
I'm really more of a front-end dev, so server config stuff is very new territory for me. Sorry if this is an easy question!

I'm running into some trouble trying to get my certbot-auto to generate an SSH key for multiple domains, pointing to one box.

I have 3-4 domains (domain1.net, domain2.io, domain3.me, domain4.codes), which are all pointing to the same Digital Ocean droplet.

Previously (a couple of months back), I had attempted this with letsencrypt directly (no certbot at that time). Somehow I got SSL working for all my domains, but they recently expired, and I'm now seemingly only able to renew domain1.net and not the rest.

I tried the following command:

./certbot-auto certonly -a webroot --agree-tos -w /var/www/domain1.net/public_html/ --expand -d domain1.net,www.domain1.net,domain2.io,www.domain2.io,domain3.me,www.domain3.me,domain4.codes,www.domain4.codes

...which SEEMED to work, I got the following:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Cert not yet due for renewal
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain1.net
http-01 challenge for www.domain1.net
http-01 challenge for domain2.io
http-01 challenge for www.domain2.io
http-01 challenge for domain3.me
http-01 challenge for www.domain3.me
http-01 challenge for domain4.codes
http-01 challenge for www.domain4.codes
Using the webroot path /var/www/domain1.net/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0012_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0012_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/domain1.net/fullchain.pem. Your cert will expire on 2017-02-20. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew *all* of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le

... OK, great! However, only domain1.net and www.domain1.net seem to be working... the other domains claim not to be using HTTPS!

I'm also seeing multiple files in the /etc/letsencrypt/live/ directory. I had attempted to get this working previously (using letsencrypt directly, not via certbot) and had it working until today, when they expired and refused to renew. This is what I see inside that directory:

tom@Personal:/opt$ sudo ls -la /etc/letsencrypt/live/
total 20
drwx------ 5 root root 4096 Nov 22 18:22 .
drwxr-xr-x 8 root root 4096 Nov 22 18:22 ..
drwxr-xr-x 2 root root 4096 Nov 22 18:41 domain1.net
drwxr-xr-x 2 root root 4096 Oct 16 00:00 domain1.net-0001
drwxr-xr-x 2 root root 4096 Nov 22 18:22 www.domain1.net

Hmm... not sure why there are multiple entries in there. Shouldn't there just be one?

Anyway, I'm not well versed enough in HTTPS / keys / nginx to figure this out and am ripping my hair out. I just want to get my SSL keys:

  1. working for all the above domains
  2. auto-renewing via certbot-auto renew

I'm not exactly sure where I am messing up here... any help is MUCH appreciated!

EDIT: this is what my server config block looks like in nginx:

server {
    # listen 80 default_server;
    # listen [::]:80 default_server ipv6only=on;

    # START LETS ENCRYPT ADDITIONS:
    listen 443 ssl;
    server_name domain1.net www.domain1.net domain2.io www.domain2.io domain3.me www.domain3.me domain4.codes www.domain4.codes;
    ssl_certificate /etc/letsencrypt/live/www.domain1.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.domain1.net/privkey.pem; # managed by Certbot
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    # /END LETS ENCRYPT ADDITION

    root /var/www/domain1.net/public_html;
    index index.php index.html index.htm;

    # FOR LETSENCRYPT AUTO-RENEWAL, we must give it access to /.well-known
    location ~ /.well-known {
        allow all;
    }
    # /END LETSENCRYPT AUTO_RENEWAL

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }
}
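The symptom in the question (one name works over HTTPS, the others do not, and several directories under /etc/letsencrypt/live/) is exactly the situation where you want to check which names the certificate nginx actually references covers. The script below is an added example, not part of the original post: it reads the ssl_certificate path and server_name list out of an nginx server block and lists every name missing from that certificate's subjectAltName. It assumes only openssl, sed and grep are installed; the domain names, config file and self-signed certificate it builds in a temporary directory are constructed test data, not the poster's real files.

```shell
#!/bin/sh
# Added example (not from the original post): does the certificate an nginx
# server block points at cover every name in its server_name line?
# Only openssl, sed and grep are needed. All names and paths below are
# constructed test data, not the poster's real files.
set -eu

# cert_sans FILE: print the DNS subjectAltName entries of a PEM cert, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# cert_missing FILE NAME...: print each NAME not covered by FILE; return 1 if any.
cert_missing() {
  cert=$1; shift
  have=$(cert_sans "$cert")
  rc=0
  for name in "$@"; do
    if ! printf '%s\n' "$have" | grep -qxF "$name"; then
      printf '%s\n' "$name"; rc=1
    fi
  done
  return $rc
}

# nginx_check CONF: take the first ssl_certificate and server_name directives in
# CONF and report which server_name entries that certificate does not cover.
nginx_check() {
  conf=$1
  cert=$(sed -n 's/^[[:space:]]*ssl_certificate[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$conf" | head -n 1)
  names=$(sed -n 's/^[[:space:]]*server_name[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$conf" | head -n 1)
  # word-splitting of $names into separate arguments is intended here
  cert_missing "$cert" $names
}

# make_test_cert DIR NAME...: self-signed cert with the given SANs (test fixture
# only; a real deployment would use the fullchain.pem issued by Let's Encrypt).
make_test_cert() {
  dir=$1; shift
  sans=$(printf 'DNS:%s,' "$@"); sans=${sans%,}
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n[dn]\nCN=%s\n[ext]\nsubjectAltName=%s\n' \
    "$1" "$sans" > "$dir/san.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/san.cnf" \
    -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1
}

# Demo: a certificate that only covers domain1.net, referenced by a server block
# listing four names, reproduces the "other domains not using HTTPS" symptom.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir" domain1.net www.domain1.net
cat > "$demo_dir/site.conf" <<EOF
server {
    listen 443 ssl;
    server_name domain1.net www.domain1.net domain2.io www.domain2.io;
    ssl_certificate $demo_dir/fullchain.pem;
    ssl_certificate_key $demo_dir/privkey.pem;
}
EOF
echo "server_name entries not covered by the referenced certificate:"
nginx_check "$demo_dir/site.conf" || true
rm -r "$demo_dir"
```

Run it against a real host as `nginx_check /etc/nginx/sites-enabled/default` (or whichever file holds the server block); an empty list means the certificate nginx is serving carries every name. If names are listed, either the wrong /etc/letsencrypt/live/ directory is referenced or the certificate in it was issued for fewer names than the server block advertises.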

1 Answer


Just wanted to follow up - I got this working!

Turns out my command was correct, but I was misusing the -d flag: it needs to be applied for each domain separately. So the corrected command:

./certbot-auto certonly -a webroot --agree-tos -w /var/www/domain1.net/public_html/ --expand -d domain1.net,www.domain1.net -d domain2.io,www.domain2.io -d domain3.me,www.domain3.me -d domain4.codes,www.domain4.codes

1 Comment

Great! But what if you have over 100 domains? Could you still do it this way through one certificate with Let's Encrypt? I understand if you don't know the answer.
