Apache plugin misconfiguration, how to fix it


#1

I’m using Apache2 as a reverse proxy for my different Tomcat web servers.
I first created a certificate by using the Apache plugin (--test-cert) for one site, using its DNS domain name (confluence.projet-okinawa.ch).
Note that I disabled the generated site (xxx-le-ssl.conf) and recreated and enabled a virtual host configuration confluence.projet-okinawa.ch.conf by copy/pasting the letsencrypt parameters into mine (port redirection, proxy).
Everything was working fine.
I decided to add a second site. Because the sites' URLs are different, I used the FQDN of my server (os-vs276.projet-okinawa.org) as the first domain name for the certificate and added the two supplemental domains (multi-domain).
Letsencrypt was somewhat lost because no os-vs276.projet-okinawa.org was defined as a ServerName.
I created a site configuration for os-vs276.projet-okinawa.org that will be used as a default web site.
Letsencrypt created a new certificate for both domains. In /etc/letsencrypt/live I now have two directories (os-vs276.projet-okinawa.org and confluence.projet-okinawa.ch).
When I added a new domain again (-d os-vs276.projet-okinawa.org -d confluence.projet-okinawa.ch -d jira.projet-okinawa.ch), letsencrypt asks me to expand and adds the new certificate in confluence.projet-okinawa.ch instead of os-vs276.projet-okinawa.org. It systematically takes confluence.projet-okinawa.ch.conf as the reference from Apache.

Is there a way to generate the new key by using the Apache plugin (I will add servers one by one for testing) in /etc/letsencrypt/live/os-vs276.projet-okinawa.org, which is more relevant?

Even without the Apache plugin, with the certonly --standalone plugin the certificate and keys are still stored in the bad directory (bad for me).

ubuntu@os-vps276:/opt/letsencrypt$ ./letsencrypt-auto certonly --standalone --test-cert -d os-vps276.projet-okinawa.org -d confluence.projet-okinawa.ch -d jira.projet-okinawa.ch -d www.projet-okinawa.ch -d openam.projet-okinawa.ch -d repo.projet-okinawa.ch --standalone-supported-challenges http-01 --http-01-port 9999 --renew-by-default --email support@projet-okinawa.ch --agree-tos
Checking for new version…
Requesting root privileges to run letsencrypt…
sudo /home/ubuntu/.local/share/letsencrypt/bin/letsencrypt certonly --standalone --test-cert -d os-vps276.projet-okinawa.org -d confluence.projet-okinawa.ch -d jira.projet-okinawa.ch -d www.projet-okinawa.ch -d openam.projet-okinawa.ch -d repo.projet-okinawa.ch --standalone-supported-challenges http-01 --http-01-port 9999 --renew-by-default --email support@projet-okinawa.ch --agree-tos

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/confluence.projet-okinawa.ch/fullchain.pem.
    Your cert will expire on 2016-07-25. To obtain a new version of the
    certificate in the future, simply run Let’s Encrypt again.

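A check worth running before deciding whether the client should expand an existing lineage or create a new one: the script below (an added example, not from the post or from the Let's Encrypt client) lists which lineage directory under a live/ root covers which DNS names, by reading the SANs out of each cert.pem. It assumes openssl is installed; make_demo_live builds a constructed live/ tree with self-signed certificates that mirror the two lineages in the post, so it runs without touching /etc/letsencrypt.

```shell
#!/bin/sh
# Map each lineage directory under a certbot-style "live" root to the DNS
# names its cert.pem actually covers, using only sh and openssl.

# list_lineages LIVE_ROOT -> one line per lineage: "<lineage>: <dns1> <dns2> ..."
list_lineages() {
  for dir in "$1"/*/; do
    [ -f "$dir/cert.pem" ] || continue
    # Pull the "DNS:a, DNS:b" line that follows the SAN header in -text output.
    sans=$(openssl x509 -in "$dir/cert.pem" -noout -text \
           | grep -A1 'Subject Alternative Name' | tail -n 1 \
           | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p' | tr '\n' ' ')
    printf '%s: %s\n' "$(basename "$dir")" "${sans% }"
  done
}

# lineage_for_domain LIVE_ROOT DOMAIN -> prints every lineage whose cert covers DOMAIN
lineage_for_domain() {
  list_lineages "$1" | awk -v d="$2" \
    '{ for (i = 2; i <= NF; i++) if ($i == d) { sub(/:$/, "", $1); print $1 } }'
}

# make_demo_live DIR -> constructed live/ tree (self-signed, NOT real Let's Encrypt certs)
# reproducing the post: the confluence lineage was expanded to also carry the
# server FQDN, while a separate FQDN-named lineage holds only the FQDN.
make_demo_live() {
  mk() { # mk ROOT LINEAGE_NAME "DNS:x,DNS:y"
    mkdir -p "$1/$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
      -addext "subjectAltName=$3" \
      -keyout "$1/$2/privkey.pem" -out "$1/$2/cert.pem" >/dev/null 2>&1
  }
  mk "$1" confluence.projet-okinawa.ch \
     "DNS:confluence.projet-okinawa.ch,DNS:os-vps276.projet-okinawa.org"
  mk "$1" os-vps276.projet-okinawa.org "DNS:os-vps276.projet-okinawa.org"
}
```

Run `list_lineages /etc/letsencrypt/live` on the proxy host to see which directory already covers a name; a domain that appears in two lineages is the situation the client keys on when it offers to expand.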