Www.grahamrmc.com


#21

That was not to be used literally.
That was merely representative of your actual root directory.


#22

2019-02-07 21:11:20,812:DEBUG:certbot.main:certbot version: 0.29.1
2019-02-07 21:11:20,812:DEBUG:certbot.main:Arguments: [’–webroot’, ‘-w’, ‘/var/www/html/’, ‘-d’, ‘www.grahamrmc.com’, ‘–installer’, ‘null’]
2019-02-07 21:11:20,812:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-02-07 21:11:20,861:DEBUG:certbot.log:Root logging level set at 20
2019-02-07 21:11:20,861:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-02-07 21:11:20,862:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 9, in
load_entry_point(‘certbot==0.29.1’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python2.7/site-packages/certbot/main.py”, line 1352, in main
return config.func(config, plugins)
File “/usr/lib/python2.7/site-packages/certbot/main.py”, line 1259, in renew
renewal.handle_renewal_request(config)
File “/usr/lib/python2.7/site-packages/certbot/renewal.py”, line 382, in handle_renewal_request
raise errors.Error("Currently, the renew verb is capable of either "
Error: Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.


#23

Please show the output of:
certbot certificates


#24

Found the following certs:
Certificate Name: grmc-web.grahamrmc.com
Domains: grmc-web.grahamrmc.com
Expiry Date: 2019-04-10 01:31:57+00:00 (VALID: 60 days)
Certificate Path: /etc/letsencrypt/live/grmc-web.grahamrmc.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/grmc-web.grahamrmc.com/privkey.pem



#25

it saved this to a new /var/log/letsencrypt.log

2019-02-07 21:14:14,537:DEBUG:certbot.main:certbot version: 0.29.1
2019-02-07 21:14:14,537:DEBUG:certbot.main:Arguments:
2019-02-07 21:14:14,537:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-02-07 21:14:14,585:DEBUG:certbot.log:Root logging level set at 20
2019-02-07 21:14:14,585:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-02-07 21:14:14,749:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/live/grmc-web.grahamrmc.com/cert.pem
2019-02-07 21:14:14,751:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/grmc-web.grahamrmc.com/chain.pem -cert /etc/letsencrypt/live/grmc-web.grahamrmc.com/cert.pem -url http://ocsp.int-x3.letsencrypt.org -CAfile /etc/letsencrypt/live/grmc-web.grahamrmc.com/chain.pem -verify_other /etc/letsencrypt/live/grmc-web.grahamrmc.com/chain.pem -trust_other -header Host ocsp.int-x3.letsencrypt.org


#26

OK. This one is good for 60 days.

Let’s see about getting the other two certs.

Start with finding their actual document roots.
Please show the output of:
grep -Eri 'ServerName|ServerAlias|Listen|DocumentRoot' /etc/apache2


#27

Ok I had to change /etc/apache2 to /etc/httpd

Looks like I need to define ip address and servername in the httpd config file

grep -Eri ‘ServerName|ServerAlias|Listen|DocumentRoot’ /etc/httpd
/etc/httpd/conf/httpd.conf:# Listen: Allows you to bind Apache to specific IP addresses and/or
/etc/httpd/conf/httpd.conf:# Change this to Listen on specific IP addresses as shown below to
/etc/httpd/conf/httpd.conf:#Listen 12.34.56.78:80
/etc/httpd/conf/httpd.conf:Listen 80
/etc/httpd/conf/httpd.conf:#ServerName gives the name and port that the server uses to identify itself.
/etc/httpd/conf/httpd.conf:#ServerName www.example.com:80
/etc/httpd/conf/httpd.conf:# DocumentRoot: The directory out of which you will serve your
/etc/httpd/conf/httpd.conf:DocumentRoot “/var/www/html”
/etc/httpd/conf/httpd.conf: # access content that does not live under the DocumentRoot.
/etc/httpd/conf.d/ssl.conf:# When we also provide SSL we have to listen to the
/etc/httpd/conf.d/ssl.conf:Listen 443 https
/etc/httpd/conf.d/ssl.conf:DocumentRoot “/var/www/html”
/etc/httpd/conf.d/ssl.conf:ServerName grmc-web.grahamrmc.com:443


#28

Looks like you have no virtualhost for the other two names:
grahamrmc.com
www.grahamrmc.com

Create them first.
Or add them to the existing config [as ServerAlias(es)].
Then test that they are accessible from the Internet:
http://grahamrmc.com
http://www.grahamrmc.com

Let me know when that is working…


#29

would you like to see the virtualhost settings in my /etc/httpd/conf.d/ssl.conf?


#30

The SSL conf in not the problem now.
The regular HTTP conf is the problem.
It lacks the two additional names you are trying to get.


#31

In case I’m not online when you get that going…

And presuming that both new names will be serving the same content from the same vhost config.
You can use this to generate a new cert with both names on it:

certbot certonly --webroot -w /WHATEVER/ROOT/YOU/USED/ -d grahamrmc.com -d www.grahamrmc.com --installer null

You can always check with:
certbot certificates
[to see what names are covered, where their cert files are, and when each cert expires]


#32

So I should just create 2 vhost.conf files and change the port from 80 to 443 and put them under /etc/httpd?

VirtualHost *:80>
DocumentRoot /var/www/html
ServerName www.grahamrmc.com
/VirtualHost

VirtualHost *:80>
DocumentRoot /var/www/html
ServerName grahamrmc.com
/VirtualHost


#33

That should work…
But you can combine them as:

<VirtualHost *:80>
DocumentRoot /var/www/html
ServerName grahamrmc.com
ServerAlias www.grahamrmc.com
</VirtualHost>

#34

I created a vhost.conf file and put this in it.

<VirtualHost :80>
DocumentRoot /var/www/html
ServerName www.grahamrmc.com
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.
)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

<VirtualHost :80>
DocumentRoot /var/www/html
ServerName grahamrmc.com
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.
)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

I ran the command "certbox certonly --webroot -w /var/www/html/ -d grahamrmc.com -d www.grahamrmc.com --installer null

Looks like that worked!


#35

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: grmc-web.grahamrmc.com
Domains: grmc-web.grahamrmc.com
Expiry Date: 2019-04-10 01:31:57+00:00 (VALID: 60 days)
Certificate Path: /etc/letsencrypt/live/grmc-web.grahamrmc.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/grmc-web.grahamrmc.com/privkey.pem
Certificate Name: grahamrmc.com
Domains: grahamrmc.com www.grahamrmc.com
Expiry Date: 2019-05-09 03:33:13+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/grahamrmc.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/grahamrmc.com/privkey.pem


I may have to do something else like make a ssl.conf file for those 2 virtual host files…


#36

Congratulations!


#37

Well yes.
Now you can use the new cert somewhere.

The main point to having separate vhost configs is being able to point to different document roots.
The main reason for having different document roots is to serve different content/sites.
[independently from each other document root]

So if they all provide the same content, then they can use the same document root, and also the same vhost config.
If they provide different content, then they can’t use the same document root, nor the same vhost config.
Typically each document root/ vhost config gets its’ own cert.
[this can simplify things]

Site = “X”
DocumentRoot = “X”
VhostConfig = “X”
Cert = “X”

Site = “Y”
DocumentRoot = “Y”
VhostConfig = “Y”
Cert = “Y”


#38

Hopefully I did it right by putting

SSLCertificateFile /etc/letsencrypt/live/grahamrmc.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/grahamrmc.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/grahamrmc.com/fullchain.pem

under each virtualhost *80 defination

So thats where you want to put any rewrite rules? I had that in a .htaccess file which seemed to cause problems with some of my website vistors.


#39

The *:80 is NOT where the SSLCert lines go.
Certs go with the *:443

The rewrite rules do go in the *:80
Because they tell the (http) :80 visitor to go to the (https) :443 site.


#40

Gotchya

I copied that vhost file and pasted it as sslvhost

I removed the SSLCert lines from the vhost file
Left the rewrite rules from 80 to 443.

Then on the sslvhost file I changed the port from 80 to 443
removed the redir rules and keel the SSLCert lines there.