
My domain is: www.nace.network

My web server is (include version): nginx version: nginx/1.15.8

The operating system my web server runs on is (include version): Ubuntu 14.04.6 LTS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Recently I was able to renew my certificate for my website. I can access it through www.nace.network, but when accessing my site without the "www" it sends me the "Warning: Potential Security Risk Ahead" alert. In what way could I fix it? This is the content of my nginx file:

server {
  listen 8080 default_server;
  listen [::]:8080 default_server ipv6only=on;
  server_name www.nace.network;
  root /home/ubuntu/nace/public; # could maybe change this to dummy location like /nul
  location / {
    return 301 https://$host$request_uri;
  } # location
} # server

server {
  listen [::]:443 ssl ipv6only=on; # managed by Certbot
  listen 443 ssl; # managed by Certbot
  server_name www.nace.network;
  passenger_enabled on;
  rails_env production;
  root /home/ubuntu/nace/public;
  # redirect server error pages to the static page /50x.html
  error_page 500 502 503 504 /50x.html;
  location / {
    deny 46.229.168.0;
    deny 51.68.152.0;
  } # location
  location = /50x.html {
    root html;
  } # location
  ssl_certificate /etc/letsencrypt/live/www.nace.network/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/www.nace.network/privkey.pem; # managed by Certbot

  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

} # server

At the time, I renewed the certificate with this command:

ubuntu@ip-112-33-0-224:~/letsencrypt$ sudo -H ./letsencrypt-auto certonly --standalone -d nace.network -d www.nace.network

and this was the result:

./letsencrypt-auto has insecure permissions!
To learn how to fix them, visit https://community.letsencrypt.org/t/certbot-auto-deployment-best-practices/91979/
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a release (2.7.7+) that supports hmac.compare_digest as soon as possible.
  utils.PersistentlyDeprecated2018,
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nace.network
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

I tried to combine the certificates with the command: certbot certonly -t -n --standalone --expand --rsa-key-size 4096 --agree-tos -d www.nace.network,nace.network

but it throws me the following:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Attempting to parse the version 0.39.0 renewal configuration file found at /etc/letsencrypt/renewal/www.nace.network.conf with version 0.31.0 of Certbot. This might not work.
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nace.network
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.
jeff
  • Your certificate contains only `www.nace.network` - it does not contain `nace.network`. Please check that there is no certificate inside `/etc/letsencrypt/live/nace.network` - if there is, then you may need to combine them. – IVO GELOV Nov 13 '19 at 15:28
  • @IVO GELOV ok, it seems that the files exist: root@ip-112-33-0-224:/etc/letsencrypt/live/nace.network# ls README cert.pem chain.pem fullchain.pem privkey.pem – jeff Nov 13 '19 at 15:44
  • You can try to combine them into a bigger full chain manually - but since they certainly have different private keys, I would recommend recreating the `www.nace.network` certificate to include both domain names - something like `certbot certonly -t -n --standalone --expand --rsa-key-size 4096 --agree-tos -d www.nace.network,nace.network` – IVO GELOV Nov 13 '19 at 15:51
  • @IVOGELOV I executed the command and I think it did not work; it seems that it is because port 80 is busy. I updated the post and pasted the complete result of the command so you can see it. – jeff Nov 13 '19 at 16:08
  • Well, you can then configure nginx for the `webroot` mode of Certbot by adding `location /.well-known/acme-challenge/ { root /var/www/challenges/; }` and making sure the folder exists and has proper ownership and permissions. But it would be easier for you to just redirect from the non-www to the www domain - as described by Tavanez below. – IVO GELOV Nov 14 '19 at 12:26

What names were configured on the cert?

Hi again, reviewing your configs I noticed that you do not have a server name without www.

You can follow this Nginx no-www to www and www to no-www

or simply edit the server name to the one without "www" and then redirect it to www.yourdomain.stuff

tavanez
  • At the time, I renewed the certificate with this command: sudo -H ./letsencrypt-auto certonly --standalone -d nace.network -d www.nace.network – jeff Nov 13 '19 at 15:22
  • Thanks for answering, so in my case should I have 4 server blocks? The two that I have for www.nace.network and two more for nace.network? – jeff Nov 13 '19 at 17:06
  • Hi jeff, no, only 2: one block with server_name www.nace.network and another with server_name nace.network, assuming that you will only be using https, which makes more sense to me. – tavanez Nov 13 '19 at 17:20
  • ok, I modified the second block to serve nace.network, but it still shows me the risk message when accessing nace.network. What else could I be missing? – jeff Nov 13 '19 at 17:27
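A corrected configuration, added here as an example and not the asker's or answerer's own: the bare domain gets its own HTTPS block that presents the separate certificate found under /etc/letsencrypt/live/nace.network (the browser validates that certificate before any redirect runs, which is why a redirect alone still warns), and the plain-HTTP block answers ACME http-01 requests from a webroot so renewals no longer need --standalone to bind port 80. It assumes HTTP for both hostnames reaches this nginx on 8080 as in the original, and that /var/www/challenges is a directory you create and make readable by nginx.

```nginx
# Plain HTTP (port 8080, as in the original): both hostnames land here.
# ACME http-01 requests are answered from the webroot; everything else is
# sent to the canonical https://www host.
server {
    listen 8080 default_server;
    listen [::]:8080 default_server ipv6only=on;
    server_name nace.network www.nace.network;

    location /.well-known/acme-challenge/ {
        root /var/www/challenges;  # assumed path: must exist, readable by nginx
    }
    location / {
        return 301 https://www.nace.network$request_uri;
    }
}

# HTTPS for the bare domain. The certificate presented here must be valid
# for nace.network, so this block uses the separate certificate the asker
# found under /etc/letsencrypt/live/nace.network.
server {
    listen 443 ssl;
    listen [::]:443 ssl;  # ipv6only may be set only once per port (www block below)
    server_name nace.network;

    ssl_certificate     /etc/letsencrypt/live/nace.network/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nace.network/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;

    return 301 https://www.nace.network$request_uri;
}

# HTTPS for the canonical host: the original application block, unchanged.
server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    server_name www.nace.network;

    ssl_certificate     /etc/letsencrypt/live/www.nace.network/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.nace.network/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;

    passenger_enabled on;
    rails_env production;
    root /home/ubuntu/nace/public;
    error_page 500 502 503 504 /50x.html;
    location / {
        deny 46.229.168.0;
        deny 51.68.152.0;
    }
    location = /50x.html { root html; }
}
```

Once both names reach this nginx, `certbot certonly --webroot -w /var/www/challenges --expand -d www.nace.network -d nace.network` issues a single certificate covering both, after which the bare-domain block can point at the same live directory as the www block.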