Fix so Let's Encrypt works with www

Question

Firefox does not trust this site since it uses a certifcate which is not valid for www.example.com. Certificate is only valid for example.com.

Error code: SSL_ERROR_BAD_CERT_DOMAIN

I'm using Let's Encrypt on Ubuntu 16, Apache httpd.

How do I add so it also works for www? Some conf in Apache I guess?

Cant find anything about it.

Answer 1

Assuming you have installed certbot (docs for your version of Ubuntu and Apache), you should use the -d command line switch to list the domains you want the certificate to work for. From the docs:

 -d DOMAIN, --domains DOMAIN, --domain DOMAIN
                   Domain names to apply. For multiple domains you can
                   use multiple -d flags or enter a comma separated list
                   of domains as a parameter. The first domain provided
                   will be the subject CN of the certificate, and all
                   domains will be Subject Alternative Names on the
                   certificate. The first domain will also be used in
                   ...

If you want to do a dry run to test, use certonly and --dry-run (you'll have to run as root or with sudo):

certbot certonly --dry-run -d www.example.com -d example.com

If it looks like everything is OK, actually generate, install and activate the certs with (note this will restart Apache):

certbot --apache -d www.example.com -d example.com

certbot will make the required edits to your Apache config for you.

If you you'd rather make the edits manually, use the webroot option. The docs for that option include an example of doing this for multiple domains, including example.com and www.example.com. Removing the other domains from that example to simplify for this case:

certbot certonly --webroot -w /var/www/example -d www.example.com -d example.com

You'll need to restart Apache yourself for the new certificates to be used when using this option.