Error from logs:

```text
[ssl:warn] [pid 625] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
```

This warning means that the certificate mod_ssl loaded for the `www.example.com:443` virtual host has no Subject Alternative Name (SAN) entry (or Common Name) matching that virtual host's ServerName, so the certificate does not cover all the domains being served. Browsers apply the same name check, so the affected hostnames also fail certificate validation on the client side.
Talishar currently serves multiple domains:

- talishar.net (main domain)
- www.talishar.net (www subdomain)
- api.talishar.net (API backend)
- fe.talishar.net (frontend)
- legacy.talishar.net (legacy site)
The current SSL certificate is either:

- ❌ Only issued for a single domain (e.g., www.example.com)
- ❌ Missing Subject Alternative Names (SANs) for all subdomains
- ❌ A placeholder certificate that does not match the production domains
Use Let's Encrypt (recommended for open source projects; it's free):

```bash
# Install Certbot if not already installed
apt-get install certbot python3-certbot-apache

# Generate one certificate covering all domains
certbot certonly --apache \
  -d talishar.net \
  -d www.talishar.net \
  -d api.talishar.net \
  -d fe.talishar.net \
  -d legacy.talishar.net

# Follow the prompts to validate domain ownership
```

This creates certificates at:

- /etc/letsencrypt/live/talishar.net/fullchain.pem (certificate plus intermediate chain)
- /etc/letsencrypt/live/talishar.net/privkey.pem (private key)

Confirm that every domain appears in the certificate's SAN list:

```bash
openssl x509 -in /etc/letsencrypt/live/talishar.net/fullchain.pem -text -noout | grep -A1 "Subject Alternative Name"
```

Expected output:

```text
Subject Alternative Name:
    DNS:talishar.net, DNS:www.talishar.net, DNS:api.talishar.net, DNS:fe.talishar.net, DNS:legacy.talishar.net
```
Create /etc/apache2/sites-available/talishar-ssl.conf:

```apache
# Main domain with all subdomains
<VirtualHost *:443>
    ServerName talishar.net
    ServerAlias www.talishar.net api.talishar.net fe.talishar.net legacy.talishar.net

    # SSL configuration
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/talishar.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/talishar.net/privkey.pem
    # fullchain.pem already contains the intermediate chain, and SSLCertificateChainFile
    # is deprecated since Apache 2.4.8; it is kept only for older releases
    SSLCertificateChainFile /etc/letsencrypt/live/talishar.net/chain.pem

    # Modern SSL configuration
    SSLProtocol TLSv1.2 TLSv1.3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on

    # HSTS (Strict Transport Security); includeSubDomains also pins every subdomain to HTTPS
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Proxy to Docker container
    ProxyPreserveHost On
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    # Logging
    ErrorLog ${APACHE_LOG_DIR}/talishar-error.log
    CustomLog ${APACHE_LOG_DIR}/talishar-access.log combined
</VirtualHost>

# Redirect HTTP to HTTPS, keeping the requested hostname and path.
# A fixed "Redirect permanent / https://talishar.net/" would send api.talishar.net
# and the other subdomains to the apex host, breaking API and frontend clients.
<VirtualHost *:80>
    ServerName talishar.net
    ServerAlias www.talishar.net api.talishar.net fe.talishar.net legacy.talishar.net
    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

Enable the required modules and the site:

```bash
a2enmod ssl
a2enmod proxy
a2enmod proxy_http
a2enmod headers
a2enmod rewrite          # needed by the HTTP-to-HTTPS RewriteRule
a2ensite talishar-ssl
a2dissite 000-default    # Disable default site if applicable

# Test configuration
apache2ctl configtest
# Should output: Syntax OK

# Reload Apache
systemctl reload apache2
```

Let's Encrypt certificates expire after 90 days. Auto-renew them:
```bash
# Test renewal (dry run)
certbot renew --dry-run

# Enable automatic renewal (runs daily)
systemctl enable certbot.timer
systemctl start certbot.timer

# Check each certificate's expiry date and renewal status
# (certbot renew has no --status flag; certbot certificates lists this)
certbot certificates
```

Inspect the certificate that was issued:

```bash
# View cert details
openssl x509 -in /etc/letsencrypt/live/talishar.net/fullchain.pem -text -noout

# Check expiration
openssl x509 -in /etc/letsencrypt/live/talishar.net/fullchain.pem -noout -dates

# Verify SANs are present
openssl x509 -in /etc/letsencrypt/live/talishar.net/fullchain.pem -text -noout | grep DNS
```

Test HTTPS from a client:

```bash
# Test HTTPS on main domain
curl -I https://talishar.net

# Test HTTPS on subdomains
curl -I https://api.talishar.net
curl -I https://fe.talishar.net
```

Each request should return HTTP 200 without SSL warnings.
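The manual `grep DNS` check above is easy to get wrong when a vhost lists many aliases. The following check compares the hostnames a vhost serves (ServerName and ServerAlias) against the DNS entries in the certificate's SAN line and reports any hostname the certificate would not match, which is exactly the condition that produces AH01909 for the ServerName. This is an added example written for this guide, not code from the Talishar project; the vhost snippet and SAN line are constructed samples (the SAN line has the shape `openssl x509 -text` prints). It goes slightly beyond the guide's certificate by also handling wildcard SANs, matched per RFC 6125 (one label only, never the apex).

```python
"""Check that a certificate's SAN list covers every hostname an Apache vhost serves.

Added example, not part of the original guide or the Talishar project. Inputs are
the vhost configuration text and the 'Subject Alternative Name' line from
`openssl x509 -text -noout`. Sample values below are constructed.
"""
import re

# Constructed sample: the guide's vhost, and a certificate that is missing one SAN.
SAMPLE_VHOST = """
<VirtualHost *:443>
    ServerName talishar.net
    ServerAlias www.talishar.net api.talishar.net fe.talishar.net legacy.talishar.net
</VirtualHost>
"""

SAMPLE_SAN_LINE = "DNS:talishar.net, DNS:www.talishar.net, DNS:api.talishar.net, DNS:fe.talishar.net"


def vhost_hostnames(config_text):
    """Return the set of hostnames named by ServerName/ServerAlias directives."""
    names = set()
    for m in re.finditer(r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", config_text, re.MULTILINE):
        for token in m.group(1).split():
            # ServerName may carry a scheme or port (ServerName https://host:443); keep the host only.
            host = token.split("://")[-1].split(":")[0]
            names.add(host.lower().rstrip("."))
    return names


def san_dns_names(san_line):
    """Extract the DNS entries from the SAN line; IP:/email: entries are not hostnames."""
    return {part.split(":", 1)[1].strip().lower()
            for part in san_line.split(",")
            if part.strip().startswith("DNS:")}


def san_matches(san, hostname):
    """RFC 6125 style match: exact, or a leading '*' covering exactly one left-most label."""
    if san == hostname:
        return True
    if san.startswith("*."):
        suffix = san[1:]                      # "*.talishar.net" -> ".talishar.net"
        label = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
        return label != "" and "." not in label
    return False


def uncovered_hostnames(config_text, san_line):
    """Hostnames the vhost serves that no SAN entry matches (sorted); empty means full coverage."""
    sans = san_dns_names(san_line)
    return sorted(h for h in vhost_hostnames(config_text)
                  if not any(san_matches(s, h) for s in sans))


if __name__ == "__main__":
    missing = uncovered_hostnames(SAMPLE_VHOST, SAMPLE_SAN_LINE)
    if missing:
        print("certificate does not cover:", ", ".join(missing))
    else:
        print("all vhost hostnames are covered")
```

On a real host, feed it the contents of `/etc/apache2/sites-available/talishar-ssl.conf` and the SAN line from the `openssl x509` command above; a non-empty result means the certificate request needs another `-d` entry (or the ServerAlias list needs trimming) before Apache is reloaded.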
Watch the Apache error log while the site comes up:

```bash
# Monitor Apache error log
tail -f /var/log/apache2/talishar-error.log

# Should NOT see:
# [ssl:warn] AH01909: ... server certificate does NOT include an ID
```

Important: the Docker container (`web-server` in docker-compose.yml) serves HTTP only (port 8080). The SSL/HTTPS layer is handled by:

- Development: browsers don't validate SSL for localhost
- Production: the reverse proxy (Apache/Nginx on the host) handles SSL termination
```text
User HTTPS Request
        ↓
Host Machine (Apache) - Handles SSL/TLS
        ↓
Docker Container (HTTP, port 8080) - Serves content
```
If the warning persists after installing the new certificate:

- Restart Apache so the new certificate is actually loaded (a reload should suffice, but a full restart rules out stale state):

  ```bash
  systemctl restart apache2
  ```

- Clear the browser cache:
  - Open DevTools (F12) → Application → Certificates
  - Or use Ctrl+Shift+Delete (Chrome/Firefox)

- Verify with a different tool, so a cached browser result is ruled out; the output shows the certificate Apache presents for that SNI name and the chain verification result:

  ```bash
  openssl s_client -connect talishar.net:443 -servername talishar.net
  ```

If certbot fails to issue the certificate, ensure:

- DNS records point to the server IP
- The firewall allows port 80 (HTTP is used for domain validation)
- There are no duplicate certificate conflicts:

  ```bash
  certbot certificates                     # List all certs
  certbot delete --cert-name talishar.net  # Remove conflicting cert
  ```

Check for syntax errors:

```bash
apache2ctl configtest
```

If there are errors, review the config file syntax.
✅ Implemented in the above config:

- ✅ TLS 1.2 and 1.3 only (no outdated SSLv3, TLS 1.0, 1.1)
- ✅ Strong cipher suites (anonymous and MD5-based suites excluded)
- ✅ HSTS header (forces HTTPS for 1 year, including subdomains)
- ✅ All subdomains covered by a single certificate
- ✅ Automatic renewal (certbot replaces the certificate before its 90-day expiry)
Add to monitoring/alerting:

- Certificate expiration (alert 30 days before)
- HTTPS availability on all domains
- SSL error logs

```bash
# Manual check of certificate expiration
openssl x509 -in /etc/letsencrypt/live/talishar.net/fullchain.pem -noout -dates
```
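The first and third monitoring items can be scripted directly from the `openssl x509 -noout -dates` output and the Apache error log: compute the days left until `notAfter` and alert at the 30-day mark, and pull every mod_ssl warning or error (including AH01909, with the vhost it names) out of the log. The following is an added example, not part of the original guide or the Talishar project; the openssl output, the "current time" and the log lines are constructed samples, and the threshold is the 30 days named above.

```python
"""Monitoring helpers: days until a certificate expires (from `openssl x509 -noout -dates`
output) and a scan of the Apache error log for mod_ssl warnings and errors.

Added example, not part of the original guide. The openssl output, current time and
log lines below are constructed samples; ALERT_DAYS is the checklist's 30-day threshold.
"""
import re
from datetime import datetime, timezone

ALERT_DAYS = 30

# Constructed sample of `openssl x509 -in fullchain.pem -noout -dates` output.
# openssl pads single-digit days with a space ("Apr  1"); the parser tolerates that.
SAMPLE_DATES = """notBefore=Jan  1 00:00:00 2025 GMT
notAfter=Apr  1 00:00:00 2025 GMT
"""

# Constructed "current time" for the stand-alone run below.
NOW_SAMPLE = datetime(2025, 3, 10, tzinfo=timezone.utc)

# Constructed Apache error log sample: the first line is the warning this guide is about,
# the third is a made-up [ssl:error] line showing that entries without an AH code are caught too.
SAMPLE_LOG = """[Mon Jan 06 10:00:00.123456 2025] [ssl:warn] [pid 625] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Mon Jan 06 10:00:01.000000 2025] [mpm_event:notice] [pid 625] AH00489: Apache configured -- resuming normal operations
[Mon Jan 06 10:05:00.000000 2025] [ssl:error] [pid 700] [client 203.0.113.5:51234] constructed sample: handshake failed
"""

# mod_ssl lines: "[ssl:warn] [pid 625]" optionally followed by ":tid N", "[client ...]" and an AHnnnnn code.
SSL_LINE = re.compile(
    r"\[ssl:(warn|error|crit)\] \[pid \d+(?::tid \d+)?\](?: \[client [^\]]+\])? (?:(AH\d{5}): )?(.*)"
)


def parse_not_after(dates_output):
    """Return the notAfter timestamp as an aware UTC datetime."""
    for line in dates_output.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "notAfter":
            stamp = " ".join(value.split())  # collapse openssl's day padding
            if not stamp.endswith(" GMT"):
                raise ValueError("unexpected notAfter format: %r" % stamp)
            return datetime.strptime(stamp[:-4], "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    raise ValueError("no notAfter line in openssl output")


def days_until_expiry(dates_output, now):
    """Whole days from `now` until notAfter; negative once the certificate has expired."""
    return (parse_not_after(dates_output) - now).days


def expiry_alert(dates_output, now, threshold=ALERT_DAYS):
    """True when `threshold` days or fewer remain, i.e. renewal should already have happened."""
    return days_until_expiry(dates_output, now) <= threshold


def ssl_log_events(log_text):
    """(level, AH code or None, message) for every mod_ssl warn/error/crit line."""
    events = []
    for line in log_text.splitlines():
        m = SSL_LINE.search(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def san_mismatch_hosts(log_text):
    """ServerNames reported by AH01909, i.e. vhosts whose certificate does not match them."""
    return [msg.split(":")[0] for _, code, msg in ssl_log_events(log_text) if code == "AH01909"]


if __name__ == "__main__":
    left = days_until_expiry(SAMPLE_DATES, NOW_SAMPLE)
    print("days until expiry:", left, "ALERT" if expiry_alert(SAMPLE_DATES, NOW_SAMPLE) else "ok")
    for level, code, msg in ssl_log_events(SAMPLE_LOG):
        print("ssl:%s %s %s" % (level, code or "-", msg))
    print("vhosts with SAN mismatch:", san_mismatch_hosts(SAMPLE_LOG))
```

In a cron job or exporter, replace the constructed samples with the real `openssl x509 ... -noout -dates` output and `/var/log/apache2/talishar-error.log`, and pass `datetime.now(timezone.utc)` as `now`; an alert well before the 30-day mark usually means `certbot.timer` is not running or the renewal dry run is failing.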