Certbot: Not getting separate certificates

We have a dedicated server with Debian 8.5 and Apache running.

When using the command:

certbot --apache -w /var/www/domain1/ -d domain1.com

https works fine for domain1

When repeating that for domain2:

certbot --apache -w /var/www/domain2/ -d domain2.com

https for domain1 will not work anymore (Browser says certificate does not match domain). And https for domain2 works now.

What happened?
Obviously certbot has overwritten the first certificate instead of creating a second one for domain2.

So how do I manage to get two different certificates for domain1 and domain2 in this scenario?

No, almost certainly that is not what's happened. What's most likely happened is that certbot created a new certificate for domain2.com, but then changed your apache configuration to only use that certificate. You have two options that I can see:

  • Adjust your Apache config to use the correct cert for each hostname, if you want to use SNI
  • Create a single cert covering all hostnames you want to use ('certbot --apache -w /var/www/domain1 -d domain1.com -w /var/www/domain2 -d domain2.com')
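As an added illustration of the two options above (not part of the original thread or of certbot's own code), the script below generates self-signed test certificates (constructed data, standing in for the ones certbot would issue) and runs the same hostname check a browser performs when it reports "certificate does not match domain". It shows the OP's symptom (domain1 served with domain2's certificate), shows that one multi-SAN certificate validates for domain2 even though its CN reads domain1.com, and prints the two-vhost Apache layout that makes SNI pick a separate certificate per hostname. Assumptions: openssl 1.1.1 or newer (for `-addext`), grep with `-A`, and certbot's standard `/etc/letsencrypt/live/<name>/` paths; the vhost fragment is an illustration, not the configuration certbot writes.

```shell
#!/bin/sh
# Added example, not from the thread. Offline demonstration of the hostname
# check behind "certificate does not match domain", using self-signed test
# certificates (constructed data) in place of the ones certbot would issue.
# Requires openssl >= 1.1.1 (for -addext) and GNU/BusyBox grep (-A).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert <outprefix> <cn> <san>...: self-signed cert with that CN and SAN list.
make_cert() {
    prefix=$1; cn=$2; shift 2
    san=
    for h in "$@"; do san="${san:+$san,}DNS:$h"; done
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
        -addext "subjectAltName=$san" \
        -keyout "$prefix.key" -out "$prefix.crt" >/dev/null 2>&1
}

# cert_cn <cert>: the CN, i.e. what a browser's certificate dialog shows first.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_names <cert>: the DNS names in the SAN extension, one per line.
# A browser matches the hostname against these; the CN is only a fallback for
# certificates with no SAN at all (and modern browsers ignore it entirely).
cert_names() {
    sans=$(openssl x509 -in "$1" -noout -text \
           | grep -A1 'Subject Alternative Name' | tail -n1 \
           | tr ',' '\n' | sed -n 's/^ *DNS://p')
    if [ -n "$sans" ]; then printf '%s\n' "$sans"; else cert_cn "$1"; fi
}

# cert_matches <cert> <hostname>: exit 0 if the cert is valid for <hostname>
# (exact match only; wildcard names are not handled here).
cert_matches() {
    cert_names "$1" | grep -qx "$2"
}

# sni_vhosts <host>...: Apache 2.4 layout for option 1 (illustrative, assumed
# certbot lineage paths): one <VirtualHost> per hostname on :443, each with its
# own certificate. Apache picks the vhost, and so the cert, from the SNI name.
sni_vhosts() {
    for h in "$@"; do
        cat <<EOF
<VirtualHost *:443>
    ServerName $h
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/$h/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$h/privkey.pem
</VirtualHost>
EOF
    done
}

# report <cert> <hostname>: one line in the style of a browser's verdict.
report() {
    if cert_matches "$1" "$2"; then r=OK; else r="MISMATCH (browser error)"; fi
    printf '%-40s %-12s CN=%-12s %s\n' "$(basename "$1")" "$2" "$(cert_cn "$1")" "$r"
}

# Option 1: one certificate per host, to be selected by SNI.
make_cert "$WORK/d1" domain1.com domain1.com
make_cert "$WORK/d2" domain2.com domain2.com
# Option 2: one certificate whose SAN lists both hosts; the first -d name is the CN.
make_cert "$WORK/both" domain1.com domain1.com domain2.com

# The OP's symptom: after the second certbot run, domain1 is served domain2's cert.
report "$WORK/d1.crt" domain1.com
report "$WORK/d2.crt" domain1.com
# With one multi-SAN cert, domain2 validates although the CN still says domain1.com.
report "$WORK/both.crt" domain2.com

# The per-host vhost layout that keeps both certificates in use at once.
sni_vhosts domain1.com domain2.com
```

Run it on any machine with a recent openssl; nothing touches the network or the real Apache configuration. The `cert_matches` check is the reason option 2 produces no browser error: validation is against the SAN list, and the CN only becomes visible to someone who opens the certificate details.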

How do I do that? What does SNI mean?

And if I follow your option 2: what is the difference to my way (see above)? And won't that result in one certificate for multiple domains (which would work but is not a good solution, because users see the wrong domain in the certificate details, as only the main domain is shown)?

Yes, it will result in one certificate for multiple domains. This will not cause an error. If your users are going to be checking out the certificate details even without seeing an error, noticing that the "common name" field doesn't match the hostname they're using, but not be savvy enough to recognize that a cert can cover more than one hostname, I'd think they're pretty unique. Why do you think your users will be checking out the certificate details of your site? Why do you think they'd be concerned that the CN field doesn't match the domain?

For an example of how it would look, visit start [danb35's Wiki]. The "subject" or "cn" of that cert is a different domain, but you don't get any indication or warning of that unless you specifically go digging.

As to your other question, http://lmgtfy.com/?q=apache+sni+configuration

I agree with @danb35 that this is what has probably happened. However, Certbot should not be doing this. It should be updating the Apache configuration in a way that allows both certificates to work at the same time.

If you're able to figure out what has happened by looking at the Apache configuration, it would be helpful for us to know because it might be a bug in Certbot.

Which part of the Apache configuration do you need?
