
I am trying to set up a wildcard certificate using Let's Encrypt on an Ubuntu 18.04 server running apache2, for domain abc.def.com (not the real domain name) and all subdomains (*.abc.def.com).

I have succeeded in generating the certificate manually using the following command:

certbot certonly --manual -d abc.def.com -d *.abc.def.com

I followed the directions, created a TXT record for the abc.def.com domain, etc. and received confirmation that the certificate was successfully created and saved in /etc/letsencrypt/live/

I modified the site's /etc/apache2/sites-enabled/001-abcsite-le-ssl.conf to ensure it referenced the new certificates in /etc/letsencrypt/live as follows:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName abc.def.com

    ServerAdmin webmaster@def.com
    DocumentRoot /var/www/abc

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLCertificateFile /etc/letsencrypt/live/abc.def.net-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/abc.def.net-0001/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

I restarted apache2 and confirmed no errors reported.

service apache2 restart

Now, when I attempt to access https://abc.def.com I get an SSL_ERROR_BAD_CERT_DOMAIN error, stating "This certificate is only valid for *.abc.def.com".

I don't understand why, since I included options for both abc.def.com and *.abc.def.com in the certbot request.

I then tried including the non-wildcard certificate I had previously generated, which only applies to abc.def.com, as another set of SSLCertificateFile and SSLCertificateKeyFile directives in the VirtualHost config file, but it doesn't make any difference.

What am I doing wrong?

UPDATE: I was able to force it to work using both certificates by setting up two VirtualHost sections as follows. But there must be something wrong with the wildcard cert if it doesn't cover the root name also, right?

<VirtualHost *:443>
    ServerName abc.def.com
    ServerAdmin webmaster@def.com
    DocumentRoot /var/www/abc
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLCertificateFile /etc/letsencrypt/live/abc.def.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/abc.def.net/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

<VirtualHost *:443>
    ServerName localhost.abc.def.com
    ServerAlias *.abc.def.com
    ServerAdmin webmaster@def.com
    DocumentRoot /var/www/abc
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLCertificateFile /etc/letsencrypt/live/abc.def.net-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/abc.def.net-0001/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

Ryan Griggs
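The behaviour described in the question and the update can be reproduced offline with the following added example (not code from the question or answer). It models Apache's name-based VirtualHost selection on the SNI name and the RFC 6125 rule that a wildcard SAN covers exactly one label, so *.abc.def.com never matches the apex abc.def.com. The assumption, consistent with the browser message, is that the -0001 certificate carried only the wildcard SAN.

```python
import fnmatch
from dataclasses import dataclass, field


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: '*' is allowed only as the whole leftmost label
    and stands for exactly one label. '*.abc.def.com' therefore covers
    'www.abc.def.com' but not 'abc.def.com' and not 'a.b.abc.def.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest:          # reject '*', 'w*.x' and similar forms
        return False
    hfirst, _, hrest = hostname.partition(".")
    return bool(hfirst) and hrest == rest


@dataclass
class VHost:
    server_name: str
    sans: list                                # SAN list of the cert this vhost serves
    aliases: list = field(default_factory=list)


def select_vhost(vhosts: list, sni_name: str) -> VHost:
    """Apache name-based selection: the first vhost whose ServerName or
    ServerAlias matches the SNI name wins; ServerAlias globs are shell-style
    ('*' may span dots). With no match the first vhost on the address:port
    is used as the default, which is why a single vhost always answers."""
    for vh in vhosts:
        names = [vh.server_name, *vh.aliases]
        if any(fnmatch.fnmatchcase(sni_name.lower(), n.lower()) for n in names):
            return vh
    return vhosts[0]


def check(vhosts: list, hostname: str) -> tuple:
    """Return (hostname covered by the served cert?, ServerName of the vhost chosen)."""
    vh = select_vhost(vhosts, hostname)
    return any(san_matches(s, hostname) for s in vh.sans), vh.server_name


# Constructed models of the two layouts in the question (assumed SAN contents).
single = [VHost("abc.def.com", ["*.abc.def.com"])]
split = [
    VHost("abc.def.com", ["abc.def.com"]),                                  # older apex-only cert
    VHost("localhost.abc.def.com", ["*.abc.def.com"], ["*.abc.def.com"]),  # wildcard cert
]
```

With `single`, `check(single, "abc.def.com")` reports the apex as not covered, which is the SSL_ERROR_BAD_CERT_DOMAIN case; with `split`, both the apex and any first-level subdomain are covered because SNI routes each to the vhost holding the matching cert.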

1 Answer

That doesn't look like the correct way to use -d: it should be -d abc.def.com,*.abc.def.com

Mark Wagner

certbot supports multiple -d arguments. See https://certbot.eff.org/lets-encrypt/ubuntubionic-apache. Attempting to renew the cert using a single -d argument yielded a message that the exact same certificate was already present. – Ryan Griggs Jan 19 '19 at 01:42