I am trying to set up a wildcard certificate using Let's Encrypt on an Ubuntu 18.04 server running apache2, for the domain abc.def.com (not the real domain name) and all subdomains (*.abc.def.com).
I have succeeded in generating the certificate manually using the following command:
certbot certonly --manual -d abc.def.com -d *.abc.def.com
I followed the directions, created a TXT record for the abc.def.com domain, etc. and received confirmation that the certificate was successfully created and saved in /etc/letsencrypt/live/
I modified the site's /etc/apache2/sites-enabled/001-abcsite-le-ssl.conf to ensure it referenced the new certificates in /etc/letsencrypt/live as follows:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName abc.def.com
ServerAdmin [email protected]
DocumentRoot /var/www/abc
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/abc.def.net-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/abc.def.net-0001/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
I restarted apache2 and confirmed no errors reported.
service apache2 restart
Now, when I attempt to access https://abc.def.com I get an SSL_ERROR_BAD_CERT_DOMAIN error, stating "This certificate is only valid for *.abc.def.com".
I don't understand why, since I included options for both abc.def.com and *.abc.def.com in the certbot request.
I then tried including the non-wildcard certificate I had previously generated, which only applies to abc.def.com, as another set of SSLCertificateFile and SSLCertificateKeyFile directives in the VirtualHost config file, but it doesn't make any difference.
What am I doing wrong?
UPDATE: I was able to force it to work using both certificates by setting up two VirtualHost sections as follows. But there must be something wrong with the wildcard cert if it doesn't cover the root name also, right?
<VirtualHost *:443>
ServerName abc.def.com
ServerAdmin [email protected]
DocumentRoot /var/www/abc
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/abc.def.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/abc.def.net/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
<VirtualHost *:443>
ServerName localhost.abc.def.com
ServerAlias *.abc.def.com
ServerAdmin [email protected]
DocumentRoot /var/www/abc
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/abc.def.net-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/abc.def.net-0001/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
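The symptom in the question is what a certificate whose only name is *.abc.def.com produces: a wildcard matches exactly one leftmost label, so it covers www.abc.def.com but not the apex abc.def.com. The quickest check is to read the subjectAltName list out of the fullchain.pem each VirtualHost actually points at and test each ServerName against it. The following is an added example, not code from the question or from certbot; it assumes the openssl CLI (1.1.1 or newer, as on Ubuntu 18.04) is installed, and the embedded SAN dump is constructed sample output.

```python
import re
import subprocess

# Constructed sample of what
#   openssl x509 -in fullchain.pem -noout -ext subjectAltName
# prints for a certificate that really contains both requested names.
SAMPLE_SAN_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:abc.def.com, DNS:*.abc.def.com
"""


def parse_san_dns(openssl_output: str) -> list[str]:
    """Extract the DNS: entries from openssl's subjectAltName dump."""
    return [m.lower() for m in re.findall(r"DNS:([^\s,]+)", openssl_output)]


def name_matches(hostname: str, san: str) -> bool:
    """RFC 6125 style comparison: a wildcard covers exactly one leftmost
    label, so '*.abc.def.com' matches 'www.abc.def.com' but neither the
    apex 'abc.def.com' nor the deeper 'a.b.abc.def.com'."""
    hostname = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if not san.startswith("*."):
        return hostname == san
    suffix = san[1:]  # ".abc.def.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def covered_names(hostnames, sans) -> dict:
    """Map each vhost name to the SAN entry that covers it, or None."""
    return {h: next((s for s in sans if name_matches(h, s)), None) for h in hostnames}


def san_from_pem(path: str) -> list[str]:
    """Read the SAN list from a real PEM file via the openssl CLI."""
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-ext", "subjectAltName"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_san_dns(out)


if __name__ == "__main__":
    sans = parse_san_dns(SAMPLE_SAN_OUTPUT)
    names = ["abc.def.com", "www.abc.def.com", "a.b.abc.def.com"]
    for host, by in covered_names(names, sans).items():
        print(f"{host:18} -> {by or 'NOT COVERED'}")
```

Running san_from_pem() against each lineage under /etc/letsencrypt/live (the plain one and the -0001 one from the question) shows which file holds both names and which holds only the wildcard.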
That doesn't look like the correct way to use -d: it should be -d abc.def.com,*.abc.def.com