Www.grahamrmc.com


#1

When I configured my web server to get an SSL Certificate it got the full fqdn on the server which is grmc-web.grahamrmc.com

I have a public dns record that points www and grmc-web to the public dns ip address

I put the following code in my .htaccess file to make sure all my traffic is on port 443

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://grmc-web.grahamrmc.com/$1 [R,L]

Can I change the RewriteRule to https://grahamrmc.com so website visitors don’t see the fqdn of my web server?


#2

I can enter www.grahamrmc.com in the url and it takes me right to the fqdn of the webserver.

I noticed going to https://grahamrmc.com returns a not secured check in google chrome…


#3

Hi @Bogle

you can’t check that with a browser. A browser caches redirects, sometimes certificates and https. Use online tools:

Checking your domain via https://check-your-website.server-daten.de/?q=grahamrmc.com

Domainname                          Http-Status  redirect                          Sec.   G
http://grahamrmc.com/
  12.5.52.50                        302          https://grmc-web.grahamrmc.com/   0.293  E
http://www.grahamrmc.com/
  12.5.52.50                        302          https://grmc-web.grahamrmc.com/   0.290  E
https://grahamrmc.com/
  12.5.52.50                        200                                            7.317  N
  Certificate error: RemoteCertificateNameMismatch
https://www.grahamrmc.com/
  12.5.52.50                        200                                            7.074  N
  Certificate error: RemoteCertificateNameMismatch
https://grmc-web.grahamrmc.com/     200                                            7.230  A

The certificate has only one domain name:

CN=grmc-web.grahamrmc.com
	10.01.2019
	10.04.2019
	grmc-web.grahamrmc.com - 1 entry

So both domain names grahamrmc.com and www.grahamrmc.com are insecure.

But: You have that

so your redirect to grmc-web is wrong. Remove this redirect, this isn’t required.

Your fqdn is only visible if you create a redirect.

If your dns entry of www.grahamrmc.com has this ip address, there is no need to redirect to your fqdn.
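As an added example (not from the thread), this is the name-matching check behind the checker's RemoteCertificateNameMismatch result: it takes the single SAN shown above and the three names the site should answer on, and reports which ones a browser would reject. The constant lists and the live_sans helper are assumptions for illustration; the SAN check runs offline on the constructed input.

```python
import ssl
import socket

# Constructed inputs: the SAN list the checker reported for the served
# certificate, and the three names the site is expected to answer on.
CERT_SANS = ["grmc-web.grahamrmc.com"]
SITE_NAMES = ["grahamrmc.com", "www.grahamrmc.com", "grmc-web.grahamrmc.com"]


def hostname_matches(pattern, host):
    """RFC 6125 style match: case-insensitive, and a '*' may only stand for
    the whole leftmost label, never crossing a dot. So *.example.com covers
    www.example.com but neither example.com nor a.b.example.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def uncovered_names(sans, names):
    """Return the names a TLS client would reject as a name mismatch."""
    return [n for n in names if not any(hostname_matches(s, n) for s in sans)]


def live_sans(host, port=443):
    """Fetch the DNS SANs of the certificate a host actually serves.
    Host-name checking is turned off so a mismatched certificate can still be
    read; the chain is still verified against the system trust store."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


if __name__ == "__main__":
    # Offline run over the constructed inputs; swap in live_sans(host) to
    # check what a server really presents.
    for name in uncovered_names(CERT_SANS, SITE_NAMES):
        print("name mismatch:", name)
```

A redirect cannot fix a mismatch: the browser validates the certificate for the name it first connects to, before any redirect is seen.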


#4

Thanks for the quick response. I removed the https redirect but not sure how to proceed with renewing the SSL certificate. I should have bought a Wildcard certificate since I have purchased 3 PositiveSSL Multi-Domain Certificates in the past year from namecheap.com


#5

The website was on a hosting provider’s shared hosting server and it took up to 20 seconds for the first webpage to load. I built a virtual CentOS 7 LAMP server and followed the steps to get an SSL Certificate from Let’s Encrypt using the server name.


#6

Yep, now there is no such wrong redirect. You see:

Domainname                          Http-Status  redirect   Sec.   G
http://grahamrmc.com/
  12.5.52.50                        200                     0.920  H
http://www.grahamrmc.com/
  12.5.52.50                        200                     0.920  H
https://grahamrmc.com/
  12.5.52.50                        200                     7.076  N
  Certificate error: RemoteCertificateNameMismatch
https://www.grahamrmc.com/
  12.5.52.50                        200                     7.070  N
  Certificate error: RemoteCertificateNameMismatch
http://grahamrmc.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
  12.5.52.50                        404                     0.957  A
  Not Found
http://www.grahamrmc.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
  12.5.52.50                        404                     0.917  A
  Not Found

Now the http status is 200, the url is unchanged. Now create a certificate. Perhaps use Certbot.


#7

Again thank you for your feedback, I really appreciate it.

I used Certbot on my CentOS 7 server… I am searching for the command I used to generate the certificate to see exactly what I typed so I can figure out how to regenerate the certificate with grmc-web.grahamrmc.com, grahamrmc.com, and www.grahamrmc.com


#8

Try:
history | grep -Ei 'certbot|letsencrypt'


#9

That didn’t return any results. Will the Let’s Encrypt logs say exactly how I did this?


#10

Perhaps…
If they go back far enough.


#11

I removed all the hyperlinks and tried to clean this up a little…

Looking under the /var/log/letsencrypt/ directory

This is what it said today…
2019-02-05 14:12:51,585:DEBUG:certbot.main:certbot version: 0.29.1
2019-02-05 14:12:51,585:DEBUG:certbot.main:Arguments:
2019-02-05 14:12:51,585:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-02-05 14:12:51,644:DEBUG:certbot.log:Root logging level set at 20
2019-02-05 14:12:51,644:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-02-05 14:12:51,996:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/live/grmc-web.grahamrmc.com/cert.pem
2019-02-05 14:12:51,999:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/grmc-web.grahamrmc.com/chain.pem -cert /etc/letsencrypt/live/grmc-web.grahamrmc.com/cert.pem -url http://ocsp.int-x3.letsencrypt.org -CAfile /etc/letsencrypt/live/grmc-web.grahamrmc.com/chain.pem -verify_other /etc/letsencrypt/live/grmc-web.grahamrmc.com/chain.pem -trust_other -header Host ocsp.int-x3.letsencrypt.org

Certificate was created back in January

Server says nginx instead of apache below, not sure what that means.

2019-01-09 20:31:48,167:DEBUG:certbot.main:certbot version: 0.29.1
2019-01-09 20:31:48,168:DEBUG:certbot.main:Arguments: ['--webroot', '-w', '/var/www/html/', '--renew-by-default', '--email', 'admin@grahamrmc.com', '--text', '--agree-tos', '-d', 'grmc-web.grahamrmc.com']
2019-01-09 20:31:48,168:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-01-09 20:31:48,215:DEBUG:certbot.log:Root logging level set at 20
2019-01-09 20:31:48,216:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-01-09 20:31:48,217:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2019-01-09 20:31:48,219:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f05d904fb10>
Prep: True
2019-01-09 20:31:48,219:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f05d904fb10> and installer None
2019-01-09 20:31:48,219:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2019-01-09 20:31:48,269:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/49238450', new_authzr_uri=None, terms_of_service=None), 3803d51f4c46547056d0f17b71c9214e, Meta(creation_host=u'netmon.noc.grahamrmc.com', creation_dt=datetime.datetime(2019, 1, 10, 2, 15, 25, tzinfo=)))>
2019-01-09 20:31:48,312:DEBUG:acme.client:Sending GET request to
2019-01-09 20:31:48,328:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2019-01-09 20:31:53,433:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 658
2019-01-09 20:31:53,435:DEBUG:acme.client:Received response:
HTTP 200
content-length: 658
expires: Thu, 10 Jan 2019 02:31:53 GMT
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Thu, 10 Jan 2019 02:31:53 GMT
x-frame-options: DENY
content-type: application/json

2019-01-09 20:31:53,438:INFO:certbot.main:Obtaining a new certificate
2019-01-09 20:31:53,788:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0005_key-certbot.pem
2019-01-09 20:31:53,793:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0005_csr-certbot.pem
2019-01-09 20:31:53,794:DEBUG:acme.client:Requesting fresh nonce
2019-01-09 20:31:53,794:DEBUG:acme.client:Sending HEAD request to
2019-01-09 20:31:53,843:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-nonce HTTP/1.1" 204 0
2019-01-09 20:31:53,844:DEBUG:acme.client:Received response:
HTTP 204
expires: Thu, 10 Jan 2019 02:31:54 GMT
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Thu, 10 Jan 2019 02:31:54 GMT
x-frame-options: DENY

{
  "identifiers": [
    {
      "type": "dns",
      "value": "grmc-web.grahamrmc.com"
    }
  ]
}
2019-01-09 20:31:53,851:DEBUG:acme.client:Sending POST request to

2019-01-09 20:31:53,932:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-order HTTP/1.1" 201 379
2019-01-09 20:31:53,933:DEBUG:acme.client:Received response:
HTTP 201
content-length: 379
expires: Thu, 10 Jan 2019 02:31:54 GMT
cache-control: max-age=0, no-cache, no-store
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
location:
pragma: no-cache
boulder-requester: 49238450
date: Thu, 10 Jan 2019 02:31:54 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce:

{
  "status": "ready",
  "expires": "2019-01-17T02:31:54.288668501Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "grmc-web.grahamrmc.com"
    }
  ],
  "authorizations": [

  ],
  "finalize":
}
2019-01-09 20:31:53,933:DEBUG:acme.client:Storing nonce: lfwVHiNDWdB3ziCiQG3zG7lb80QyoWAgqenxPPlM0Rk
2019-01-09 20:31:53,934:DEBUG:acme.client:JWS payload:

2019-01-09 20:31:53,939:DEBUG:acme.client:Sending POST request to
2019-01-09 20:31:54,001:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/authz/2S2sTIG39VUsJMo5z4yCaPjjrC233SkTbx7OGSMEZbw HTTP/1.1" 200 1272
2019-01-09 20:31:54,002:DEBUG:acme.client:Received response:
HTTP 200
content-length: 1272
expires: Thu, 10 Jan 2019 02:31:54 GMT
cache-control: max-age=0, no-cache, no-store
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
pragma: no-cache
boulder-requester: 49238450
date: Thu, 10 Jan 2019 02:31:54 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: E-c

{
  "identifier": {
    "type": "dns",
    "value": "grmc-web.grahamrmc.com"
  },
  "status": "valid",
  "expires": "2019-02-09T02:29:40Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "valid",
      "url": "",
      "token": "",
      "validationRecord": [
        {
          "url": "",
          "hostname": "grmc-web.grahamrmc.com",
          "port": "80",
          "addressesResolved": [
            "12.5.52.50"
          ],
          "addressUsed": "12.5.52.50"


#12

It used --webroot -w /var/www/html/


#13

The three names probably don’t use the same webroot.
[if they do then they can be combined into one cert quite easily]

certbot renew -–webroot -w /var/www/html/ -d grahamrmc.com -d www.grahamrmc.com -d grmc-web.grahamrmc.com –installer null

So, they may need their own certs or you will have to specify the root for each domain.
If so, maybe something like this can work:

certbot renew \
–webroot -w /root/for/grahamrmc/ -d grahamrmc.com \
–webroot -w /root/for/www/ -d www.grahamrmc.com \
–webroot -w /var/www/html/ -d grmc-web.grahamrmc.com \
–installer null


#14

And to cover all bases…
If they do need their own certs, you can call certbot three times (once for each):

certbot renew –webroot -w /root/for/grahamrmc/ -d grahamrmc.com –installer null
certbot renew –webroot -w /root/for/www/ -d www.grahamrmc.com –installer null
certbot renew –webroot -w /var/www/html/ -d grmc-web.grahamrmc.com –installer null

#15

I can’t get this to work. Maybe it’s because the certificate has to be revoked and create a new certificate…

I got “command not found” when trying to combine them into one cert

Then when I tried to generate their own certs:

certbot: error: unrecognized arguments: -€“webroot €“-webroot €“-webroot -€“installer null

I saw a similar unrecognized arguments post on here where some information was requested:

I am running certbot 0.29.1

Here is what my renewal file under /etc/letsencrypt/renewal shows:

# renew_before_expiry = 30 days

version = 0.29.1
archive_dir = /etc/letsencrypt/archive/grmc-web.grahamrmc.com
cert = /etc/letsencrypt/live/grmc-web.grahamrmc.com/cert.pem
privkey = /etc/letsencrypt/live/grmc-web.grahamrmc.com/privkey.pem
chain = /etc/letsencrypt/live/grmc-web.grahamrmc.com/chain.pem
fullchain = /etc/letsencrypt/live/grmc-web.grahamrmc.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = webroot
account = ********************************************
webroot_path = /var/www/html,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
grmc-web.grahamrmc.com = /var/www/html

My domain is: grahamrmc.com

My web server is (include version): httpd-2.4.6-88.el7.centos.x86_64

The operating system my web server runs on is (include version): CentOS Linux release 7.6.1810 (Core)

My hosting provider, if applicable, is: N/A, it’s on-premises

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no


#16

It seems to have merged two dashes into one longer dash…
So, those should have two dashes (not a single long dash).

certbot renew --webroot -w /root/for/grahamrmc/ -d grahamrmc.com --installer null
certbot renew --webroot -w /root/for/www/ -d www.grahamrmc.com --installer null
certbot renew --webroot -w /var/www/html/ -d grmc-web.grahamrmc.com --installer null

#17

2019-02-07 21:03:09,192:DEBUG:certbot.main:certbot version: 0.29.1
2019-02-07 21:03:09,192:DEBUG:certbot.main:Arguments: ['--webroot', '-w', '/var/www/html/', '-d', 'fqdn server', '--installer', 'null']
2019-02-07 21:03:09,192:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-02-07 21:03:09,242:DEBUG:certbot.log:Root logging level set at 20
2019-02-07 21:03:09,242:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-02-07 21:03:09,244:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 9, in
load_entry_point('certbot==0.29.1', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1352, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1259, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 382, in handle_renewal_request
raise errors.Error("Currently, the renew verb is capable of either "
Error: Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.


#18

2019-02-07 21:05:37,131:DEBUG:certbot.main:certbot version: 0.29.1
2019-02-07 21:05:37,131:DEBUG:certbot.main:Arguments: ['--webroot', '-w', '/var/www/', '-d', 'www. mydomain . com', '--installer', 'null']
2019-02-07 21:05:37,131:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-02-07 21:05:37,181:DEBUG:certbot.log:Root logging level set at 20
2019-02-07 21:05:37,181:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-02-07 21:05:37,182:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 9, in
load_entry_point('certbot==0.29.1', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1352, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1259, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 382, in handle_renewal_request
raise errors.Error("Currently, the renew verb is capable of either "
Error: Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.


#19

certbot renew --webroot -w /root/for/grahamrmc/ -d grahamrmc.com --installer null

/root/for/grahamrmc/ does not exist or is not a directory


#20

Please post the latest entries from the log file:
/var/log/letsencrypt/letsencrypt.log