How does one make LetsEncrypt secure the www subdomain properly?
Following along the tutorial for securing Apache on Ubuntu 14.04, I first created the certificate for the base domain, let's say, mydomain.com. This created an SSL config file at /etc/apache2/sites-available/mydomain.com-le-ssl.conf which linked to the SSL paths as below:
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/chain.pem
Later on, I created the SSL certificate for the www sub-domain by running the following command given in the tutorial:
certbot-auto --apache -d www.mydomain.com
Again, the SSL certificate was created fine. But, this is where the odd behaviour starts. Instead of creating a separate SSL config file for the www subdomain, LetsEncrypt rewrites the mydomain.com-le-ssl.conf with the following SSL paths:
SSLCertificateFile /etc/letsencrypt/live/www.mydomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.mydomain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/www.mydomain.com/chain.pem
Now, why is this a problem? Because it turns my canonical URL from https://mydomain.com to https://www.mydomain.com.
Additionally, trying to load https://www.mydomain.com throws an SSL error saying it belongs to the wrong domain.
In my Apache virtual host for the domain, I have the following redirect as per Apache documentation linked here:
ServerAdmin firstname.lastname@example.org
ServerName mydomain.com.com
ServerAlias www.mydomain.com
Redirect permanent "/" "https://mydomain.com/"
Does anyone here in the D.O community know why LetsEncrypt handles the www subdomain like this? It creates a proper sub-domain SSL config file for any other sub-domain (say, dev or test or whatever), but when it comes to the www sub-domain, it overwrites the paths in the main ssl config file.
I even tried creating a www.mydomain.com-le-ssl.conf file with the proper SSL paths and didn't get any error when restarting Apache, but the SSL errors in the browser persist when trying to load https://www.mydomain.com, where it should instead redirect to https://mydomain.com as per the Apache vhost redirect configuration.
I would very much appreciate any assistance that would throw some insight into this issue.
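An added example, not part of the original post: a Python check that compares the hostnames a vhost answers for with the names a certificate lists, which is the comparison a browser makes before reporting a wrong-domain error. The vhost text and the SAN lists are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample: an SSL vhost that answers for both names while pointing
# at the certificate that was issued for www.mydomain.com only.
SAMPLE_VHOST = """\
<VirtualHost *:443>
    ServerName mydomain.com
    ServerAlias www.mydomain.com
    SSLCertificateFile /etc/letsencrypt/live/www.mydomain.com/cert.pem
</VirtualHost>
"""

def vhost_names(conf):
    """Return ServerName/ServerAlias hostnames, lowercased, in file order."""
    names = []
    for line in conf.splitlines():
        m = re.match(r"(ServerName|ServerAlias)\s+(.+)$", line.strip(), re.I)
        if not m:
            continue
        for name in m.group(2).split():
            # ServerName may carry a scheme and a port; keep only the host.
            name = re.sub(r"^[a-z]+://", "", name.lower()).split(":")[0]
            name = name.rstrip(".")
            if name and name not in names:
                names.append(name)
    return names

def san_covers(san, host):
    """True if one certificate name (exact or '*.' wildcard) matches host."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        # A wildcard stands for exactly one leftmost label, so
        # *.mydomain.com matches www.mydomain.com but not mydomain.com.
        head, _, rest = host.partition(".")
        return bool(head) and rest == san[2:]
    return san == host

def uncovered_names(conf, cert_sans):
    """Hostnames the vhost serves that the certificate does not list."""
    return [h for h in vhost_names(conf)
            if not any(san_covers(s, h) for s in cert_sans)]

if __name__ == "__main__":
    # Constructed SAN lists: two single-name certificates, one certificate
    # holding both names, and a wildcard-only certificate.
    for sans in (["mydomain.com"], ["www.mydomain.com"],
                 ["mydomain.com", "www.mydomain.com"], ["*.mydomain.com"]):
        print(sans, "-> not covered:", uncovered_names(SAMPLE_VHOST, sans))
```

Certbot accepts several `-d` options in one run, which produces a single certificate listing every name given.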