Unencrypted http:// access to the SLUUG Special Intrist Groups (SIG) domains worked as desired without any problems

Unfortunately, encrypted https:// access to the SIG domains left some things to be desired.

• https://sluug.tnetconsulting.net

We had an annoyance with the TLS certificates on Bock. Specifically, the TLS certificate didn't include the following domain names:

• newlinux.org / www.newlinux.org
• slacc.org / www.slacc.org
• stllug.org / www.stllug.org

So any time users went to the https:// version of those sites, they got a scary security warning message:

• Warning: Potential Security Risk Ahead
• This Connection is Untrusted

Visitors had to click through the warning, against security best practice, to receive a redirect to another SLUUG site:

• https://newlug.sluug.org
• https://slacc.sluug.org
• https://www.stllug.org

The solution for this is to make sure that there is a certificate on Bock that includes the host names at the top of the page.

SLUUG uses Certbot to manage certificates. Certbot was configured to run the following command when it issues / renewed certificate.

certbot certonly \
           --server https://acme-v02.api.letsencrypt.org/directory \
           --dns-rfc2136 \
           --dns-rfc2136-credentials /etc/letsencrypt/sluug.credentials \
           --dns-rfc2136-propagation-seconds 300 \
           -d *.sluug.org -d sluug.org \
           -d stllinux.org \
           -d www.stllinux.org

So we needed to tell Cerbot to request certificates for six additional names:

certbot certonly \
           --server https://acme-v02.api.letsencrypt.org/directory \
           --dns-rfc2136 \
           --dns-rfc2136-credentials /etc/letsencrypt/sluug.credentials \
           --dns-rfc2136-propagation-seconds 300 \
           -d *.sluug.org -d sluug.org \
           -d stllinux.org \
           -d www.stllinux.org \
           -d newlinux.org \
           -d www.newlinux.org \
           -d slacc.org \
           -d www.slacc.org \
           -d stllug.org \
           -d www.stllug.org \
           --expand

Adding the `-d` lines for the six domains; no-www and www forms, as the `--expand` option is all that was needed.

N.B. Certbot was already configured to use Dynamic DNS updates to add records to DNS zones on Bock, so nothing extra was needed to enable that.

Once the new certificate with the additional domain names was created, then it was a matter of restarting Apache to make it use the new certificate.

We are still in the process of cleaning up how Apache serves up redirects for the SIG domains.

This page was intentionally left blank.

Q & A / discussion

This page was also intentionally left blank.