I've set up a subdomain sm.webscraping.pro working through HTTP (CentOS 7). Yet as for HTTPS, https:// returns the main domain content (webscraping.pro) instead.
Any suggestion how to plug in another SSL cert for subdomain and set up https?
Note: The present SSL certificate pertaining to the domain cannot be used for both the domain and its subdomains at the same time.
Update (browser does not recognize SSL certificates)
1) I've followed @Alex's suggestion to use dehydrated. Following the tutorial, I eventually got smoothly through all the steps, and the certs are in the certs folder.
See the dehydrated folder content:
[root@webscraping dehydrated]# tree .
.
├── accounts
│ ├── aHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvZGlyZWN0b3J5Cg
│ │ ├── account_id.json
│ │ ├── account_key.pem
│ │ └── registration_info.json
│ ├── aHR0cHM6Ly9hY21lLXN0YWdpbmcuYXBpLmxldHNlbmNyeXB0Lm9yZy9kaXJlY3RvcnkK
│ ├── aHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo -> aHR0cHM6Ly9hY21lLXYwMS5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo
│ ├── aHR0cHM6Ly9hY21lLXYwMjIuYXBpLmxldHNlbmNyeXB0Lm9yZy9kaXJlY3RvcnkK
│ └── aHR0cHM6Ly9hY21lLXYwMS5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo
│ ├── account_id.json
│ ├── account_key.pem
│ └── registration_info.json
├── aHR0cHM6Ly9hY21lLXYwMS5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo
├── archive
├── certs
│ └── sm.webscraping.pro
│ ├── cert-1637096617.csr
│ ├── cert-1637096617.pem
│ ├── cert.csr -> cert-1637096617.csr
│ ├── cert.pem -> cert-1637096617.pem
│ ├── chain-1637096617.pem
│ ├── chain.pem -> chain-1637096617.pem
│ ├── fullchain-1637096617.pem
│ ├── fullchain.pem -> fullchain-1637096617.pem
│ ├── privkey-1637096617.pem
│ └── privkey.pem -> privkey-1637096617.pem
├── chains
├── conf.d
│ └── local.sh
├── config
├── domains.txt
├── hook.d
└── hook.sh
2) I've modified the httpd.conf file to refer to the certificate files:
...
<VirtualHost *:80>
DocumentRoot /home/admin/web/sm.webscraping.pro/public_html/public
ServerName sm.webscraping.pro
</VirtualHost>
<VirtualHost *:443>
ServerName sm.webscraping.pro
DocumentRoot /home/admin/web/sm.webscraping.pro/public_html/public
SSLEngine On
SSLCertificateFile /etc/dehydrated/certs/sm.webscraping.pro/cert.pem
SSLCertificateKeyFile /etc/dehydrated/certs/sm.webscraping.pro/privkey.pem
SSLCertificateChainFile /etc/dehydrated/certs/sm.webscraping.pro/fullchain.pem
</VirtualHost>
3) Restarted Apache:
service httpd restart
Yet there are 2 problems remaining:
- A browser treats https://sm.webscraping.pro as an insecure resource.
- Besides, the sm.webscraping.pro returns the content of the main domain.
:-(
What might be wrong?
Any way to fix?
Update 2 - browser seems to check the main domain certificate against sm.webscraping.pro
When I checked sm.webscraping.pro with an online SSL check tool, it returned the info of the main domain certificate:
Note: in this check result: None of the common names in the certificate match the name that was entered (sm.webscraping.pro).
There is seemingly a conflict between the certificate of the official SSL issuing authority (CA) and the certificate of ACME "Automatic Certificate Management Environment"... How to resolve it to make both work?
sm.webscraping.pro resolves to 185.221.154.249
Server Type: nginx
The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).
The certificate was issued by Sectigo.
The certificate will expire in 323 days.
None of the common names in the certificate match the name that was entered (sm.webscraping.pro). You may receive an error when accessing this site in a web browser. Learn more about name mismatch errors.
Server
Common name: webscraping.pro
SANs: webscraping.pro, www.webscraping.pro
Valid from September 5, 2021 to October 6, 2022
Serial Number: fbab39085b740febae1e9cba4cee3dd8
Signature Algorithm: sha256WithRSAEncryption
Issuer: Sectigo RSA Domain Validation Secure Server CA
Chain
Common name: Sectigo RSA Domain Validation Secure Server CA
Organization: Sectigo Limited
Location: Salford, Greater Manchester, GB
Valid from November 1, 2018 to December 31, 2030
Serial Number: 7d5b5126b476ba11db74160bbc530da7
Signature Algorithm: sha384WithRSAEncryption
Issuer: USERTrust RSA Certification Authority
Update 3 - the present VirtualHost configuration
185.221.154.249:8443 is a NameVirtualHost
default server webscraping.pro (/home/admin/conf/web/webscraping.pro.httpd.ssl.conf:1)
port 8443 namevhost webscraping.pro (/home/admin/conf/web/webscraping.pro.httpd.ssl.conf:1)
alias www.webscraping.pro
port 8443 namevhost programs.educamatch.com (/home/admin/conf/web/programs.educamatch.com.httpd.ssl.conf:1)
alias www.programs.educamatch.com
185.221.154.249:8080 is a NameVirtualHost
default server webscraping.pro (/home/admin/conf/web/webscraping.pro.httpd.conf:1)
port 8080 namevhost webscraping.pro (/home/admin/conf/web/webscraping.pro.httpd.conf:1)
alias www.webscraping.pro
port 8080 namevhost programs.educamatch.com (/home/admin/conf/web/programs.educamatch.com.httpd.conf:1)
alias www.programs.educamatch.com
port 8080 namevhost testing-ground.webscraping.pro (/home/admin/conf/web/testing-ground.webscraping.pro.httpd.conf:1)
alias www.testing-ground.webscraping.pro
port 8080 namevhost test.webscraping.pro (/home/admin/conf/web/test.webscraping.pro.httpd.conf:1)
alias www.test.webscraping.pro
port 8080 namevhost sm.webscraping.pro (/home/admin/conf/web/sm.webscraping.pro.httpd.conf:1)
*:80 is a NameVirtualHost
default server sm.webscraping.pro (/etc/httpd/conf/httpd.conf:59)
port 80 namevhost sm.webscraping.pro (/etc/httpd/conf/httpd.conf:59)
port 80 namevhost sm.webscraping.pro (/etc/httpd/conf/httpd.conf:59)
*:443 is a NameVirtualHost
default server sm.webscraping.pro (/etc/httpd/conf/httpd.conf:71)
port 443 namevhost sm.webscraping.pro (/etc/httpd/conf/httpd.conf:71)
port 443 namevhost sm.webscraping.pro (/etc/httpd/conf/httpd.conf:71)
Update 4
In the /home/admin/conf/web/ I've found the following:
nginx.programs.educamatch.com.conf_letsencrypt ssl.programs.educamatch.com.pem
nginx.sm.webscraping.pro.conf_letsencrypt ssl.webscraping.pro.ca
nginx.webscraping.pro.conf_letsencrypt ssl.webscraping.pro.crt
programs.educamatch.com.httpd.conf ssl.webscraping.pro.key
programs.educamatch.com.httpd.ssl.conf ssl.webscraping.pro.pem
programs.educamatch.com.nginx.conf testing-ground.webscraping.pro.httpd.conf
programs.educamatch.com.nginx.ssl.conf testing-ground.webscraping.pro.nginx.conf
sm.webscraping.pro.httpd.conf test.webscraping.pro.httpd.conf
sm.webscraping.pro.nginx.conf test.webscraping.pro.nginx.conf
sm.webscraping.pro.snginx.conf webalizer.webscraping.pro.conf
snginx.programs.educamatch.com.conf_letsencrypt webscraping.pro.auth
snginx.sm.webscraping.pro.conf_letsencrypt webscraping.pro.httpd.conf
snginx.webscraping.pro.conf_letsencrypt webscraping.pro.httpd.ssl.conf
ssl.programs.educamatch.com.ca webscraping.pro.nginx.conf
ssl.programs.educamatch.com.crt webscraping.pro.nginx.ssl.conf
ssl.programs.educamatch.com.key
Probably generated by VestaCP.
Should I put the generated Let's Encrypt certificates into here?
Update 5
For the main domain I have the following (used by Vesta) files in /home/admin/conf/web:
ssl.webscraping.pro.ca
ssl.webscraping.pro.crt
ssl.webscraping.pro.key
ssl.webscraping.pro.pem
While the files generated by dehydrated for the subdomain are only these in /etc/dehydrated/certs/sm.webscraping.pro:
cert-1637096617.csr
cert-1637096617.pem
cert.csr
cert.pem
chain-1637096617.pem
chain.pem
fullchain-1637096617.pem
fullchain.pem
privkey-1637096617.pem
privkey.pem
How to correctly map them for the .ca, .crt, .key and .pem files into the /home/admin/conf/web folder?
Update 6
Following @Alex's comment I've copied fullchain-xxx.pem into ssl.sm.webscraping.pro.crt and privkey-xxx.pem into ssl.sm.webscraping.pro.key into the /home/admin/conf/web directory. Then I've added them as the certificate and the certificate key accordingly in Vesta CP (in the SSL section of the WEB tab for the sm.webscraping.pro domain). See image below:
Yet still no evidence of SSL working:
Any way out ?
Update 7
I've updated VestaCP and followed to add cert from CP using Let's Encrypt. Seemingly a positive result:
Yet still problem with identifying SSL:
Why is that? Any suggestion of when the SSL cert is spread throughout the web ?
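The name mismatch reported in Update 2, as an added example that is not part of the original post: it applies the hostname-matching rules browsers use (exact dNSName match, or a wildcard standing for exactly one leftmost label) to the SAN list the check tool returned. `SERVED_SANS` is copied from that check result; `SUBDOMAIN_SANS` and `WILDCARD_SANS` are assumed values for comparison, and all function names are hypothetical.

```python
# Added example: why a certificate for webscraping.pro / www.webscraping.pro
# produces a name mismatch when it is served for sm.webscraping.pro.

SERVED_SANS = ["webscraping.pro", "www.webscraping.pro"]  # from the check result
SUBDOMAIN_SANS = ["sm.webscraping.pro"]    # assumed SAN of the dehydrated cert
WILDCARD_SANS = ["*.webscraping.pro"]      # constructed, for comparison only


def _labels(name):
    """Lower-case DNS labels, ignoring a trailing root dot."""
    return name.rstrip(".").lower().split(".")


def san_matches(hostname, san):
    """True if a single dNSName SAN entry covers hostname."""
    host, pattern = _labels(hostname), _labels(san)
    if len(host) != len(pattern):
        return False  # a wildcard never spans zero or several labels
    if pattern[0] == "*":
        if len(pattern) < 3:
            return False  # reject overly broad patterns such as *.pro
        return host[1:] == pattern[1:]
    # Wildcards anywhere else are treated as literals and will not match.
    return host == pattern


def covering_sans(hostname, sans):
    """SAN entries in the certificate that cover hostname (may be empty)."""
    return [san for san in sans if san_matches(hostname, san)]


def report(hostname, sans):
    """One-line verdict comparable to the online checker's message."""
    hits = covering_sans(hostname, sans)
    if hits:
        return f"{hostname}: covered by {', '.join(hits)}"
    return f"{hostname}: name mismatch, certificate lists {', '.join(sans)}"


if __name__ == "__main__":
    for sans in (SERVED_SANS, SUBDOMAIN_SANS, WILDCARD_SANS):
        print(report("sm.webscraping.pro", sans))
```

A mismatch against `SERVED_SANS` says the listener answering on port 443 presented the main domain's certificate for this name, so the place to look is that listener's certificate configuration for sm.webscraping.pro.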
sm.webscraping.pro and add it into web server configuration, then TLD will run on existing one and subdomain on another SSL certificate. You can use dehydrated bash script from your CentOS host directly to get SSL certificate
dehydrated, yet not much luck. Could you see the Update section and respond?
fullchain.pem is symlink to the latest obtained certificate, the same is with private.pem, so you need ls -la to find where it point to and copy fullchain-xxxxx.pem to sm.webscraping.pro.crt and sm.webscraping.pro.key to /home/admin/conf/web then add it from CP to appropriate subdomain