Correct approach for multiple domains - one cert or several?



I’m having lots of trouble getting multiple certificates working on my server, using CentOS 6 and Apache 2.2.15.

I have several domains, some with lots of subdomains - for example:

I had thought I should get separate certificates for each domain, so I tried this:

./certbot-auto --apache -d -d

./certbot-auto --apache -d -d

In both cases, I ultimately managed to get certs created:

Congratulations! You have successfully enabled and

Congratulations! You have successfully enabled and

However, I can’t get both certs working at the same time. Every time I tweak the individual virtual host config files and then try to reload, one works and one fails. The one that fails tells me the cert is only good for the other domain: uses an invalid security certificate. The certificate is only valid for the following names:,

My individual conf files look like this:


<VirtualHost *:80>
    DocumentRoot /var/www/vhost/cooldomain
    ErrorLog logs/cooldomain-error_log
    CustomLog logs/cooldomain-access_log common
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /var/www/vhost/cooldomain
    ErrorLog logs/cooldomain-error_log
    CustomLog logs/cooldomain-access_log common

    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/
</VirtualHost>


Am I taking the right approach? Should I have a separate cert for each domain (1 for, one for, and so on)?

Or should I do the whole thing as one cert covering,, and all of their individual subdomains?

If I’m taking the right approach with one cert per domain, can you suggest any ways to track down the cause of the “only valid for the other domain” error messages? I’ve searched as many pages here and at other sites as I can, and nothing I’ve tried has helped.

Thank you very much.

By the way, is there any way to turn off the site’s search feature? It overrides my browser’s search and makes it impossible to use ordinary page search.


Hello @Kris7,

I suppose that is because you don’t have a NameVirtualHost *:443 directive defined and/or your default-ssl config file doesn’t contain <VirtualHost *:443>.

Check what is defined for both directives: go to your Apache root conf dir (/etc/apache or /etc/httpd or whatever it is on CentOS 6) and execute these commands:

grep -ri VirtualHost *
grep -ri NameVirtualHost *

This will show whether you have defined a VirtualHost with an IP or an *, and the same for NameVirtualHost; you should have all of them as *:443.

Also, you should check the Apache error log files; maybe they will show you more info about the issue.

The approach is not right or wrong; it is up to you. Anyway, if you have a lot of subdomains, you should be careful with Let’s Encrypt rate limits. Maybe for those you want to add all of them to one cert instead of one per subdomain, because you could reach the limits.

It is a feature of the forum software “Discourse”… you can press Ctrl-F twice and you will get what you want, the browser search bar, but keep in mind that Discourse doesn’t show all the content of the page you are seeing, so your browser couldn’t be accurate ;).



Hi sahsanu,

Thank you so much for your very helpful reply!

Those specific grep commands gave me a lot to work with.

I had NameVirtualHost in my /etc/httpd/ports.conf file, but I changed it to NameVirtualHost *:443 just in case that would help. (It hasn’t, but it probably doesn’t hurt.)

I am seeing this in the logs:

[warn] _default_ VirtualHost overlap on port 443, the first has precedence

I will do some additional searching to see if I can find out how to fix that, but do you have any suggestions on how to resolve the overlap?

Thank you again. I really appreciate your help!


Hi @Kris7

Did you check your default-ssl conf file? It could have a <VirtualHost _default_:443> directive. Change _default_ to * or, if you don’t need that default-ssl conf file, disable it.
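
The checks suggested in the replies above, automated as an added example (not part of the original posts): it scans Apache 2.2 config text for port-443 vhosts whose address is not *:443 (such as _default_:443) and for a missing NameVirtualHost *:443. The ServerName check goes beyond the thread and rests on the fact that name-based vhosts are selected by ServerName/ServerAlias; the sample files, paths and host name are constructed.

```python
import re

# Constructed sample configs (file name -> contents); the host name is a placeholder.
SAMPLE = {
    "conf.d/ssl.conf": "<VirtualHost _default_:443>\n  SSLEngine on\n</VirtualHost>\n",
    "conf.d/site-a.conf": "NameVirtualHost *:443\n<VirtualHost *:443>\n"
                          "  ServerName www.example.com\n</VirtualHost>\n",
    "conf.d/site-b.conf": "# second site\n<VirtualHost *:443>\n"
                          "  DocumentRoot /var/www/vhost/b\n</VirtualHost>\n",
}

# Directive name plus its first argument (only the first address of a vhost is read).
DIRECTIVE = re.compile(
    r"^\s*(<VirtualHost|NameVirtualHost|ServerName|</VirtualHost)\b\s*([^>\s]*)", re.I)

def audit(files, port="443"):
    """Return a list of findings for vhosts on `port`, following the replies above."""
    want = "*:" + port
    findings, name_vhost_seen = [], False
    for path, text in sorted(files.items()):
        block = None  # [start line, address, has ServerName] while inside a vhost
        for lineno, line in enumerate(text.splitlines(), 1):
            m = DIRECTIVE.match(line)
            if not m:
                continue  # comments and unrelated directives
            kind, arg = m.group(1).lower(), m.group(2)
            if kind == "namevirtualhost" and arg == want:
                name_vhost_seen = True
            elif kind == "<virtualhost" and arg.endswith(":" + port):
                block = [lineno, arg, False]
                if arg != want:  # e.g. _default_:443 or an IP address
                    findings.append(f"{path}:{lineno}: <VirtualHost {arg}> should be {want}")
            elif kind == "servername" and block:
                block[2] = True
            elif kind == "</virtualhost":
                if block and not block[2]:
                    findings.append(f"{path}:{block[0]}: vhost {block[1]} has no ServerName")
                block = None
    if not name_vhost_seen:
        findings.append(f"no 'NameVirtualHost {want}' found")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To run it against a real server, build the `files` dict from the .conf files under the Apache config directory instead of `SAMPLE`.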


