Www does not work with Let's Encrypt

Hi, I have an AWS Lightsail instance and want to use LetsEncrypt. I followed the usual guides from
https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress

but only the non-www domain works fine. The www address fails to load in Edge and Safari (Chrome, however, accepts it).

https://www.alorscestquoi.ca (fails in Safari and Edge, works in Chrome)
https://alorscestquoi.ca (works in Safari, Edge, Chrome)

Any ideas what it could be? Thanks a lot!

1 Like

Hi @Sebastian41

you have created some certificates ( https://check-your-website.server-daten.de/?q=wfbrace.net#ct-logs ):

| Issuer | not before | not after | Domain names | LE-Duplicate next LE |
|---|---|---|---|---|
| Let’s Encrypt Authority X3 | 2019-08-01 | 2019-10-30 | *.alorscestquoi.ca, alorscestquoi.ca | 2 entries, duplicate nr. 2 |
| Let’s Encrypt Authority X3 | 2019-08-01 | 2019-10-30 | www.alorscestquoi.ca | 1 entries, duplicate nr. 1 |
| Let’s Encrypt Authority X3 | 2019-08-01 | 2019-10-30 | alorscestquoi.ca, www.alorscestquoi.ca | 2 entries, duplicate nr. 1 |
| Let’s Encrypt Authority X3 | 2019-08-01 | 2019-10-30 | *.alorscestquoi.ca, alorscestquoi.ca | 2 entries, duplicate nr. 1 |
| Let’s Encrypt Authority X3 | 2019-07-07 | 2019-10-05 | alorscestquoi.ca | 1 entries |

But you use the wrong certificate with only one domain name:

| CN | not before | not after | Expiry | Domain names |
|---|---|---|---|---|
| CN=alorscestquoi.ca | 07.07.2019 | 05.10.2019 | expires in 65 days | alorscestquoi.ca - 1 entry |

So your www version isn’t secure.

Browsers cache redirects or preferred versions, so you can’t check that with a browser.

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://alorscestquoi.ca/ (52.60.206.14) | 301 | https://alorscestquoi.ca/ | 0.427 | A |
| http://www.alorscestquoi.ca/ (52.60.206.14) | 301 | https://www.alorscestquoi.ca/ | 0.414 | A |
| https://alorscestquoi.ca/ (52.60.206.14) | 200 | | 4.270 | B |
| https://www.alorscestquoi.ca/ (52.60.206.14) | 200 | | 4.160 | N (Certificate error: RemoteCertificateNameMismatch) |

Install the certificate with both domain names or install the wildcard certificate.

1 Like
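The check above (what the server actually presents for each SNI name, and whether its SAN list covers that name) can be reproduced without a browser cache getting in the way. The following is an added example, not code from the thread or from Let's Encrypt/Bitnami: it re-implements the browser-side name match, fetches the served certificate with hostname checking disabled so a mismatch is reported instead of raised, and fingerprints the PEM file Apache is configured with so it can be compared with what the server really sent. The two `*_CERT` dicts are constructed to mirror the thread's certificates; the hostnames and port are those from the thread.

```python
import base64
import hashlib
import socket
import ssl

# Constructed descriptions in the dict form ssl.SSLSocket.getpeercert() returns;
# they mirror the two certificates discussed in the thread (not real cert data).
OLD_CERT = {"subjectAltName": (("DNS", "alorscestquoi.ca"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "alorscestquoi.ca"),
                                    ("DNS", "*.alorscestquoi.ca"))}

def san_dns_names(cert):
    """DNS entries of the certificate's subjectAltName extension."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, hostname):
    """RFC 6125 style match: a wildcard is only the whole leftmost label and covers
    exactly one label, so *.example.ca covers www.example.ca, not example.ca."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    tail, labels = pattern.split(".")[1:], hostname.split(".")
    return len(labels) == len(tail) + 1 and labels[1:] == tail

def cert_covers(cert, hostname):
    """The check a browser makes before trusting the name: does any SAN cover it?"""
    return any(name_matches(n, hostname) for n in san_dns_names(cert))

def fetch_cert(hostname, port=443):
    """Fetch what the server presents for this SNI name. The chain is still verified,
    but hostname checking is off so a name mismatch is returned, not raised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)

def der_fingerprint(der_bytes):
    return hashlib.sha256(der_bytes).hexdigest()

def pem_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM file such as Apache's server.crt,
    to compare with der_fingerprint() of what the server actually sent."""
    body = pem_text.split("-----BEGIN CERTIFICATE-----", 1)[1]
    return der_fingerprint(base64.b64decode(body.split("-----END CERTIFICATE-----", 1)[0]))

if __name__ == "__main__":
    for host in ("alorscestquoi.ca", "www.alorscestquoi.ca"):
        info, der = fetch_cert(host)
        print(host, cert_covers(info, host), san_dns_names(info), der_fingerprint(der)[:16])
```

If the fingerprint printed for a host differs from `pem_fingerprint(open("/opt/bitnami/apache2/conf/server.crt").read())`, the running Apache is not serving the file you think it is.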

Thanks for your detailed explanation! But I still can’t figure out what’s causing it? This is how I create my certificate:

$ DOMAIN=alorscestquoi.ca
$ WILDCARD=*.$DOMAIN
$ sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly
    - Congratulations! Your certificate and chain have been saved at:
        /etc/letsencrypt/live/alorscestquoi.ca-0002/fullchain.pem
        Your key file has been saved at:
        /etc/letsencrypt/live/alorscestquoi.ca-0002/privkey.pem
        Your cert will expire on 2019-10-30
        [...]
$ sudo /opt/bitnami/ctlscript.sh stop
$ sudo ln -s /etc/letsencrypt/live/$DOMAIN-0002/privkey.pem /opt/bitnami/apache2/conf/server.key
$ sudo ln -s /etc/letsencrypt/live/$DOMAIN-0002/fullchain.pem /opt/bitnami/apache2/conf/server.crt
$ sudo /opt/bitnami/ctlscript.sh start
    httpd started at port 80
    [...]

And I can’t see any issues with this, since I use exactly the certificate that got created. Any ideas what I am missing here?

1 Like

As written. Your last / newest certificate is a wildcard certificate. But you don't use it. Perhaps * doesn't work correctly in your environment.

What does `certbot certificates` say?

PS: Or you have an orphaned Bitnami process. So a hard reboot may be helpful.

1 Like

I tried a restart but that didn’t solve the issue.

$ sudo certbot certificates
    Renewal configuration file /etc/letsencrypt/renewal/alorscestquoi.ca-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/alorscestquoi.ca-0001/cert.pem to be a symlink. Skipping.
    Renewal configuration file /etc/letsencrypt/renewal/alorscestquoi.ca.conf produced an unexpected error: expected /etc/letsencrypt/live/alorscestquoi.ca/cert.pem to be a symlink. Skipping.
    Renewal configuration file /etc/letsencrypt/renewal/www.alorscestquoi.ca.conf produced an unexpected error: expected /etc/letsencrypt/live/www.alorscestquoi.ca/cert.pem to be a symlink. Skipping.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Found the following certs:
    Certificate Name: alorscestquoi.ca-0002
        Domains: alorscestquoi.ca *.alorscestquoi.ca
        Expiry Date: 2019-10-30 19:00:37+00:00 (VALID: 89 days)
        Certificate Path: /etc/letsencrypt/live/alorscestquoi.ca-0002/fullchain.pem
        Private Key Path: /etc/letsencrypt/live/alorscestquoi.ca-0002/privkey.pem

    The following renewal configurations were invalid:
    /etc/letsencrypt/renewal/alorscestquoi.ca-0001.conf
    /etc/letsencrypt/renewal/alorscestquoi.ca.conf
    /etc/letsencrypt/renewal/www.alorscestquoi.ca.conf

And my “installed” certificate -0002 seems to be quite right. It contains the non-www and a wildcard certificate.

1 Like

Do you think it's worth trying a simple www. certificate instead of the wildcard?

1 Like

Then check the next rows.

Is the result correct? Is /opt/bitnami/apache2/conf correct?

You use the certificate created 2019-07-07, so the bitnami part is wrong.

1 Like

That's not the problem, your bitnami uses the wrong certificate.

1 Like

You made my day! I indeed had a typo in the path where the certificates are stored, serve.crt, where an older certificate was stored though. Thanks, and many, many thanks!

4 Likes
