Hi, I have an AWS Lightsail instance and want to use LetsEncrypt. I followed the usual guides from
https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress
but only the non-www domain works fine. The www address fails to load in Edge and Safari (but Chrome accepts it).
https://www.alorscestquoi.ca (fails in Safari and Edge, works in Chrome)
https://alorscestquoi.ca (works in Safari, Edge, Chrome)
Any ideas what it could be? Thanks a lot!
Hi @Sebastian41
you have created some certificates ( https://check-your-website.server-daten.de/?q=wfbrace.net#ct-logs ):
| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let’s Encrypt Authority X3 | 2019-08-01 | 2019-10-30 | *.alorscestquoi.ca, alorscestquoi.ca (2 entries) | duplicate nr. 2 | |
| Let’s Encrypt Authority X3 | 2019-08-01 | 2019-10-30 | www.alorscestquoi.ca (1 entries) | duplicate nr. 1 | |
| Let’s Encrypt Authority X3 | 2019-08-01 | 2019-10-30 | alorscestquoi.ca, www.alorscestquoi.ca (2 entries) | duplicate nr. 1 | |
| Let’s Encrypt Authority X3 | 2019-08-01 | 2019-10-30 | *.alorscestquoi.ca, alorscestquoi.ca (2 entries) | duplicate nr. 1 | |
| Let’s Encrypt Authority X3 | 2019-07-07 | 2019-10-05 | alorscestquoi.ca (1 entries) | | |
But you use the wrong certificate with only one domain name:
CN=alorscestquoi.ca | 07.07.2019 | 05.10.2019 | expires in 65 days | alorscestquoi.ca - 1 entry
So your www version isn’t secure.
Browsers cache redirects or preferred versions, so you can’t check that with a browser.
Install the certificate with both domain names or install the wildcard certificate.
Thanks for your detailed explanation! But I still can’t figure out what’s causing it? This is how I create my certificate:
$ DOMAIN=alorscestquoi.ca
$ WILDCARD="*.$DOMAIN"
$ sudo certbot -d "$DOMAIN" -d "$WILDCARD" --manual --preferred-challenges dns certonly
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/alorscestquoi.ca-0002/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/alorscestquoi.ca-0002/privkey.pem
Your cert will expire on 2019-10-30
[...]
$ sudo /opt/bitnami/ctlscript.sh stop
$ sudo ln -s /etc/letsencrypt/live/$DOMAIN-0002/privkey.pem /opt/bitnami/apache2/conf/server.key
$ sudo ln -s /etc/letsencrypt/live/$DOMAIN-0002/fullchain.pem /opt/bitnami/apache2/conf/server.crt
$ sudo /opt/bitnami/ctlscript.sh start
httpd started at port 80
[...]
And I can’t see any issues with this, since I use exactly the certificate that got created. Any ideas what I am missing here?
As written. Your last / newest certificate is a wildcard certificate. But you don't use it. Perhaps * doesn't work correctly in your environment.
What does this say?
certbot certificates
PS: Or you have an orphaned Bitnami process. So a hard reboot may be helpful.
I tried a restart but that didn’t solve the issue.
$ sudo certbot certificates
Renewal configuration file /etc/letsencrypt/renewal/alorscestquoi.ca-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/alorscestquoi.ca-0001/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/alorscestquoi.ca.conf produced an unexpected error: expected /etc/letsencrypt/live/alorscestquoi.ca/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/www.alorscestquoi.ca.conf produced an unexpected error: expected /etc/letsencrypt/live/www.alorscestquoi.ca/cert.pem to be a symlink. Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: alorscestquoi.ca-0002
Domains: alorscestquoi.ca *.alorscestquoi.ca
Expiry Date: 2019-10-30 19:00:37+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/alorscestquoi.ca-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/alorscestquoi.ca-0002/privkey.pem
The following renewal configurations were invalid:
/etc/letsencrypt/renewal/alorscestquoi.ca-0001.conf
/etc/letsencrypt/renewal/alorscestquoi.ca.conf
/etc/letsencrypt/renewal/www.alorscestquoi.ca.conf
And it seems my “installed” certificate -0002 is quite right. It contains the non-www and a wildcard certificate.
Do you think it's worth trying a simple www. certificate instead of the wildcard?
Then check the next rows.
Is the result correct? Is /opt/bitnami/apache2/conf correct?
Sebastian41:
alorscestquoi.ca
You use the certificate created 2019-07-07, so the bitnami part is wrong.
That's not the problem, your bitnami uses the wrong certificate.
You made my day! I indeed had a typo in the path where the certificates are stored, serve.crt, where an older certificate was stored though. Thanks, and thank you very, very much!
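Added example, not part of the original thread: a shell check for the failure diagnosed above, where the certificate path Apache reads did not point at the newest certbot lineage, plus a comparison of the certificate actually served (per SNI name, without a browser) against the file on disk. The function names are hypothetical; it assumes openssl and GNU readlink -f are available.

```shell
#!/bin/sh
# Added example (hypothetical function names). Assumes openssl and GNU readlink -f.

# check_link LINK EXPECTED: succeed only if LINK is a symlink that resolves
# to the same file as EXPECTED (for example a certbot live/ path).
check_link() {
    link=$1; expected=$2
    if [ ! -e "$expected" ]; then
        echo "FAIL: expected target $expected does not exist"; return 1
    fi
    if [ ! -L "$link" ]; then
        echo "FAIL: $link is not a symlink (missing, or a stale copied file)"; return 1
    fi
    actual=$(readlink -f "$link")
    wanted=$(readlink -f "$expected")
    if [ "$actual" != "$wanted" ]; then
        echo "FAIL: $link -> $actual, expected $wanted"; return 1
    fi
    echo "OK: $link -> $actual"
}

# file_fp PEM: SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
file_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# served_fp HOST [PORT]: fingerprint of the certificate the server presents
# when HOST is requested via SNI. Unlike a browser, nothing is cached.
served_fp() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# check_served HOST PEM: fail if the served certificate differs from the file.
check_served() {
    served=$(served_fp "$1") || { echo "FAIL: no certificate from $1"; return 1; }
    disk=$(file_fp "$2") || { echo "FAIL: cannot read certificate $2"; return 1; }
    if [ "$served" != "$disk" ]; then
        echo "FAIL: $1 serves a different certificate than $2"; return 1
    fi
    echo "OK: $1 serves $2"
}

# Usage with the paths from this thread:
#   check_link /opt/bitnami/apache2/conf/server.crt /etc/letsencrypt/live/alorscestquoi.ca-0002/fullchain.pem
#   check_served www.alorscestquoi.ca /etc/letsencrypt/live/alorscestquoi.ca-0002/fullchain.pem
```

Run check_served once per hostname (apex and www), since the server may select a different certificate for each SNI name.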