Let's Encrypt SAN SSL and subdomains

Discussion in 'Installation/Configuration' started by tfboy, Sep 7, 2021.

  1. tfboy

    tfboy Member

I've just noticed the warning in my server's logs "server certificate does NOT include an ID which matches the server name". Now looking at the Apache vhost files, I can see that I have a ServerName which is "domain.com" and a ServerAlias which is "www.domain.com". I guess this is correct as the ServerName is derived from the entry in the Sites page, and as I ticked WWW in auto-subdomain, ISPC has created the alias.
    The problem I think is that LE only seems to create a certificate for www.domain.com. The certificate DOES have a SAN, but it's ALSO www.domain.com and there's no mention of just domain.com.
    I haven't noticed the problem before because my main site is always www.domain.com.

    It's mainly cosmetic, but probably an easy fix. But how do I get LE to have just "domain.com" as the main / Apache ServerName and then add "www.domain.com" as a SAN to match the Apache ServerAlias?

For some reason, I have several sites / domains with this issue, but not all of them! The directory listings in /etc/letsencrypt/live have some with just domain.com and others with www.domain.com. Surely, this should be consistent across the board?
  2. ahrasis

    ahrasis Well-Known Member

For www, it should be automatically added to the main domain if you select it as a subdomain and then select LE SSL.

However, the server FQDN is the one that is not added to the domain. Anyone who wants this may need to modify the ISPConfig code for creating LE certs.
  3. tfboy

    tfboy Member

    I'm going through removing SSL, removing the auto subdomain, recreating LE SSL then recreating subdomain. This seems to work, just a bit time-consuming :)
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The SSL cert of a site contains all domains and subdomains that belong to that site and the auto subdomain too. If you have some SSL certs with www in the name, then you either entered www.domain.tld in the domain field of a site, instead of just 'domain.tld' with auto subdomain set to 'www', or domain.tld did not point to the server in DNS, in this case, it has to be skipped as LE won't issue a cert otherwise.
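A way to check a site for the mismatch discussed in this thread (an added example, not code from the thread or from ISPConfig): it compares the ServerName and ServerAlias entries of a vhost with the DNS SANs printed by `openssl x509 -noout -text -in /etc/letsencrypt/live/<site>/cert.pem`. The vhost snippet and the SAN line below are constructed sample input.

```python
import re

# Constructed sample input (not from the thread): the relevant lines of an
# Apache vhost and the SAN section as printed by `openssl x509 -noout -text`.
VHOST_CONF = """
<VirtualHost *:443>
    ServerName domain.com
    ServerAlias www.domain.com
    SSLCertificateFile /etc/letsencrypt/live/www.domain.com/fullchain.pem
</VirtualHost>
"""
OPENSSL_TEXT = """
            X509v3 Subject Alternative Name:
                DNS:www.domain.com
"""

def vhost_names(conf):
    """Return ServerName plus every ServerAlias in the vhost, lowercased,
    with any scheme:// prefix or :port suffix stripped."""
    names = []
    for m in re.finditer(r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", conf, re.M | re.I):
        for n in m.group(1).split():
            names.append(n.lower().split("://")[-1].split(":")[0])
    return names

def cert_sans(openssl_text):
    """Extract the DNS entries of the Subject Alternative Name extension."""
    return [s.lower() for s in re.findall(r"DNS:([^,\s]+)", openssl_text)]

def san_matches(host, san):
    """RFC 6125-style match: exact name, or a wildcard covering exactly one
    leftmost label (so *.domain.com covers www.domain.com, not domain.com)."""
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return host == san

def missing_names(conf, openssl_text):
    """Names Apache answers for that the certificate does not cover; a
    non-empty result is what triggers the 'does NOT include an ID' warning."""
    sans = cert_sans(openssl_text)
    return [n for n in vhost_names(conf) if not any(san_matches(n, s) for s in sans)]

if __name__ == "__main__":
    for name in missing_names(VHOST_CONF, OPENSSL_TEXT):
        print(f"not covered by certificate: {name}")
```

Run it against each vhost under /etc/apache2/sites-enabled together with the matching cert.pem; an empty result for every site means the ServerName and all aliases are in the SAN list.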
