Adding second SSL for second domain

Hi all!

I have a NextCloud server running and it’s working just fine. Now I’ve added a second domain to reach this server.

First domain: cloud.domain1.com
Second domain: cloud.domain2.com

Both the domains work, but for the second domain I just can’t seem to figure out how to install an SSL certificate… For the first domain, I simply used certbot and it was set up in minutes. For the second domain I just wanted to do that again but it doesn’t work like that.

When I run the certbot setup I chose to install the SSL on the same virtual host as domain 1.

The error that certbot gives me is this: Could not find a VirtualHost for cloud.domain2.com in the Apache configuration Please create a VirtualHost with a ServerName matching cloud.domain2.com and try again

When I check the folder, the certificate is saved, but not installed/used.

What do I do now? I have a couple of possible solutions but I’m not sure these are correct or logical?

  1. Remove all SSL certificates, rerun certbot and create a single SSL for both domain1 and domain2 (is this even possible?)
  2. Create a VirtualHost for domain2 (Would this not create an entire new NextCloud instance, separate from my already running instance?)

I’d love to hear from you people, I’ve really found the forums to be super helpful so far!

Thanks in advance!

I don’t think you have to delete the existing certificates, but you have to add both names to your VirtualHost (See example below) and run Certbot again. It should then create a certificate that is valid for both domains.

There’s no need to create a separate VirtualHost, as I already implied above, and no, a second VirtualHost wouldn’t create a second Nextcloud instance. Nextcloud is not really multi-tenant capable. And even if it were, Apache can’t change the Nextcloud config on its own and vice versa. However both have of course to be configured accordingly, in order to be able to work together:

Apache VirtualHost example for two domain names:

<VirtualHost *:80>
    ServerName cloud.domain1.com
    ServerAlias cloud.domain2.com

</VirtualHost>

Nextcloud config.php example:

'trusted_domains' => 
array (
  0 => 'cloud.domain1.com',
  1 => 'cloud.domain2.com',
),

Hope that helps…

Thanks for getting back to me so soon!

Where do I add the virtualhost names? Is it located in the Nextcloud config.php file? Both domains are already in the trusted domains list so I think it might just be about adding both domains to the VirtualHost list.

Yes, as in my example. Just add the second domain name as a ServerAlias to your VirtualHost config, on a separate line, and try to run Certbot again. If it still doesn’t work, please post your entire Apache Virtualhost config and the exact command you used to run Certbot.

So unfortunately now the domain that used to work with SSL doesn’t work anymore, and the domain that worked, but just wasn’t secure, isn’t working…

<VirtualHost *:80>
#     RewriteEngine On
#     RewriteRule ^(.*)$ https://%{HTTP_HOST} [R=301,L]
    ServerName cloud.domain1.com
    ServerAlias cloud.domain2.com
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =cloud.domain2.com [OR]
    RewriteCond %{SERVER_NAME} =www.cloud.domain2.com [OR]
    RewriteCond %{SERVER_NAME} =cloud.domain1.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    Header add Strict-Transport-Security: "max-age=15552000;includeSubdomains"

### YOUR SERVER ADDRESS ###
#    ServerAdmin admin@example.com
#    ServerName cloud.example.com

### SETTINGS ###
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php/php8.1-fpm.nextcloud.sock|fcgi://localhost"
    </FilesMatch>

    # Intermediate configuration
    SSLEngine               on
    SSLCompression          off
    SSLProtocol             -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite          (edited for security)
    SSLHonorCipherOrder     off
    SSLSessionTickets       off
    ServerSignature         off

    # Logs
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Document root folder
    DocumentRoot /var/www/nextcloud

    # The Nextcloud folder
    <Directory /var/www/nextcloud>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
    Satisfy Any
    # This is to include all the Nextcloud rules due to that we use PHP-FPM and .htaccess aren't read
    Include /var/www/nextcloud/.htaccess
    </Directory>

    # Deny access to your data directory
    <Directory /mnt/ncdata>
    Require all denied
    </Directory>

    # Deny access to the Nextcloud config folder
    <Directory /var/www/nextcloud/config/>
    Require all denied
    </Directory>

    <IfModule mod_dav.c>
    Dav off
    </IfModule>

    # The following lines prevent .htaccess and .htpasswd files from being viewed by Web clients.
    <Files ".ht*">
    Require all denied
    </Files>

    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud

    # Disable HTTP TRACE method.
    TraceEnable off
    # Disable HTTP TRACK method.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACK
    RewriteRule .* - [R=405,L]

    # Avoid "Sabre\DAV\Exception\BadRequest: expected filesize XXXX got XXXX"
    <IfModule mod_reqtimeout.c>
    RequestReadTimeout body=0
    </IfModule>

    # Avoid zero byte files (only works in Ubuntu 22.04 -->>)
    SetEnv proxy-sendcl 1

### LOCATION OF CERT FILES ###
    ServerName cloud.domain1.com
    SSLCertificateFile /etc/letsencrypt/live/cloud.domain1.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cloud.domain1.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

The command used for certbot was

sudo certbot --apache -m name@domain.com -d cloud.domain1.com -d www.cloud.domain1.com

Later I used the same command for the second SSL, but with the corresponding domains of course.

I would try removing the three lines starting with RewriteCond and then execute Certbot again using the following command:

certbot --apache --redirect -d cloud.domain1.com -d cloud.domain2.com

Hey bb77, thanks, that did work to some extent. Both domains now have an SSL so that’s good.
But, something is still wrong, because both URLs now show me this page… Any ideas on how/where to fix this?

edit: is this because my trusted domains in the config.php file are “cloud.domain1.com” and “cloud.domain2.com” without the https?

I had another look at the config you posted, and I noticed that the ServerName and ServerAlias directives are missing in the second VirtualHost

Add them after <VirtualHost *:443> like this…

<VirtualHost *:443>
    ServerName cloud.domain1.com
    ServerAlias cloud.domain2.com

…and then restart Apache:

sudo systemctl restart apache2

I did that, but it still shows the “Index of /” page for both domains.

Maybe you have not set the correct paths. Read this (Debian) or this (Ubuntu) installation guide (apache2-parts).

Hmm, not sure then. Maybe it is because both VirtualHosts are in the same config file… Usually Certbot automatically creates a second config file for the SSL config and adds redirect directives to the first one…

Example:

If your config file is named nextcloud.conf, Certbot will create a second config called nextcloud-le-ssl.conf

This would mean, that you now have two SSL configs for the same Server and Alias Names, but only the one in your first config file contains the additional directives for Nextcloud.

Maybe it would be easier to disable all of the existing configs, and start over with a fresh config.

ls /etc/apache2/sites-available

then disable all the configs:

a2dissite filename.conf

Then create a new simple config file as follows:

nano /etc/apache2/sites-available/nextcloud.conf
<VirtualHost *:80>
ServerName cloud.domain1.com
ServerAlias cloud.domain2.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Save the file and exit nano.

Enable the site:

a2ensite nextcloud.conf

Restart Apache and run certbot. Certbot will then create a file called nextcloud-le-ssl.conf, which already contains the directives from the first VirtualHost plus the SSL config. Leave those entries alone and only add the rest of your existing config under <VirtualHost *:443> from the old config file to it:

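The diagnosis in the post above (two SSL VirtualHosts claiming the same names, only one of them carrying the Nextcloud directives) can be checked mechanically. This is an added example, not part of the original thread: a small Python model of Apache's name-based VirtualHost selection, run over a constructed two-file config whose file names follow the nextcloud.conf / nextcloud-le-ssl.conf example and whose contents are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample (assumed layout): the hand-written 443 vhost holding the Nextcloud
# directives, plus a Certbot-generated -le-ssl vhost claiming the same names without them.
SAMPLE = {
    "nextcloud.conf": """
<VirtualHost *:80>
    ServerName cloud.domain1.com
    ServerAlias cloud.domain2.com
</VirtualHost>
<VirtualHost *:443>
    ServerName cloud.domain1.com
    DocumentRoot /var/www/nextcloud
</VirtualHost>""",
    "nextcloud-le-ssl.conf": """
<VirtualHost *:443>
    ServerName cloud.domain1.com
    ServerAlias cloud.domain2.com
</VirtualHost>""",
}
VHOST = re.compile(r"<VirtualHost\s+\S*?:(\d+)>(.*?)</VirtualHost>", re.S | re.I)
def parse(configs):
    """Return vhosts in load order (Apache reads wildcard-included files sorted by name)."""
    vhosts = []
    for fname in sorted(configs):
        for port, body in VHOST.findall(configs[fname]):
            v = {"file": fname, "port": int(port), "names": [], "docroot": None}
            for parts in (ln.split() for ln in body.splitlines()):
                key = parts[0].lower() if parts else ""  # comment lines never match below
                if key in ("servername", "serveralias"):
                    v["names"] += [n.lower() for n in parts[1:]]
                elif key == "documentroot":
                    v["docroot"] = parts[1]
            vhosts.append(v)
    return vhosts

def serving_vhost(vhosts, host, port):
    """First vhost on the port whose ServerName/ServerAlias matches, else the first on the port."""
    on_port = [v for v in vhosts if v["port"] == port]
    return next((v for v in on_port if host.lower() in v["names"]), on_port[0] if on_port else None)

def duplicate_names(vhosts):
    """Names claimed by more than one vhost on the same port (exact names only, no wildcards)."""
    seen = defaultdict(list)
    for v in vhosts:
        for name in v["names"]:
            seen[(name, v["port"])].append(v["file"])
    return {key: files for key, files in seen.items() if len(files) > 1}
```

In this sample both names on port 443 resolve to the -le-ssl vhost, which has no DocumentRoot, so neither request reaches /var/www/nextcloud. On a live server, `apache2ctl -S` prints the parsed vhost-to-name mapping for comparison.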

Could you elaborate on that? Before I added the SSL at least both domains did work, but only one didn’t have an SSL. Now both have SSL, but don’t work sadly.

Then the path isn’t the issue, if you didn’t change it.

So before I start deleting all config files and starting over, I checked what is in the /etc/apache2/sites-available folder. These are the .conf files in there:

  • 000-default.conf
  • nextcloud_http_domain_self_signed.conf
  • nextcloud_tls_domain_self_signed.conf
  • default-ssl.conf
  • nextcloud_tls_domain_self_signed-le-ssl.conf

Should I check any of these files before starting all over?

You don’t have to delete the files. Just disable them for now, by using the a2dissite command. Once your new config is working, you can delete them.


Your previous post helped me tremendously and I have marked it as the solution! Had a little struggle at first, but I soon realized I edited the wrong file. Thank you so much for this, very helpful!
