Posted to users@httpd.apache.org by ri...@hushmail.com on 2016/06/14 19:08:39 UTC

[users@httpd] LetsEncrypt.org with Virtual Hosting

For some time, I have been hosting about 10 sites unencrypted.  But since people other than just myself will be using my squirrelmail, I decided to encrypt my server.  I had delayed it simply because keys are too expensive to buy, but now I learned about LetsEncrypt.org and have been working in that direction.

So far, I moved two websites over to this server, example.com and example.info.  My first test of the LetsEncrypt software was of the form of:

# letsencrypt-auto --apache -d example.com

but I ran into a caveat with www.example.com not being accepted.  I decided to re-run with the other domain included as well, so I did the remaining three combinations:

# letsencrypt-auto --apache -d www.example.com -d example.info -d www.example.info

The conf files for the sites are fairly straight-forward in my mind.  There are four of them:

#/etc/apache2/sites-available/80-example.com
<IfModule mod_ssl.c>
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/example.com/public_html/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
ServerName example.com
ServerAlias www.example.com
</VirtualHost>
</IfModule>

#/etc/apache2/sites-available/443-example.com
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@example.com
DocumentRoot /var/www/example.com/public_html/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ServerName example.com
ServerAlias www.example.com
</VirtualHost>
</IfModule>

#/etc/apache2/sites-available/80-example.info
<IfModule mod_ssl.c>
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/example.info/public_html/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
ServerName example.info
ServerAlias www.example.info
</VirtualHost>
</IfModule>

#/etc/apache2/sites-available/443-example.info
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@example.info
DocumentRoot /var/www/example.info/public_html/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ServerName example.info
ServerAlias www.example.info
</VirtualHost>
</IfModule>

Notice that SSLCertificateFile and SSLCertificateKeyFile are the same for both of the domains, because they use the same key of example.com.  The website, example.com works perfectly fine.  But example.info has serious problems (On the order of NET::ERR_CERT_COMMON_NAME_INVALID).  Who has an idea on how to fix this?  I can't experiment too much because I'm limited to 5 keys per week so learning this myself is a very slow-track process.

There are a number of HOWTO documents out there, but there is such wide variance in their steps that I have little confidence in them, but I have chosen one and decided to try at it.  Once I get this established, I promise to write a blog article explaining the procedure a little bit better.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] LetsEncrypt.org with Virtual Hosting

Posted by ri...@hushmail.com.
Thanks for the tip.  I never knew about this feature (openssl, encryption in general is new to me).  At the bottom of this reply is the first, and most interesting part of the standard out.  Yes, it does return the cert for example.com, but I thought that example.info was included with that in its creation when I issued the command:

letsencrypt-auto --apache -d example.com
letsencrypt-auto --apache -d www.example.com -d example.info -d www.example.info

I would have combined them into a single command and tried that, but I didn't want to lose one of the 5 precious keys per week.  Is the above not an acceptable method for creating a key for multiple sites?

Output is below:

~$ openssl s_client -connect example.info:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = example.com
verify return:1
---
Certificate chain
 0 s:/CN=example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---


On 6/14/2016 at 9:15 PM, "Filipe Cifali" <ci...@gmail.com> wrote:
>
>You are probably hitting the wrong cert file, check with:
>
>openssl s_client -connect example.info:443
>
>You can also try to disable the first SSL and check if you hit the right
>one after.
>


Re: [users@httpd] LetsEncrypt.org with Virtual Hosting

Posted by ri...@hushmail.com.

On 6/14/2016 at 9:42 PM, "Mathijs Schmittmann" <in...@mathijs.info> wrote:
>
>Hi Filipe,
>>
>> > Notice that SSLCertificateFile and SSLCertificateKeyFile are the
>> > same for both of the domains, because they use the same key of
>> > example.com.  The website, example.com works perfectly fine.  But
>> > example.info has serious problems (On the order of
>> > NET::ERR_CERT_COMMON_NAME_INVALID).  Who has an idea on how to fix
>> > this?  I can't experiment too much because I'm limited to 5 keys
>> > per week so learning this myself is a very slow-track process.
>You might find this interesting:
>https://community.letsencrypt.org/t/testing-against-the-lets-encrypt-staging-environment/6763
>
>Letsencrypt provides a staging environment with much more lenient
>ratelimiting, but of course not signed with the official intermediate
>certificate.
>

I know it exists in theory, but have no clue on how to implement that.  Doing this on my own machine is hard enough, then I have to undo the changes from the staging environment or have my present setup hosed, or insecure without my knowledge.  I don't have the time to reinstall linux because of a botched config file somewhere.  Encryption/security protocols are an obfuscated can of worms that can get ugly very quickly.

>Br,
>Mathijs




Re: [users@httpd] LetsEncrypt.org with Virtual Hosting

Posted by Mathijs Schmittmann <in...@mathijs.info>.
Hi Filipe,
>
> > Notice that SSLCertificateFile and SSLCertificateKeyFile are the
> > same for both of the domains, because they use the same key of
> > example.com.  The website, example.com works perfectly fine.  But
> > example.info has serious problems (On the order of
> > NET::ERR_CERT_COMMON_NAME_INVALID).  Who has an idea on how to fix
> > this?  I can't experiment too much because I'm limited to 5 keys
> > per week so learning this myself is a very slow-track process.
You might find this interesting:
https://community.letsencrypt.org/t/testing-against-the-lets-encrypt-staging-environment/6763

Letsencrypt provides a staging environment with much more lenient
ratelimiting, but of course not signed with the official intermediate
certificate.

Br,
Mathijs



Re: [users@httpd] LetsEncrypt.org with Virtual Hosting

Posted by ri...@hushmail.com.

On 6/14/2016 at 9:39 PM, "Christopher Schultz" <ch...@christopherschultz.net> wrote:
>
>Filipe,
>
>On 6/14/16 3:15 PM, Filipe Cifali wrote:
>> You are probably hitting the wrong cert file, check with:
>>
>> openssl s_client -connect example.info:443
>>
>> You can also try to disable the first SSL and check if you hit the
>> right one after.
>
>You may have to do this:
>
>$ openssl s_client -connect ip_addr:443 -servername 'example.info'
>
>This will allow you to connect to a local test machine and still tell
>the server that you are trying to connect to example.info.

I did this and had nearly identical results, sparing for the later parts that are specific for that session.

>
>Rich,
>
>Why are you using example.info instead of your actual domain name?
>

Because the TLD of one site ends in .info as it is domain1.info and the other one is domain2.info.  I do not want a domain name of mine to exist in a world-readable forum for security reasons.  I'm not a world class expert in security and am not prepared to deal with that right now.  That's one of the reasons why example.TLD exists in the first place.

>-chris
>


Re: [users@httpd] LetsEncrypt.org with Virtual Hosting

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Filipe,

On 6/14/16 3:15 PM, Filipe Cifali wrote:
> You are probably hitting the wrong cert file, check with:
>
> openssl s_client -connect example.info:443
>
> You can also try to disable the first SSL and check if you hit the
> right one after.

You may have to do this:

$ openssl s_client -connect ip_addr:443 -servername 'example.info'

This will allow you to connect to a local test machine and still tell
the server that you are trying to connect to example.info.

Rich,

Why are you using example.info instead of your actual domain name?

-chris



Re: [users@httpd] LetsEncrypt.org with Virtual Hosting

Posted by Filipe Cifali <ci...@gmail.com>.
You are probably hitting the wrong cert file, check with:

openssl s_client -connect example.info:443

You can also try to disable the first SSL and check if you hit the right
one after.


-- 
[ ]'s

Filipe Cifali Stangler
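
Added example, not part of the original thread: a shell audit that checks whether every ServerName/ServerAlias in a 443 vhost is listed in the certificate its SSLCertificateFile points at, the kind of mismatch that NET::ERR_CERT_COMMON_NAME_INVALID reports. The certificates are self-signed stand-ins generated locally; the file names, and the assumption that the example.com certificate names only example.com, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: check that every ServerName/ServerAlias
# in a TLS vhost is covered by the certificate that vhost points at.
# Needs OpenSSL 1.1.1 or later (-addext, used only for the demo certificates).

# cert_covers CERT HOST: succeed if CERT is valid for HOST.
# openssl prints "Hostname H does match certificate" or "... does NOT match ...".
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# vhost_names CONF: print the ServerName and ServerAlias values, one per line.
vhost_names() {
    awk 'tolower($1) == "servername" || tolower($1) == "serveralias" {
             for (i = 2; i <= NF; i++) print $i }' "$1"
}

# vhost_cert CONF: print the SSLCertificateFile path.
vhost_cert() {
    awk 'tolower($1) == "sslcertificatefile" { print $2; exit }' "$1"
}

# audit_vhost CONF: report each name; return non-zero if any is not covered.
audit_vhost() {
    cert=$(vhost_cert "$1")
    rc=0
    for name in $(vhost_names "$1"); do
        if cert_covers "$cert" "$name"; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name (not in $cert)"
            rc=1
        fi
    done
    return "$rc"
}

# --- constructed demo data below; file names are hypothetical ---

# make_cert OUT CN SANS: self-signed stand-in for an issued certificate.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=$3" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# write_vhost CONF CERT NAME ALIAS: minimal copy of a 443 vhost from the thread.
write_vhost() {
    cat > "$1" <<EOF
<VirtualHost *:443>
SSLCertificateFile $2
SSLCertificateKeyFile $2.key
ServerName $3
ServerAlias $4
</VirtualHost>
EOF
}

# make_demo DIR: one certificate naming only example.com (assumed to match the
# first command in the thread) and one naming all four hosts (the combined
# command the poster considered), plus vhosts pointing at each.
make_demo() {
    make_cert "$1/single.pem" example.com 'DNS:example.com' &&
    make_cert "$1/combined.pem" example.com \
        'DNS:example.com,DNS:www.example.com,DNS:example.info,DNS:www.example.info' &&
    write_vhost "$1/info-as-posted.conf" "$1/single.pem" example.info www.example.info &&
    write_vhost "$1/info-fixed.conf" "$1/combined.pem" example.info www.example.info &&
    write_vhost "$1/com-as-posted.conf" "$1/single.pem" example.com www.example.com
}

demo_dir=$(mktemp -d) && make_demo "$demo_dir" && {
    for conf in info-as-posted com-as-posted info-fixed; do
        echo "== $conf"
        audit_vhost "$demo_dir/$conf.conf" || echo "-> certificate does not cover this vhost"
    done
}
```

To test what a running server presents rather than a file on disk, pipe `openssl s_client -connect ip_addr:443 -servername example.info </dev/null` into `openssl x509 -noout -checkhost example.info`.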