LetsEncrypt / PageKite problem?

Summary
Invalid SSL certificate for my vhost

Problem
I bought a year of PageKite and a domain name from namecheap.
I successfully configured PageKite and added CNAME entries at my registrar.
https is now working for my website “www.shorehub.us” and I can browse
to www.shorehub.us/plinth from the internet with a secure connection, and the displayed certificate in my browser is correct for “www.shorehub.us”.
It gets a ‘B’ rating from SSL Server Test: www.shorehub.us (Powered by Qualys SSL Labs)

With that working, I now added some CNAME entries for subdomains “zot”, “hub”, etc on my registrar and would like to have a couple subdomain vhosts such as zot.shorehub.us in addition to the www.shorehub.us.

However, I’ve not been able to generate a correct/working LetsEncrypt SSL cert.
I don’t know whether it’s a FreedomBox problem or a PageKite.net problem.
This web tutorial shows that it’s possible to run multiple subdomain vhosts with SSL through a pagekite.

I wanted to reserve the www.shorehub.us vhost for FreedomBox apps like /plinth or /calibre etc. I am trying to install Hubzilla, which needs to be installed in the top domain or a subdomain with no subpaths.

I ran the standard certbot command to generate a certificate for the subdomain zot.shorehub.us
with the Apache path at /var/www/hubzilla:


certbot --apache --expand -w /var/www/hubzilla -d zot.shorehub.us -m myemail@mydomain --agree-tos --non-interactive --redirect --hsts --uir

Browsing to “zot.shorehub.us” shows an invalid certificate issued to “freedombox”:

Common Name (CN) freedombox
Organization (O)
Organizational Unit (OU)

Issued By

Common Name (CN) freedombox
Organization (O)
Organizational Unit (OU)

Validity Period

Issued On Thursday, January 21, 2021 at 2:15:29 PM
Expires On Sunday, January 19, 2031 at 2:15:29 PM

Fingerprints

SHA-256 Fingerprint
7E 46 E8 D4 C6 5B A6 82 91 1B A2 25 43 3F E7 DB AD A9 8D DF E7 BE FD 84 B8 B0 72 11 A8 CB 89 FD
SHA-1 Fingerprint
9D 1C 7A FC 7F 5A 68 91 BD C1 A7 15 AF C1 AF B4 2A 2C 26 59

SSL Labs reports that the first certificate chain belongs to pagekite.net
and the next belongs to freedombox (mismatch).

https://www.ssllabs.com/ssltest/analyze.html?d=zot.shorehub.us

Solution

Screenshots/Layouts
Namecheap CNAME configurations for subdomains

PageKite.net kites:

FreedomBox LetsEncrypt certs:


cat /etc/pagekite.d/80_http.rc

service_on = http:@kitename:localhost:80:@kitesecret
service_on = http:www.shorehub.us:localhost:80:@kitesecret
service_on = http:zot.shorehub.us:localhost:80:@kitesecret


cat /etc/pagekite.d/443_https.rc

service_on = https:@kitename:localhost:443:@kitesecret
service_on = https:www.shorehub.us:localhost:443:@kitesecret
service_on = https:zot.shorehub.us:localhost:443:@kitesecret

Alternatives

Tasks

Just noticed something - the value entries in your DNS records at Namecheap contain dashes instead of dots; could this be causing DNS to not resolve properly?

The PageKite instructions said that if you needed https, then you had to use a dash because https was limited somehow to under 3 dots in the domain name. HTTP would work with something like mydomain.mydomain.pagekite.me but HTTPS would not because there are 3 periods. They recommended using mydomain-mydomain.pagekite.me instead.

Anyhow, I think my DNS and PageKite configuration are all working correctly.

What I’ve not been able to figure out yet is how to modify the apache2 configuration to allow subdomains/vhosts. FreedomBox configures (in /etc/apache2/conf-enabled) the apache2 server to rewrite all URIs to /plinth or /APP.

That works fine for the FreedomBox apps. But Hubzilla is required to be installed in the top domain root and not in some subpath to function properly. I’ve managed to get Hubzilla working in a subpath like /APP, but normal users would consider the functionality broken.

Basically, if I navigate to www.mydomain.com/hubzilla I get sent to https://mydomain.com/plinth and https shows a valid SSL cert for hubzilla.mydomain.com.
Now that the browser is connected with a valid cert to my site, I can backspace and replace /plinth with e.g. /channel/hubzilla-user or /network or /manage, /settings, etc., and the Hubzilla server will generate the correct page for the given URI for the currently authenticated/logged-in Hubzilla user. Most would consider this workaround broken and unusable.

I’ve been working my way through the apache2 conf-available configurations, trying to learn apache2. I’m not an apache2 guru. I made a copy of my current working apache2 config and am playing with a testing config.

I did clone some Hubzilla identities/profiles from my main Hubzilla server to the FreedomBox Hubzilla server. One of the profiles/channels which I cloned had in excess of 100 RSS connections, which the Hubzilla admin instructions warn is resource intensive and is disabled by default. Anyhow, the FreedomBox could not manage the workload and became unresponsive: no ssh access nor browser access to /plinth. So I had to remove the problematic cloned identity/profile/channel from the FreedomBox Hubzilla server.

I’ve got an old ATX 32-bit computer that was giving me Machine Check Errors and so is gathering dust, but it’s got terabytes of new WD SATA drives and a $300+ PSU, so maybe I’ll build a modern home server and salvage the PSU and tower case. I had just finished setting up full LUKS disk encryption with btrfs RAID before the system began displaying signs of ill health. Well, I think I got my money’s worth out of the ancient system, LOL.

Then I’ll just need to proxy Hubzilla connections from the FreedomBox to the new server. I still think I’ll need to get the FreedomBox apache2 configured to allow subdomains/vhosts, as I think that ProxyPass’ing <freedombox>/hubzilla to <towerserver> listening on port :443 for hubzilla.mydomain.com is still going to have the same broken functionality unless I can ProxyPass <freedombox>hubzilla.mydomain.com to <towerserver>hubzilla.mydomain.com.

So I am shopping for a server motherboard for the ATX case with at least 4 SATA ports and hopefully a couple of NVMe slots as well for the OS on RAID. Or maybe just a separate eSATA external enclosure with 4 bays, connected to a smaller-footprint server.
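An added worked example for two points raised in this thread, not code from the original posts nor from FreedomBox, PageKite or Hubzilla: (1) the certbot run for zot.shorehub.us that left the browser seeing the self-signed “freedombox” certificate, and (2) the later question of how to give apache2 a subdomain vhost. certbot’s Apache installer looks for a <VirtualHost> whose ServerName or ServerAlias matches each -d name; when none exists it has nowhere to install the certificate, and Apache keeps answering TLS for that SNI name with its default (here self-signed, CN=freedombox) certificate, which is exactly the mismatch SSL Labs flagged. The script below writes such a vhost, then provides a check of which certificate a server really presents for a given SNI name and whether that certificate’s CN/SAN names cover the hostname. It assumes the Debian Apache layout (/etc/apache2/sites-available, a2ensite), the standard certbot paths under /etc/letsencrypt/live/, that Hubzilla needs mod_rewrite with AllowOverride All, and an OpenSSL 1.1.1+ command line; the hostnames and paths are the ones from this thread.

```shell
#!/bin/sh
# Added example (not from the original posts, FreedomBox, PageKite or Hubzilla).
# Assumptions: Debian Apache layout, certbot's /etc/letsencrypt/live/<name>/
# paths, Hubzilla wanting AllowOverride All for its rewrite rules, OpenSSL 1.1.1+.

# write_vhost NAME DOCROOT OUTFILE
# Writes a name-based HTTP vhost. Only the :80 vhost is needed by hand:
# "certbot --apache --redirect -d NAME" finds this ServerName, creates the
# matching :443 vhost with the Let's Encrypt certificate and adds the redirect.
write_vhost() {
    name=$1; docroot=$2; out=$3
    cat >"$out" <<EOF
<VirtualHost *:80>
    ServerName $name
    DocumentRoot $docroot
    <Directory $docroot>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog \${APACHE_LOG_DIR}/$name-error.log
    CustomLog \${APACHE_LOG_DIR}/$name-access.log combined
</VirtualHost>
EOF
}
# Typical use: write_vhost zot.shorehub.us /var/www/hubzilla \
#     /etc/apache2/sites-available/zot.shorehub.us.conf
#   a2ensite zot.shorehub.us && systemctl reload apache2
#   certbot --apache --redirect -d zot.shorehub.us

# served_cert_names HOST [SNI]
# Prints the subject and subjectAltName of the certificate HOST:443 presents
# when the client sends SNI (default: HOST). Run it once with SNI=www.shorehub.us
# and once with SNI=zot.shorehub.us to see whether Apache picked a vhost
# certificate or fell back to the default self-signed one.
served_cert_names() {
    h=$1; sni=${2:-$1}
    printf '' | openssl s_client -connect "$h:443" -servername "$sni" 2>/dev/null |
        openssl x509 -noout -subject -ext subjectAltName 2>/dev/null
}

# extract_names: reads that openssl output on stdin and prints one bare name
# per line: the subject CN first, then every DNS: entry of the SAN extension.
extract_names() {
    input=$(cat)
    printf '%s\n' "$input" | sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p'
    printf '%s\n' "$input" | tr ',' '\n' | sed -n 's/^ *DNS: *//p'
}

# name_matches HOST NAME: 0 if NAME covers HOST the way a browser checks it,
# i.e. a case-insensitive exact match or a wildcard standing for exactly one label.
name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $name in
        '*.'*)
            suffix=${name#\*}                      # "*.shorehub.us" -> ".shorehub.us"
            case $host in
                *"$suffix")
                    left=${host%"$suffix"}         # the part the * stands for
                    [ -n "$left" ] && [ "$left" = "${left#*.}" ] ;;   # one label only
                *) return 1 ;;
            esac ;;
        *) [ "$host" = "$name" ] ;;
    esac
}

# cert_covers HOST NAME...: 0 if any CN/SAN name covers HOST.
cert_covers() {
    target=$1; shift
    for n in "$@"; do
        name_matches "$target" "$n" && return 0
    done
    return 1
}

# check_sni HOST: fetch what HOST:443 serves for SNI=HOST and report whether
# the certificate covers HOST (exit 1 on the mismatch SSL Labs reports).
check_sni() {
    target=$1
    names=$(served_cert_names "$target" | extract_names)
    [ -n "$names" ] || { echo "$target: no certificate received" >&2; return 2; }
    if cert_covers "$target" $names; then        # word-split on purpose: one name per word
        echo "$target: OK, certificate names: $(printf '%s ' $names)"
    else
        echo "$target: MISMATCH, certificate names: $(printf '%s ' $names)"
        return 1
    fi
}
```

Running `check_sni zot.shorehub.us` against the setup described in the thread would print the single name “freedombox” and report MISMATCH; after the vhost exists and certbot has installed the certificate it should list zot.shorehub.us among the SAN entries. The wildcard rule matters for PageKite’s own *.pagekite.me certificate: it covers mykite.pagekite.me but not a.mykite.pagekite.me, which is why the dash form is recommended for https.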