Re: LetsEncrypt.org with Virtual Hosting

Christopher Schultz <chris@xxxxxxxxxxxxxxxxxxxxxx> · Tue, 14 Jun 2016 15:38:23 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Filipe,

On 6/14/16 3:15 PM, Filipe Cifali wrote:
> Your are probably hitting the wrong cert file, check with:
> 
> |openssl s_client -connect example.info:443
> <http://example.info:443>|
> 
> You can also try to disable the first SSL and check if you hit the
> right one after.

You may have to do this:

$ openssl s_client -connect ip_addr:443 -servername 'example.info'

This will allow you to connect to a local test machine and still tell
the server that you are trying to connect to example.info.

Rich,

Why are you using example.info instead of your actual domain name?

- -chris

> On Tue, Jun 14, 2016 at 4:08 PM, <rich.greder@xxxxxxxxxxxx 
> <mailto:rich.greder@xxxxxxxxxxxx>> wrote:
> 
> For some time, I have been hosting about 10 sites unencrypted.
> But since people other than just myself will be using my
> squirrelmail, I decided to encrypt my server.  I had delayed it
> simply because keys are too expensive to buy, but now I learned
> about LetsEncrypt.org and have been working in that direction.
> 
> So far, I moved two websites over to this server, example.com 
> <http://example.com> and example.info <http://example.info>.  My 
> first test of the LetsEncrypt software was of the form of:
> 
> # letsencrypt-auto -apache -d example.com <http://example.com>
> 
> but I ran into a caveat with www.example.com 
> <http://www.example.com> not being accepted.  I decided to re-run 
> with the other domain included as well, so I did the remaining
> three combinations:
> 
> #letsencrypt-auto -apache -d www.example.com 
> <http://www.example.com> -d example.info <http://example.info> -d 
> www.example.info <http://www.example.info>
> 
> The conf files for the sites are fairly straight-forward in my 
> mind.  There are four of them:
> 
> #/etc/apache2/sites-available/80-example.com
> <http://80-example.com> <IfModule mod_ssl.c> <VirtualHost *:80> 
> ServerAdmin webmaster@localhost DocumentRoot
> /var/www/example.com/public_html/ 
> <http://example.com/public_html/> ErrorLog
> ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log
> combined ServerName example.com <http://example.com> ServerAlias
> www.example.com <http://www.example.com> </VirtualHost> 
> </IfModule>
> 
> #/etc/apache2/sites-available/443-example.com
> <http://443-example.com> <IfModule mod_ssl.c> <VirtualHost *:443> 
> ServerAdmin webmaster@xxxxxxxxxxx <mailto:webmaster@xxxxxxxxxxx> 
> DocumentRoot /var/www/example.com/public_html/ 
> <http://example.com/public_html/> ErrorLog
> ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log
> combined SSLCertificateFile
> /etc/letsencrypt/live/example.com/fullchain.pem 
> <http://example.com/fullchain.pem> SSLCertificateKeyFile
> /etc/letsencrypt/live/example.com/privkey.pem 
> <http://example.com/privkey.pem> Include
> /etc/letsencrypt/options-ssl-apache.conf ServerName example.com
> <http://example.com> ServerAlias www.example.com
> <http://www.example.com> </VirtualHost> </IfModule>
> 
> #/etc/apache2/sites-available/80-example.info
> <http://80-example.info> <IfModule mod_ssl.c> <VirtualHost *:80> 
> ServerAdmin webmaster@localhost DocumentRoot
> /var/www/example.info/public_html/ 
> <http://example.info/public_html/> ErrorLog
> ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log
> combined ServerName example.info <http://example.info> ServerAlias
> www.example.info <http://www.example.info> </VirtualHost> 
> </IfModule>
> 
> #/etc/apache2/sites-available/443-example.info
> <http://443-example.info> <IfModule mod_ssl.c> <VirtualHost *:443> 
> ServerAdmin webmaster@xxxxxxxxxxxx <mailto:webmaster@xxxxxxxxxxxx> 
> DocumentRoot /var/www/example.info/public_html/ 
> <http://example.info/public_html/> ErrorLog
> ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log
> combined SSLCertificateFile
> /etc/letsencrypt/live/example.com/fullchain.pem 
> <http://example.com/fullchain.pem> SSLCertificateKeyFile
> /etc/letsencrypt/live/example.com/privkey.pem 
> <http://example.com/privkey.pem> Include
> /etc/letsencrypt/options-ssl-apache.conf ServerName example.info
> <http://example.info> ServerAlias www.example.info
> <http://www.example.info> </VirtualHost>
> 
> Notice that SSLCertificateFile and SSLCertificateKeyFile are the 
> same for both of the domains, because they use the same key of 
> example.com <http://example.com>.  The website, example.com 
> <http://example.com> works perfectly fine.  But example.info 
> <http://example.info> has serious problems (On the order of 
> NET::ERR_CERT_COMMON_NAME_INVALID).  Who has an idea on how to fix 
> this?  I can't experiment too much because I'm limited to 5 keys
> per week so learning this myself is a very slow-track process.
> 
> There are a number of HOWTO documents out there, but there is very 
> wide variance in their steps that I have little confidence in
> them, but have chosen one and decided to try at it.  Once I get
> this established, I promise to write a blog article explaining the 
> procedure a little bit better
> 
> 
> ---------------------------------------------------------------------
>
> 
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> <mailto:users-unsubscribe@xxxxxxxxxxxxxxxx> For additional
> commands, e-mail: users-help@xxxxxxxxxxxxxxxx 
> <mailto:users-help@xxxxxxxxxxxxxxxx>
> 
> 
> 
> 
> -- [ ]'s
> 
> Filipe Cifali Stangler
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAldgXS8ACgkQ9CaO5/Lv0PD/DwCgjrlhkWnRd0VUHCYCKAbuShCt
aH0AoMNTdBW/iXA5uLnvU0pBGBJ+XE6J
=rxov
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx