[SOLVED] Letsencrypt for websites

If I am using MIAB DNS and hosting websites on an external server, should I install and generate certs on the external server or let MIAB handle it? If the former, how do I ‘turn off’ or remove auto-generated certs on MIAB so as to not create a conflict?

Thank you in advance!

As soon as you add the custom DNS A record(s) pointing to your external website server(s) IP address(es), it (they) will exclude the Let’s Encrypt certificates from being managed within MiaB; then you will need to handle the certificates for this (those) website(s) directly in your web server(s).

Thank you. Should I also create entries then in MIAB’s custom DNS for ‘www’ domain-name.tld?

Yes! At least 2 A records per domain, as follows:

domain1.tld A 123.45.67.89
www.domain1.tld A 123.45.67.89
  • Where 123.45.67.89 is your web server IP address

It’s been touched on in a previous comment but for those looking for just a simple step by step for external hosting:

  1. Create 2 A records: one for @ (just the domain) and one for www, both pointing to your external host.
  2. Install certbot (or other certificate manager of choice) on the external host.
  3. Run certbot (or other certificate manager of choice) according to its documentation. (In most cases, this is just certbot.)
  4. Profit from free SSL.

OK, I believe I have created a problem. I added a domain here and originally I was going to host the website on MIAB. I changed my mind and have pointed the A record for the domain to an external site. I created and installed a Let’s Encrypt cert on the external web server. Now when I browse the site using https I get a NET::ERR_CERT_COMMON_NAME_INVALID error. I flushed my browser and no change. I believe these are clashing certs. How can I resolve this problem please?

If you will supply your hostname I could take a peek and see what is going on. Feel free to PM it to me if you desire.

I’m not sure what the problem is, but because there are some similar questions I wanted to just note:

There isn’t such a thing as clashing HTTPS certificates. Two servers can provision entirely different HTTPS certificates for the same domain and they will both work.

https://saveoursoil.us
https://mitigation.com

Could the problem be at Let’s Encrypt where they have two sets of certs for the same website? Would the problem be solved if I migrated the MIAB cert to overwrite those generated separately via certbot on the external web server?

No, it really doesn’t matter. Once a certificate is issued, it’s valid. And if you provision a different one, it’s valid too.

Hmmm, so what the devil is going on? I don’t believe it’s a browser issue as I’ve purged and tested the big three. They all generate errors. The support at Let’s Encrypt was not at all helpful.

Your domain is not valid, that’s probably why, unless this webpage is done by you specifically?

For saveoursoil.us, you are 100% using the wrong certificate.

Cert in use: www.saveoursoil.us
Cert that should be in use: saveoursoil.us OR *.saveoursoil.us

Reissue the certificate using only the domain name, NOT with “www” at the beginning, and you will be all set.

Multiple issues are going on here …

The certificates for BOTH domains are issued to www.domain.com, not to the root domain. It would be normal for each certificate to be issued to the root domain as well as www, so IMHO both certificates need to be reissued.

Additionally, www.saveoursoul.us is being redirected by your webserver to the root domain, so if I attempt to visit www.saveoursoul.us, I am redirected to saveoursoul.us which does not have a certificate as noted above.

Alento,

Thank you for looking into this. Are you familiar with certbot --apache? The command generates an enumerated list listing each web server by domain name, one with and one without ‘www’. So I assumed I was to generate certs for both and did so. The odd thing is that some of the web servers are working without issue (with and without www), but these two are not.

I’m still confused 🙁

When you generate the cert with certbot, it will give you a list of domains and assign a number to each potential subdomain. You then need to enter the numbers identifying the subdomains each certificate is to be issued for … so

1 domain.com
2 www.domain.com
3 mitigation.com
4 www.mitigation.com
5 saveoursoul.us
6 www.saveoursoul.us

So when generating the first certificate, you would enter: 3 4, which will generate a certificate for both subdomains. You will reference that certificate in your vHost file for that domain. You mentioned that you issued certificates for both domains; I am interpreting that to mean you issued 2 certificates. Your vHost file can only reference one certificate. I guess you chose the wrong certificate for these two vHosts.

I suspect that you only entered 4 for the certificate that you are actually using.

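The mismatch described above (a certificate issued only to the www name, served for the root domain) is exactly what a browser detects before showing NET::ERR_CERT_COMMON_NAME_INVALID. The following is an added example, not code from the thread: it implements the hostname-to-SAN comparison browsers perform, including the wildcard case, and a helper that pulls the SAN list from a live server so you can see which names the certificate you actually deployed covers. The domain example.tld and both SAN lists are constructed stand-ins for the domains in the thread.

```python
# Added example (not from the thread): check whether a certificate's names
# cover the hostname a browser asked for.
import socket
import ssl


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate DNS name against a hostname.

    Exact match, or a single leftmost '*' label that stands for exactly one
    label; a wildcard therefore never covers the apex domain itself.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # "*.example.tld" -> ".example.tld"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]       # the part the '*' would stand for
    return bool(leftmost) and "." not in leftmost


def cert_covers(san_names: list[str], hostname: str) -> bool:
    """True if any subjectAltName DNS entry covers the requested hostname."""
    return any(name_matches(name, hostname) for name in san_names)


def fetch_san_names(hostname: str, port: int = 443) -> list[str]:
    """Return the DNS names from the certificate a live server presents.

    Hostname checking is switched off so a mismatched certificate can still be
    inspected; chain validation stays on, so getpeercert() returns the parsed
    certificate instead of an empty dict. Needs network access.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed SAN lists mirroring the two situations in the thread.
WWW_ONLY_CERT = ["www.example.tld"]                   # certbot answered with "4" only
BOTH_NAMES_CERT = ["example.tld", "www.example.tld"]  # certbot answered with "3 4"

if __name__ == "__main__":
    for san in (WWW_ONLY_CERT, BOTH_NAMES_CERT):
        for host in ("example.tld", "www.example.tld"):
            print(san, host, "OK" if cert_covers(san, host) else "COMMON_NAME_INVALID")
```

Running `cert_covers(fetch_san_names("your.domain"), "your.domain")` against the deployed site tells you whether the vHost is pointing at the right certificate before you reissue anything.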

@christian7 set the ServerName variable in your apache sites-enabled config of choice to the root domain of choice, then just run certbot on its own. It will automatically detect your apache installation and the site name for each site hosted, then just run through each one by one; it will list it all in a nice menu and it will walk you through it all.

I’d also like to point out, using www is no longer necessary for most websites these days. It was used to determine what was hosted there, but if you just have web hosting (and email is elsewhere) you can omit using www. It’s old and not really needed these days. You can avoid provisioning a cert for it by just having www.* redirect to the SSL non-www site instead for users still trying to use it.

Which it looks like what is happening in this case, but the wrong certificate most likely was used if the OP did indeed “…generate certs for both.”

I fixed it. The enumerated list script screwed things up. At the command line I just did

certbot --apache -d domainname.tld -d www.domainname.tld --preferred-challenges http

thanks everybody!
