I’ve just finished a few hours of fun messing up a multi domain SSL certificate renewal. In the first draft of this entry I did not use the word mess, messing, or messery. I used another four letter word, but since then I’ve settled a bit and have come back and edited out the profanity. I managed to un-mess it today so in the interests of not performing the same messery at some point in the future here’s what I need to do next time.
- The Namecheap Multi-Domain PositiveSSL certificate requires you to have a certificate for the non-www and the www versions of a domain. In fact, it requires you to have one for each sub-domain of a parent domain you want to secure.
- If renewing the SSL certificate then you should generate a new CSR file. Make extra sure to use the non www version of the domain as the primary domain.
- Using the Namecheap HTTP DCV validation method is dead simple but make sure to read the instructions carefully as they can (and have) changed the folder they want the validation file uploaded to. It was just the root folder but just a few weeks later they wanted it in the ./well-known/pki-validation/ folder. What the?!
When a new certificate is issued make sure to upload the crt and ca-bundle file to the /etc/apache2/some-folder-name-date/ folder to keep it apart from your old certificate files. Don’t forget to put the server .key and .csr file there and then protect the lot with chmod 400
Using the Apache VirtualHost system requires the following sort of entry for a site:
<VirtualHost *:80> ServerAdmin firstname.lastname@example.org ServerName www.domain.com ServerAlias domain.com *.domain.com DocumentRoot /srv/www/public_html/ Redirect permanent / https://www.domain.com </VirtualHost> <VirtualHost *:443> SSLEngine On SSLCertificateFile /etc/apache2/ssl/domain-com-august-2017/some_file.crt SSLCertificateKeyFile /etc/apache2/ssl/domain-com-august-2017/server.key SSLCertificateChainFile /etc/apache2/ssl/domain-com-august-2017/some_file.ca-bundle ServerName www.domain.com ServerAdmin email@example.com ServerAlias domain.com *.domain.com DocumentRoot /srv/www/public_html/ ErrorLog /srv/www/domain-logs/error.log CustomLog /srv/www/domain-logs/access.log combined AddHandler cgi-script .cgi .pl </VirtualHost>
Now, I am not 100% sure if the ServerName/ServerAdmin/ServerAlias/DocumentRoot entries need to be duplicated. But until this point it’s never broken anything so no harm done. The key point of this is that because the SSL handshake is the very first thing that happens between a client the web-server you absolutely 100% need a SSL certicate for the www subdomain as well as the main domain. There’s no getting around it with redirects in .htaccess or any other such trickery.