I have a CentOS 7 server with nginx running. I have two domains on a certificate currently and want to add an additional two domains now, at a later date. How can I add them in?
I have tried running `--expand` as specified in the documentation:
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
I’ve also tried creating a new certificate for just the new domains.
@schoen So I should be ignoring/not worrying about running the `--expand` option?
Okay, so I tried opening the file, and no wonder it's broken. It had no contents in the file at all; I'm not sure why that is. I did also notice that there was a newdomain.io-0001.conf file as well. This one has contents inside of it and I will paste them below:
```
# renew_before_expiry = 30 days
version = 0.9.3
cert = /etc/letsencrypt/live/newdomain.io-0001/cert.pem
privkey = /etc/letsencrypt/live/newdomain.io-0001/privkey.pem
chain = /etc/letsencrypt/live/newdomain.io-0001/chain.pem
fullchain = /etc/letsencrypt/live/newdomain.io-0001/fullchain.pem
```
Okay, I tried copying the contents from the -0001.conf to the empty one.
I then ran the above command with no errors and it showed success. I reloaded nginx and still showing not secure for the domain.
The contents of newdomain.io.conf file are below (I just removed the -0001 from the path names):
```
# renew_before_expiry = 30 days
version = 0.9.3
cert = /etc/letsencrypt/live/newdomain.io/cert.pem
privkey = /etc/letsencrypt/live/newdomain.io/privkey.pem
chain = /etc/letsencrypt/live/newdomain.io/chain.pem
fullchain = /etc/letsencrypt/live/newdomain.io/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 62f3099187531d92b9c15bd17ebc7872
[[webroot_map]]
newdomain.io = /var/www/newdomain.io/html
www.newdomain.io = /var/www/newdomain.io/html
```
That is going to horribly confuse Certbot unless you also removed the -0001 everywhere that it appeared (which maybe is what you were saying that you did—I'm not sure whether you meant that you removed it in the file itself or just in the version that you posted here).
Basically the
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
is the most likely explanation for the fact that your new domain still doesn't appear in HTTPS. Configuring nginx to use a certificate is a separate, independent step from obtaining the certificate. (When you obtain the certificate, it's just a file on disk and nginx doesn't know about it—even if you configured it in one virtual host, nginx doesn't automatically realize that it should be used for other virtual hosts too!) So, you would need to edit your virtual host configuration for the insecure host to point it at this certificate in the way that you may have done with your original certificate.
Because of the issue about the -0001, I would suggest running `certbot certificates` to see which certificates you have and see if they match up with your expectations, as well as whether one or both is actually used by nginx. You can potentially delete the one that isn't the one that you wanted, in order to reduce future potential confusion (the recommended way is to use `certbot delete`, after using a `grep -r` in /etc/nginx to make sure that there are no references to the certificate that you're planning to delete).
Regarding the 0001.conf and possible confusion. Yes, that is what I was trying to say I did. I deleted the 0001.conf file and moved the contents to the empty one and removed the -0001 from everywhere.
I have tried running `certbot certificates` but it is returning: `certbot: error: unrecognized arguments: certificates`
What you are saying does make sense though and I have made some progress!
Within my /etc/nginx/conf.d path I have a ssl.conf file.
I have added in my new domain to the server_name and voila it is now showing up as secured!
Buttt, there is one issue still. When I load the new domain although it is secured it is showing the content of the other domains.
When I look inside the ssl.conf I see that in the server block the root path, `ssl_certificate` and `ssl_certificate_key` are set to the other domain. Is it possible to add two paths?
Below is the content within ssl.conf; domains have been changed to olddomain and newdomain.
```nginx
server {
    listen 443 http2 ssl;
    server_name olddomain.net www.olddomain.net olddomain.ca www.olddomain.ca newdomain.io www.newdomain.io;
    ssl_certificate /etc/letsencrypt/live/olddomain.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/olddomain.net/privkey.pem;
    ########################################################################
    # from https://cipherli.st/                                            #
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html #
    ########################################################################
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Disable preloading HSTS for now. You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    ##################################
    # END https://cipherli.st/ BLOCK #
    ##################################
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    location ~ /.well-known {
        allow all;
    }
    # The rest of your server block
    root /var/www/olddomain.net/html;
    index index.php index.html index.htm;
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```
In that case you have a pretty old Certbot, which might also explain why it can't install this certificate in nginx for you.
It looks like what you did was to combine all of your virtual hosts into one configuration stanza (that server { ... block inside your ssl.conf file that you posted).
In order to have domains show different content, they need to be the subjects of separate server { directives in nginx. That is true even if they are HTTPS sites and even if they are covered by the same certificate. You would need to make one server block for the old domain and a separate server block for the new domain, while both can point to the same fullchain.pem and privkey.pem file if your certificate now covers both domains. Then, the other directives such as root that tell nginx where to look for the site content can be different between one server and another.
There are more advanced nginx configuration techniques that could in principle allow only a single server block (where there would be conditional directives that change the document root according to what domain name was accessed), but I would not suggest trying to figure any of that stuff out, but instead simply making separate server blocks for each separate domain with separate content.
nginx is able to figure out which server block is applicable to a particular inbound connection on the basis of the specified hostname (in SNI for HTTPS or using the Host: header for HTTP) even when the various server blocks request listening on the same port number and same IP address.
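Here is what the split into separate server blocks looks like in practice. This is an added example written for this thread, not the poster's ssl.conf and not Certbot's output; the file path, document roots and the choice to hoist the shared TLS settings to the `http` level (where a conf.d file's top-level directives live) are assumptions. Both blocks point at the same Let's Encrypt lineage, which works once that certificate covers both names, and nginx selects the block from the SNI hostname.

```nginx
# Assumed file: /etc/nginx/conf.d/ssl.conf (example, not the poster's file).
# Directives at the top level of a conf.d file are in the http context, so
# anything set here applies to every server block below unless overridden.

# One certificate lineage that covers olddomain.net and newdomain.io.
ssl_certificate     /etc/letsencrypt/live/olddomain.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/olddomain.net/privkey.pem;
ssl_dhparam         /etc/ssl/certs/dhparam.pem;

ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;

# Site 1: the original domain, with its own document root.
server {
    listen 443 ssl http2;
    server_name olddomain.net www.olddomain.net;

    root  /var/www/olddomain.net/html;   # assumed path
    index index.html index.htm;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    # Prefix match (^~) keeps the ACME challenge path reachable for
    # webroot renewals without the regex location taking precedence.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }
}

# Site 2: the new domain. Same certificate, different content.
server {
    listen 443 ssl http2;
    server_name newdomain.io www.newdomain.io;

    root  /var/www/newdomain.io/html;    # matches the webroot_map entry
    index index.html index.htm;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }
}
```

Check the result with `nginx -t` before `systemctl reload nginx`; a typo in one block takes every site on the server down otherwise. The `add_header` lines are repeated in each block deliberately: nginx only inherits them from an outer level when the inner level sets none, so putting them once at the top and adding one more header in a single server block would silently drop the rest there. The example keeps only TLSv1.2 where the posted config also allowed TLSv1 and TLSv1.1; that is a hardening choice, not something the thread requires.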
Okay, great!
So I can duplicate that full block above and place it under the initial block within the same ssl.conf file and that should do the trick? Will try when I get home to see if it worked, just wanted to confirm that I am understanding it correctly.
It’s become more fashionable to put the server blocks in separate files because it makes it easier to enable and disable individual sites and to see which sites you have (particularly on servers that may host dozens or hundreds of different sites). But yes!
Of course, you need to make the root point to the document root for the other document, or apply any other configuration directives that make the domains’ behavior different from one another.
Also, we’re wondering about the reason for the empty renewal configuration file. If you don’t know why it was empty, would you be willing to share your logs from /var/log/letsencrypt in case they might reveal the reason?