How does one make LetsEncrypt secure www subdomain properly?
Following along the tutorial for securing Apache on Ubuntu 14.04, I first created the certificate for the base domain, let’s say, mydomain.com. This created an SSL config file at /etc/apache2/sites-available/mydomain.com-le-ssl.conf which linked to the SSL paths as below:
SSLCertificateFile /etc/letsencrypt/live/**mydomain.com**/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/**mydomain.com**/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf SSLCertificateChainFile /etc/letsencrypt/live/**mydomain.com**/chain.pem
Later on, I created the SSL certificate for the www sub-domain by running the following command given in the tutorial:
certbot-auto --apache -d www.mydomain.com
Again, the SSL certificate was created fine. But, this is where the odd behaviour starts. Instead of creating a separate SSL config file for the www subdomain, LetsEncrypt rewrites the mydomain.com-le-ssl.conf with the following SSL paths:
SSLCertificateFile /etc/letsencrypt/live/**www.mydomain.com**/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/**www.mydomain.com**/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf SSLCertificateChainFile /etc/letsencrypt/live/**www.mydomain.com**/chain.pem
Now, why is this a problem? Because, it turns my canonical url from https://mydomain.com to https://www.mydomain.com
Additionally, trying to load https://www.mydomain.com throws an SSL error saying it belongs to the wrong domain.
In my Apache virtual host for the domain, I have the following redirect as per Apache documentation linked here:
ServerAdmin firstname.lastname@example.org ServerName mydomain.com.com ServerAlias www.mydomain.com Redirect permanent "/" "https://mydomain.com/"
Does anyone here in the D.O community know why LetsEncrypt handles the www subdomain like this? It creates a proper sub-domain SSL config file for any other sub-domain (say, dev or test or whatever), but when it comes to the www sub-domain, it overwrites the paths in the main ssl config file.
I even tried creating a www.mydomain.com-le-ssl.conf file with the proper SSL paths and didn’t get any error when restarting Apache, but the SSL errors in the browser persist when trying to load https://www.mydomain.com, where it should instead redirect to https://mydomain.com as per the Apache vhost redirect configuration.
I would very much appreciate any assistance that would throw some insight into this issue.
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.×