How does one make LetsEncrypt secure www subdomain properly?

Posted February 24, 2017 19.3k views

Following along the tutorial for securing Apache on Ubuntu 14.04, I first created the certificate for the base domain, let’s say, This created an SSL config file at /etc/apache2/sites-available/ which linked to the SSL paths as below:

SSLCertificateFile /etc/letsencrypt/live/****/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/****/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/****/chain.pem

Later on, I created the SSL certificate for the www sub-domain by running the following command given in the tutorial:

certbot-auto --apache -d

Again, the SSL certificate was created fine. But, this is where the odd behaviour starts. Instead of creating a separate SSL config file for the www subdomain, LetsEncrypt rewrites the with the following SSL paths:

SSLCertificateFile /etc/letsencrypt/live/****/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/****/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/****/chain.pem

Now, why is this a problem? Because it turns my canonical URL from to

Additionally, trying to load throws an SSL error saying it belongs to the wrong domain.

In my Apache virtual host for the domain, I have the following redirect as per Apache documentation linked here:

 Redirect permanent "/" ""

Does anyone here in the D.O community know why LetsEncrypt handles the www subdomain like this? It creates a proper sub-domain SSL config file for any other sub-domain (say, dev or test or whatever), but when it comes to the www sub-domain, it overwrites the paths in the main ssl config file.

I even tried creating a file with the proper SSL paths and didn’t get any error when restarting Apache, but the SSL errors in the browser persist when trying to load, where it should instead redirect to as per the Apache vhost redirect configuration.

I would very much appreciate any assistance that would throw some insight into this issue.

3 answers


Ideally, when you create a certificate using LetsEncrypt, you want to pass them both at the same time.


-d -d

Using the above, regardless of whether you’re using www or another sub, should work without any issues and prevent any potential errors or conflicts in the configuration.

You can always delete the existing configuration and SSL certificates and start over using the above without any issues as long as the DNS is working properly.

You can also extend that as needed:

-d -d -d -d
  • Thanks for your suggestions. I was thinking the same thing - that I should have passed both and at the same time

    I will go ahead and try deleting the existing configuration - just to be sure, does this mean I should delete the ssl configuration file and the two directories (one for and another for where LetsEncrypt stores the keys and the certs?

    Looking around on the web, it appears that LetsEncrypt stores the cert related info in many places and hard deleting may not be the best approach, although LetsEncrypt doesn’t seem to provide any other elegant way to ‘cleanly’ remove everything related to a cert.

    Or, would the hard delete (SSL conf file and the SSL-related directories) be okay, in your opinion and experience?
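The symptom in the question (the browser's wrong-domain error on the www name) and the fix in the answer above (one certificate requested with both names) can be checked mechanically. The script below is an added example, not code from the thread or from certbot: it parses the *:443 vhosts, reads which /etc/letsencrypt/live/<lineage>/ directory each one references, and lists every ServerName or ServerAlias that the lineage's SAN list does not cover. The vhost text, the example.test names and the per-lineage SAN lists are constructed; the SAN mapping stands in for what `certbot certificates` reports on a real host.

```python
import re

# Constructed sample (placeholder domains): both :443 vhosts reference the apex lineage.
SAMPLE_VHOSTS = """
<VirtualHost *:443>
    ServerName example.test
    SSLCertificateFile /etc/letsencrypt/live/example.test/cert.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.test
    SSLCertificateFile /etc/letsencrypt/live/example.test/cert.pem
</VirtualHost>
"""

# Constructed SAN lists: a cert issued with a single -d versus one issued with -d apex -d www.
SANS_SINGLE_NAME = {"example.test": ["example.test"]}
SANS_BOTH_NAMES = {"example.test": ["example.test", "www.example.test"]}

VHOST_RE = re.compile(r"<VirtualHost[^>]*:443>(.*?)</VirtualHost>", re.S)

def san_matches(san, host):
    """Exact match, or a single leftmost wildcard label (RFC 6125 rules)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if san.startswith("*.") and "." in host:
        return host.split(".", 1)[1] == san[2:]
    return False

def parse_tls_vhosts(config_text):
    """Return [(names, lineage)] for every *:443 vhost in the config text."""
    vhosts = []
    for body in VHOST_RE.findall(config_text):
        names = re.findall(r"^\s*ServerName\s+(\S+)", body, re.M)
        for aliases in re.findall(r"^\s*ServerAlias\s+(.+)$", body, re.M):
            names.extend(aliases.split())
        m = re.search(r"^\s*SSLCertificateFile\s+/etc/letsencrypt/live/([^/\s]+)/", body, re.M)
        vhosts.append((names, m.group(1) if m else None))
    return vhosts

def uncovered_names(config_text, lineage_sans):
    """Names the browser would reject as the wrong domain: (name, lineage) pairs."""
    problems = []
    for names, lineage in parse_tls_vhosts(config_text):
        sans = lineage_sans.get(lineage, [])
        for name in names:
            if not any(san_matches(san, name) for san in sans):
                problems.append((name, lineage))
    return problems
```

With the single-name SAN list the www vhost is reported as uncovered; with both names in the lineage the list is empty, which is the state the answer's command produces.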


From what I can see, you need to make sure you remove the configuration from these directories:


Don’t actually delete those directories; rather, cd into them and remove the domain configuration as needed, then run the command passing both to create new configuration files.

Looking over the options, the only other option I see is using revoke, though in the past, when and if an error pops up, I’ve always removed the configuration and started fresh.

  • Thank you for taking the time and effort to respond in detail.

    I will try removing the domain configuration and then run the command again, passing both the domains at the same time.

  • Following through on your instructions to remove the configuration files, I changed to the directories you suggested and deleted all the domain specific configuration files.

    However, I also noticed the following configuration files relating to SSL in the Apache ‘sites-available’ folder:

    • /etc/apache2/sites-available/
    • /etc/apache2/sites-available/

    Should these be removed, too, before attempting a fresh install of LetsEncrypt certs for the domains? I checked the files and they have the same content as the Apache virtual host configuration files (apart from If Mod_ssl and Port 443), with the following lines appended:

    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/

    Thanks in advance.

@jtittle1 Thank you, this worked well for RHEL 7.6