Domain + www subdomain - how to setup the symlinks? #34

Open
I-Am-Abacus opened this issue Apr 6, 2016 · 2 comments

@I-Am-Abacus

I am putting changes live to a site which includes this plugin (v0.0.7) for the first time.

There are instructions in the wiki to "create symlinks between sub-domains and main domain www directory", which I don't understand.

1. Expected behavior

The certificate covers both newmarketscientific.com and www.newmarketscientific.com.

2. Actual behavior

https://newmarketscientific.com works fine, but https://www.newmarketscientific.com does not:-

"The owner of www.newmarketscientific.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

www.newmarketscientific.com uses an invalid security certificate. The certificate is only valid for newmarketscientific.com"

3. Steps to reproduce issue

Put my code live (inc required empty folders, etc)
run openssl genrsa 4096 > key/keyfile.pem
run rake letsencrypt_plugin
...which runs fine.

However, I don't understand what I need to do re the following instruction in the wiki under "2a. Multiple domains":-

Please bear in mind that if you would like to generate certificate for multiple domains then you have to create symlinks between sub-domains and main domain www directory. For example:

+---- /var/www 
            |
            + --- example.com
                  ^  ^
                  |  |
                  |  + --- other1.example.com
                  |
                  + --- other2.example.com

It is because challenge verification is handled by the domain where the letsencrypt_plugin script has been installed and run.

This is my nginx configuration:-

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        passenger_enabled on;
        root /home/rails/nkts_git/public;

        passenger_app_env production;

        index index.html index.htm index.nginx-debian.html;

        server_name newmarketscientific.com;
        ssl_certificate     /home/rails/nkts_git/certificates/newmarketscientific.com-fullchain.pem;
        ssl_certificate_key /home/rails/nkts_git/certificates/newmarketscientific.com-key.pem;

        client_max_body_size 100m;
        client_body_timeout 300s;

}

4. Your configuration (ruby, rails version, your Gemfile and Gemfile.lock files etc.)

Ruby 2.1.7 via rbenv
Rails 4.2.5

My gemfile:-

source 'https://rubygems.org'

gem 'rake', '~> 10.4.2'
gem 'rails', '~> 4.2.5'
gem 'sass-rails', '~> 5.0.3'
gem 'coffee-rails', '~> 4.1.0'
gem 'uglifier', '~> 2.7.1' 
gem 'jquery-rails', '~> 3.1.3'
gem 'jquery-turbolinks', '~> 2.1.0'
gem 'turbolinks', '~> 2.5.3'
gem 'mysql2', '~> 0.3.19'
gem 'nokogiri', '~> 1.6.6.2'
gem 'paperclip', '~> 4.3.0'
gem 'devise', '~> 3.5.1'
gem 'ransack', '~> 1.6.6'
gem 'will_paginate', '~> 3.0.7'
gem 'i18n', '~> 0.7.0'
gem 'tinymce-rails', '~> 4.3.8'
gem 'posix-spawn', '~> 0.3.11'
gem 'letsencrypt_plugin', '~> 0.0.7'
gem 'audited-activerecord', '~> 4.0'

group :development do
  gem 'ruby-debug-ide'
  gem 'debase'
end

group :development, :test do
  gem 'web-console', '~> 2.0'
end

group :staging, :production do
  gem 'passenger', '~> 5.0.15'
  gem 'sentry-raven', :git => 'https://github.com/getsentry/raven-ruby.git'
end

My gemfile.lock

GIT
  remote: https://github.com/getsentry/raven-ruby.git
  revision: 3cdae1db11267f6c81ebf295254ecb42817b25d5
  specs:
    sentry-raven (0.15.5)
      faraday (>= 0.7.6)

GEM
  remote: https://rubygems.org/
  specs:
    acme-client (0.2.4)
      faraday (~> 0.9, >= 0.9.1)
      json-jwt (~> 1.2, >= 1.2.3)
    actionmailer (4.2.5.1)
      actionpack (= 4.2.5.1)
      actionview (= 4.2.5.1)
      activejob (= 4.2.5.1)
      mail (~> 2.5, >= 2.5.4)
      rails-dom-testing (~> 1.0, >= 1.0.5)
    actionpack (4.2.5.1)
      actionview (= 4.2.5.1)
      activesupport (= 4.2.5.1)
      rack (~> 1.6)
      rack-test (~> 0.6.2)
      rails-dom-testing (~> 1.0, >= 1.0.5)
      rails-html-sanitizer (~> 1.0, >= 1.0.2)
    actionview (4.2.5.1)
      activesupport (= 4.2.5.1)
      builder (~> 3.1)
      erubis (~> 2.7.0)
      rails-dom-testing (~> 1.0, >= 1.0.5)
      rails-html-sanitizer (~> 1.0, >= 1.0.2)
    activejob (4.2.5.1)
      activesupport (= 4.2.5.1)
      globalid (>= 0.3.0)
    activemodel (4.2.5.1)
      activesupport (= 4.2.5.1)
      builder (~> 3.1)
    activerecord (4.2.5.1)
      activemodel (= 4.2.5.1)
      activesupport (= 4.2.5.1)
      arel (~> 6.0)
    activesupport (4.2.5.1)
      i18n (~> 0.7)
      json (~> 1.7, >= 1.7.7)
      minitest (~> 5.1)
      thread_safe (~> 0.3, >= 0.3.4)
      tzinfo (~> 1.1)
    arel (6.0.3)
    audited (4.2.0)
      rails-observers (~> 0.1.2)
    audited-activerecord (4.2.0)
      activerecord (~> 4.0)
      audited (= 4.2.0)
    bcrypt (3.1.10)
    bindata (2.2.0)
    binding_of_caller (0.7.2)
      debug_inspector (>= 0.0.1)
    builder (3.2.2)
    climate_control (0.0.3)
      activesupport (>= 3.0)
    cocaine (0.5.8)
      climate_control (>= 0.0.3, < 1.0)
    coffee-rails (4.1.1)
      coffee-script (>= 2.2.0)
      railties (>= 4.0.0, < 5.1.x)
    coffee-script (2.4.1)
      coffee-script-source
      execjs
    coffee-script-source (1.10.0)
    concurrent-ruby (1.0.0)
    debase (0.2.1)
      debase-ruby_core_source
    debase-ruby_core_source (0.8.4)
    debug_inspector (0.0.2)
    devise (3.5.6)
      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
      railties (>= 3.2.6, < 5)
      responders
      thread_safe (~> 0.1)
      warden (~> 1.2.3)
    erubis (2.7.0)
    execjs (2.6.0)
    faraday (0.9.2)
      multipart-post (>= 1.2, < 3)
    globalid (0.3.6)
      activesupport (>= 4.1.0)
    i18n (0.7.0)
    jquery-rails (3.1.4)
      railties (>= 3.0, < 5.0)
      thor (>= 0.14, < 2.0)
    jquery-turbolinks (2.1.0)
      railties (>= 3.1.0)
      turbolinks
    json (1.8.3)
    json-jwt (1.5.2)
      activesupport
      bindata
      multi_json (>= 1.3)
      securecompare
      url_safe_base64
    letsencrypt_plugin (0.0.7)
      acme-client (~> 0.2.4)
      rails (~> 4.2.5)
    loofah (2.0.3)
      nokogiri (>= 1.5.9)
    mail (2.6.3)
      mime-types (>= 1.16, < 3)
    mime-types (2.99)
    mimemagic (0.3.0)
    mini_portile (0.6.2)
    minitest (5.8.4)
    multi_json (1.11.2)
    multipart-post (2.0.0)
    mysql2 (0.3.20)
    nokogiri (1.6.6.4)
      mini_portile (~> 0.6.0)
    orm_adapter (0.5.0)
    paperclip (4.3.5)
      activemodel (>= 3.2.0)
      activesupport (>= 3.2.0)
      cocaine (~> 0.5.5)
      mime-types
      mimemagic (= 0.3.0)
    passenger (5.0.24)
      rack
      rake (>= 0.8.1)
    polyamorous (1.3.0)
      activerecord (>= 3.0)
    posix-spawn (0.3.11)
    rack (1.6.4)
    rack-test (0.6.3)
      rack (>= 1.0)
    rails (4.2.5.1)
      actionmailer (= 4.2.5.1)
      actionpack (= 4.2.5.1)
      actionview (= 4.2.5.1)
      activejob (= 4.2.5.1)
      activemodel (= 4.2.5.1)
      activerecord (= 4.2.5.1)
      activesupport (= 4.2.5.1)
      bundler (>= 1.3.0, < 2.0)
      railties (= 4.2.5.1)
      sprockets-rails
    rails-deprecated_sanitizer (1.0.3)
      activesupport (>= 4.2.0.alpha)
    rails-dom-testing (1.0.7)
      activesupport (>= 4.2.0.beta, < 5.0)
      nokogiri (~> 1.6.0)
      rails-deprecated_sanitizer (>= 1.0.1)
    rails-html-sanitizer (1.0.3)
      loofah (~> 2.0)
    rails-observers (0.1.2)
      activemodel (~> 4.0)
    railties (4.2.5.1)
      actionpack (= 4.2.5.1)
      activesupport (= 4.2.5.1)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
    rake (10.4.2)
    ransack (1.6.6)
      actionpack (>= 3.0)
      activerecord (>= 3.0)
      activesupport (>= 3.0)
      i18n
      polyamorous (~> 1.2)
    responders (2.1.1)
      railties (>= 4.2.0, < 5.1)
    ruby-debug-ide (0.6.0)
      rake (>= 0.8.1)
    sass (3.4.21)
    sass-rails (5.0.4)
      railties (>= 4.0.0, < 5.0)
      sass (~> 3.1)
      sprockets (>= 2.8, < 4.0)
      sprockets-rails (>= 2.0, < 4.0)
      tilt (>= 1.1, < 3)
    securecompare (1.0.0)
    sprockets (3.5.2)
      concurrent-ruby (~> 1.0)
      rack (> 1, < 3)
    sprockets-rails (3.0.1)
      actionpack (>= 4.0)
      activesupport (>= 4.0)
      sprockets (>= 3.0.0)
    thor (0.19.1)
    thread_safe (0.3.5)
    tilt (2.0.2)
    tinymce-rails (4.3.8)
      railties (>= 3.1.1)
    turbolinks (2.5.3)
      coffee-rails
    tzinfo (1.2.2)
      thread_safe (~> 0.1)
    uglifier (2.7.2)
      execjs (>= 0.3.0)
      json (>= 1.8.0)
    url_safe_base64 (0.2.2)
    warden (1.2.6)
      rack (>= 1.0)
    web-console (2.3.0)
      activemodel (>= 4.0)
      binding_of_caller (>= 0.7.2)
      railties (>= 4.0)
      sprockets-rails (>= 2.0, < 4.0)
    will_paginate (3.0.7)

PLATFORMS
  ruby

DEPENDENCIES
  audited-activerecord (~> 4.0)
  coffee-rails (~> 4.1.0)
  debase
  devise (~> 3.5.1)
  i18n (~> 0.7.0)
  jquery-rails (~> 3.1.3)
  jquery-turbolinks (~> 2.1.0)
  letsencrypt_plugin (~> 0.0.7)
  mysql2 (~> 0.3.19)
  nokogiri (~> 1.6.6.2)
  paperclip (~> 4.3.0)
  passenger (~> 5.0.15)
  posix-spawn (~> 0.3.11)
  rails (~> 4.2.5)
  rake (~> 10.4.2)
  ransack (~> 1.6.6)
  ruby-debug-ide
  sass-rails (~> 5.0.3)
  sentry-raven!
  tinymce-rails (~> 4.3.8)
  turbolinks (~> 2.5.3)
  uglifier (~> 2.7.1)
  web-console (~> 2.0)
  will_paginate (~> 3.0.7)

BUNDLED WITH
   1.10.6

Can you please help me understand what I need to do re the symlinks mentioned in the wiki.

Many thanks, Martin

@lgromanowski
Owner

Hi,
sorry for the late reply, I was a bit busy IRL. At this moment there are two ways of doing it: the 1st one is with symlinks (I've tested it some time ago), and the 2nd one is using the same letsencrypt DB for each website (not tested, but I think it should work).

The letsencrypt plugin has to do authorization and challenge/response for each domain separately, but there is one problem: the letsencrypt plugin is running only in the context of one website (domain), i.e. the one without the www prefix; the second one (with the www prefix) is a different instance, doesn't know about the challenge request and doesn't know how to respond to it. Therefore there are the two ideas mentioned earlier for how to solve this problem.

Symlinks

Let's say you have your website placed in /var/www directory: /var/www/newmarketscientific.com

Create symlink to it:

cd /var/www
ln -s newmarketscientific.com www.newmarketscientific.com

so the directory structure will look like:

+---- /var/www 
            |
            + --- newmarketscientific.com
                  ^ 
                  |
                  + --- www.newmarketscientific.com

Set up your webserver so both of your sites will be visible from the Internet, and then run letsencrypt_plugin in /var/www/newmarketscientific.com

Both challenges for newmarketscientific.com and www.newmarketscientific.com should be handled by newmarketscientific.com.

Using the same letsencrypt DB in both websites

You have two RoR applications: one in /var/www/newmarketscientific.com and a second one in /var/www/www.newmarketscientific.com

Use the same DB settings (config/database.yml) in both applications, so if you run the letsencrypt plugin in /var/www/newmarketscientific.com, which triggers a challenge request (and stores it in the DB), the second application in /var/www/www.newmarketscientific.com will know how to respond.

Perhaps there is another/better way of doing this; I'm open to ideas.

Hope it helps.

@I-Am-Abacus
Author

I think you have misunderstood my problem. There are not two applications. The server is serving a single application, with DNS for both newmarketscientific.com and www.newmarketscientific.com pointing to the same IP address. This works fine under HTTP.

The problem turned out to be the "server" line of the NGINX config. I added www.newmarketscientific.com to this, and it now works.

There were no symlinks involved. Perhaps enhance the documentation to cover this situation?

Thanks, Martin
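
The symptom and fix from this thread can be expressed as a check. This is an added example, not code from letsencrypt_plugin or from either poster. For each hostname that DNS points at the server, it reports whether the nginx `server_name` line lists it and whether the served certificate is valid for it. The certificates are throwaway self-signed ones constructed inline, the two config strings are constructed from the posted `server_name` line, and `sample_cert`, `nginx_server_names`, `coverage_report` and `failing_hosts` are hypothetical helper names.

```ruby
require 'openssl'

# Throwaway self-signed certificate whose subjectAltName lists `sans`.
# Constructed sample input so the example runs offline.
def sample_cert(sans)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{sans.first}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  san = sans.map { |n| "DNS:#{n}" }.join(',')
  cert.add_extension(ef.create_extension('subjectAltName', san))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Hostnames named on the server_name line(s) of an nginx config.
def nginx_server_names(conf)
  conf.scan(/^\s*server_name\s+([^;]+);/).flat_map { |m| m.first.split }
end

# For each hostname that DNS points at this server, report whether nginx
# lists it and whether the served certificate is valid for it.
def coverage_report(hostnames, conf, cert)
  listed = nginx_server_names(conf)
  hostnames.to_h do |h|
    [h, { in_server_name: listed.include?(h),
          cert_valid: OpenSSL::SSL.verify_certificate_identity(cert, h) }]
  end
end

HOSTS = %w[newmarketscientific.com www.newmarketscientific.com].freeze
# Constructed: the server_name line as posted, and with www added.
BEFORE_CONF = "server {\n  server_name newmarketscientific.com;\n}\n"
AFTER_CONF  = "server {\n  server_name #{HOSTS.join(' ')};\n}\n"

# Hostnames that fail either check.
def failing_hosts(conf, cert)
  coverage_report(HOSTS, conf, cert).reject { |_, r| r.values.all? }.keys
end

if __FILE__ == $PROGRAM_NAME
  p failing_hosts(BEFORE_CONF, sample_cert(HOSTS.first(1)))
  p failing_hosts(AFTER_CONF, sample_cert(HOSTS))
end
```

Against a live deployment, the certificate would be loaded from the `ssl_certificate` file with `OpenSSL::X509::Certificate.new(File.read(path))` in place of `sample_cert`.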
