https://domain.com SSL error and it won't redirect to www unless I add an exception

Chazy Chaz asked:

I’ve created a Let’s Encrypt certificate for my domain using certbot. I’ve made sure to include www and some (needed) subdomains, so the certificate should be valid for non-www and www:

domain.com www.domain.com sub1.domain.com ...

But this is not the case: if I try to access https://domain.com it throws an SSL error.

In the certificate viewer (when accessing through www) I can see Common Name (CN) domain.com. The Certificate Subject Alt Name contains the non-www and www…

So I don’t understand why it gives this error:

domain.com uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
Error code: SEC_ERROR_UNKNOWN_ISSUER

I did generate a self-signed certificate, but for the default virtual host block (the one in httpd-ssl.conf); the other blocks are using the Let’s Encrypt certificate.

I also made sure to delete the Firefox cache.

I did add an exception, and now it redirects to https://www.domain.com every time I type https://domain.com.

I’m using Apache 2.4.23 and my vhosts config is as follows:

<VirtualHost *:80>
    ServerName domain.com
    Redirect permanent / https://www.domain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName domain.com:443
    Redirect permanent / https://www.domain.com:443/
</VirtualHost>

<VirtualHost *:PORT> # 80 and 443
    ServerAdmin webmaster@domain.com
    DocumentRoot "/srv/http/domain.com/www"
    ServerName www.domain.com:443
    Protocols h2 h2c

    <Directory "/srv/http/domain.com/www">
        Require all granted

        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteBase /
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteRule ^index.php$ - [L]
            RewriteRule . index.php [L]
        </IfModule>
    </Directory>

    <IfModule dir_module>
        DirectoryIndex index.php
    </IfModule>

    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/domain.com/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/domain.com/privkey.pem"
    Header always set Strict-Transport-Security "max-age=15768000"
    ErrorLog "/var/log/httpd/domain.com-ssl_error_log"
    CustomLog "/var/log/httpd/domain.com-ssl_access_log" common
    LogLevel debug
</VirtualHost>

My answer:


You are not serving the Let’s Encrypt certificate for requests to domain.com.

<VirtualHost *:443>
    ServerName domain.com:443
    Redirect permanent / https://www.domain.com:443/
</VirtualHost>

All of the relevant SSL directives are missing.

    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/domain.com/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/domain.com/privkey.pem"
    Header always set Strict-Transport-Security "max-age=15768000"
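The mechanism behind the answer: mod_ssl picks the `*:443` virtual host whose ServerName matches the SNI name the browser sends (here `domain.com`), and serves that vhost's certificate. Because that vhost has no SSLEngine or SSLCertificateFile directives, the handshake falls back to the default `*:443` vhost from httpd-ssl.conf, which carries the self-signed certificate, hence the SEC_ERROR_UNKNOWN_ISSUER warning before the 301 is ever seen. The following is an added example of the corrected redirect vhost, not the poster's or the answerer's config; it reuses the certbot paths and HSTS value from the question and assumes nothing else about the server:

```apache
# Added example: the domain.com:443 vhost with the TLS directives it was missing.
# The certificate paths are the certbot defaults quoted in the question.
<VirtualHost *:443>
    ServerName domain.com

    # Without these three lines the handshake is completed with the
    # default (self-signed) *:443 vhost's certificate, and the browser
    # never reaches the redirect below.
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/domain.com/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/domain.com/privkey.pem"

    # Same HSTS policy as the www vhost, so the 301 response is covered too.
    Header always set Strict-Transport-Security "max-age=15768000"

    # fullchain.pem lists domain.com in its SANs, so the redirect is now
    # served over a trusted connection.
    Redirect permanent / https://www.domain.com/
</VirtualHost>
```

After `apachectl configtest` and a reload, confirm which certificate each SNI name is served with, without involving a browser cache: `openssl s_client -connect domain.com:443 -servername domain.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer` should show the Let’s Encrypt issuer, and the same command with `-servername www.domain.com` should match. `apachectl -S` lists which vhost is the default for port 443 if the self-signed one still appears.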

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.