent / https://filme.serverwolf.de/

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.

    ProxyPass /.well-known !
    ProxyPass / http://192.168.178.94:8096/
    ProxyPassReverse / http://192.168.178.94:8096/

    RewriteEngine on
    # Some rewrite rules in this file were disabled on your HTTPS site,
    # because they have the potential to create redirection loops.

    # RewriteCond %{SERVER_NAME} =filme.serverwolf.de
    # RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

    </VirtualHost>
    </IfModule>

Uncomment the last two lines.

You need the redirection when HTTP is used.
OR this one line:

And the HTTP section is within an IfModule, which doesn't make sense.
It says, if SSL enabled then do this section (which has no SSL).
You can remove those two lines.

You also don't need to proxy anything in the HTTP section; as you will be forwarding everything to HTTPS section.

1 Like

Here I cleaned it up for you:

<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerName filme.serverwolf.de
    ProxyPreserveHost On
    DocumentRoot /var/www/html
    ProxyPass /.well-known !
    ProxyPass / http://192.168.178.94:8096/
    ProxyPassReverse / http://192.168.178.94:8096/
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/filme.serverwolf.de-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/filme.serverwolf.de-0001/privkey.pem
  </VirtualHost>
</IfModule>

<VirtualHost *:80>
    ServerName filme.serverwolf.de
    DocumentRoot /var/www/html
    Redirect permanent / https://filme.serverwolf.de/
</VirtualHost>

1 Like

This "-0001" is a bit interesting to me now.
Please show the output of:
certbot certificates

1 Like

Thank you very much for your help! :slight_smile:
I applied the changes but unfortunately it doesn't work still. You can try yourself and see the result I guess.

What seems weird to me is that https://simonwolf.ddns.net/ is redirected as well. I thought only the subdomain would be sent to my other server :thinking:

What exactly doesn't work?
I now see the redirection, so it is doing what we put in the server block.

Everything that hits this system for HTTP will match or be matched by the default HTTP block.
As there is now only one HTTP block (it becomes the default), all HTTP connections will be redirected to: https://filme.serverwolf.de/
Even: http://95.116.252.54/ will be redirected.

1 Like

That is a mess, honestly. I just deleted the simonwolf.ddns.net cert because I didn't want to use it and my browser showed that I was...
The 001 is just because I renewed it and it was already there.

root@nextcloudpi:/etc/apache2/sites-available# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/simonwolf.ddns.net.conf produced an unexpected error: expected /etc/letsencrypt/live/simonwolf.ddns.net/cert.pem to be a symlink. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: filme.serverwolf.de-0001
    Serial Number: 42ee2c4580a24a4d80f8563c0799d0d1c79
    Key Type: RSA
    Domains: filme.serverwolf.de
    Expiry Date: 2021-03-30 03:50:24+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/filme.serverwolf.de-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/filme.serverwolf.de-0001/privkey.pem
  Certificate Name: filme.serverwolf.de
    Serial Number: 43b53b54b4b71bda2c25fb7d01dfa0cfa2a
    Key Type: RSA
    Domains: filme.serverwolf.de usenet.serverwolf.de www.serverwolf.de
    Expiry Date: 2021-03-30 02:57:24+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/filme.serverwolf.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/filme.serverwolf.de/privkey.pem
  Certificate Name: lovi-back.ddns.net
    Serial Number: 3f9d9e01cb0bb77cb5aab926571922922db
    Key Type: RSA
    Domains: lovi-back.ddns.net
    Expiry Date: 2020-11-09 10:22:21+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/lovi-back.ddns.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/lovi-back.ddns.net/privkey.pem
  Certificate Name: usenet.serverwolf.de
    Serial Number: 3299679a0a6c9d22b84ef4edd6e49aa8bfe
    Key Type: RSA
    Domains: usenet.serverwolf.de
    Expiry Date: 2021-03-30 02:26:25+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/usenet.serverwolf.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/usenet.serverwolf.de/privkey.pem
  Certificate Name: www.serverwolf.de
    Serial Number: 4786807b9df71537ddf54544d1267e498df
    Key Type: RSA
    Domains: www.serverwolf.de
    Expiry Date: 2021-03-30 03:09:11+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.serverwolf.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.serverwolf.de/privkey.pem

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/simonwolf.ddns.net.conf

You have five active certificates.
Four have individual names.
But one has three of those names in it:

Certificate Name: filme.serverwolf.de-0001
Domains: filme.serverwolf.de

Certificate Name: filme.serverwolf.de
Domains: filme.serverwolf.de usenet.serverwolf.de www.serverwolf.de

Certificate Name: lovi-back.ddns.net
Domains: lovi-back.ddns.net

Certificate Name: usenet.serverwolf.de
Domains: usenet.serverwolf.de

Certificate Name: www.serverwolf.de
Domains: www.serverwolf.de

This part is interesting (and needs fixing):
The following renewal configurations were invalid:
/etc/letsencrypt/renewal/simonwolf.ddns.net.conf

I think you could just use the one cert with the three names on it and delete the single named certs.
Although, looking back, I don't see any of those other names in the Apache config...

1 Like

all HTTP connections will be redirected to: https://filme.serverwolf.de/

Right!! Even though I just wanted only filme.serverwolf.de to be redirected :thinking:

There are two ways to fix that.

  1. The correct way
    This requires creating a new default (catch-all) vhost config for HTTP.
    This config will just return something like "Nothing to see here - go away"
  2. The easy way
    Modify the current redirection to only redirect that one name.
    But that leaves a hole that Apache will try to fill with that same config.
    And the config won't be redirecting them... So what will that config do?
    It will send them to the local Document Root folder listed in the file - bad result
1 Like
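One way to build "the correct way" from the post above, as an added example that is not from the thread or any of its participants. It assumes a hypothetical file such as /etc/apache2/sites-available/000-default.conf (named so it sorts before jellyfin.conf in sites-enabled), a hypothetical empty directory /var/www/empty, and the placeholder name catchall.invalid; the redirect block for filme.serverwolf.de is the one already agreed on in the thread.

```apache
# Added example (not from the thread). Apache uses the FIRST <VirtualHost *:80>
# it loads as the default for requests whose Host header matches no
# ServerName/ServerAlias. Putting this catch-all in a file that sorts before
# jellyfin.conf in sites-enabled (e.g. 000-default.conf, hypothetical name)
# makes it, rather than the redirect block, the default.
<VirtualHost *:80>
    # Hypothetical name under the reserved .invalid TLD: no client ever sends
    # it as Host, so this block only serves unmatched names and the bare IP.
    ServerName catchall.invalid
    # Hypothetical empty directory; nothing from /var/www/html is exposed here.
    DocumentRoot /var/www/empty
    <Directory /var/www/empty>
        Require all denied
    </Directory>
    # Answer every request on this vhost with 404 and a short body instead of
    # redirecting it to https://filme.serverwolf.de/. No target URL is given
    # because Redirect with a non-3xx status must not have one.
    Redirect 404 /
    ErrorDocument 404 "Nothing to see here - go away"
    # Keep the catch-all's noise out of the real site's access log
    # (APACHE_LOG_DIR comes from Debian's /etc/apache2/envvars).
    CustomLog ${APACHE_LOG_DIR}/catchall_access.log combined
</VirtualHost>

# The name-specific HTTP block from the thread: only this Host header gets
# the redirect. HTTP-01 challenges for filme.serverwolf.de still work because
# Let's Encrypt follows the redirect to the HTTPS vhost.
<VirtualHost *:80>
    ServerName filme.serverwolf.de
    DocumentRoot /var/www/html
    Redirect permanent / https://filme.serverwolf.de/
</VirtualHost>

# Check: "apachectl -S" should now list catchall.invalid as the
# "default server" for *:80 and filme.serverwolf.de as a "namevhost".
```

After `a2ensite 000-default` and `apachectl configtest`, a request to http://95.116.252.54/ or http://simonwolf.ddns.net/ gets a 404 from the catch-all, while http://filme.serverwolf.de/ is the only name redirected to HTTPS.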

Yes, as I said, I deleted the folder...
I am not using this cert, so it shouldn't be an issue, and my problem existed before I deleted the folder :sweat_smile:

You are right, I could probably use just that one cert where all domains are embedded

You should never delete/move/remove anything contained in the /etc/letsencrypt/ folders manually.
There are commands to have certbot do whatever you need it to do.
In this case (it would have been):
certbot delete --cert-name simonwolf.ddns.net

So, which will it be:
The correct way?
OR
The easy way?

[to fix the excessive redirections]

1 Like