Correct approach for multiple domains - one cert or several?

Hi,

I’m having lots of trouble getting multiple certificates working on my server, using CentOS 6 and Apache 2.2.15.

I have several domains, some with lots of subdomains - for example:

cooldomain.com
niftydomain.com
superdomain.com
test1.superdomain.com
test2.superdomain.com
staging.superdomain.com
editing.superdomain.com
www.superdomain.com
weirdjavaapp.superdomain.com

I had thought I should get separate certificates for each domain, so I tried this:

./certbot-auto --apache -d cooldomain.com -d www.cooldomain.com

./certbot-auto --apache -d niftydomain.com -d www.niftydomain.com

In both cases, I ultimately managed to get certs created:

Congratulations! You have successfully enabled https://cooldomain.com and
https://www.cooldomain.com

Congratulations! You have successfully enabled https://niftydomain.com and
https://www.niftydomain.com

However, I can’t get both certs working at the same time. Every time I tweak the individual virtual host config files and then try to reload, one works and one fails. The one that fails tells me the cert is only good for the other domain:

www.niftydomain.com uses an invalid security certificate. The certificate is only valid for the following names: cooldomain.com, www.cooldomain.com

My individual conf files look like this:

cooldomain-com.conf

<VirtualHost *:80>
    DocumentRoot /var/www/vhost/cooldomain
    ServerName cooldomain.com
    ServerAlias www.cooldomain.com
    ErrorLog logs/cooldomain-error_log
    CustomLog logs/cooldomain-access_log common
</VirtualHost>

cooldomain-com-le-ssl.conf

<VirtualHost *:443>
    DocumentRoot /var/www/vhost/cooldomain
    ServerName cooldomain.com
    ServerAlias www.cooldomain.com
    ErrorLog logs/cooldomain-error_log
    CustomLog logs/cooldomain-access_log common

    SSLCertificateFile /etc/letsencrypt/live/cooldomain.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cooldomain.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/cooldomain.com/chain.pem
</VirtualHost>

So:

Am I taking the right approach? Should I have a separate cert for each domain (1 for niftydomain.com, one for cooldomain.com, and so on)?

Or should I do the whole thing as one cert covering niftydomain.com, cooldomain.com, superdomain.com and all of their individual subdomains?

If I’m taking the right approach with one cert per domain, can you suggest any ways to track down the cause of the “only valid for the other domain” error messages? I’ve searched as many pages here and at other sites as I can, and nothing I’ve tried has helped.

Thank you very much.

By the way, is there any way to turn off the site’s search feature? It overrides my browser’s search and makes it impossible to use ordinary page search.

Hello @Kris7,

I suppose that is because you don't have a NameVirtualHost *:443 directive defined and/or your default-ssl config file doesn't contain <VirtualHost *:443>.

Check what is defined for both directives: go to your Apache root conf dir (/etc/apache or /etc/httpd or whatever it is on CentOS 6) and execute these commands:

grep -ri VirtualHost *
grep -ri NameVirtualHost *

This will show whether you have defined a VirtualHost with an IP or an *, and the same for NameVirtualHost; you should have all of them as *:443.

Also, you should check the Apache error log files, maybe they will show you more info about the issue.

There is no right or wrong approach; it is up to you. Anyway, if you have a lot of subdomains you should take care of Let's Encrypt rate limits; maybe for those you want to add all of them in one cert instead of one per subdomain, because you could reach the limits.

It is a feature of the forum software "Discourse"... you can press Ctrl-F twice and you will get what you want, the browser search bar, but keep in mind that Discourse doesn't show all the content of the page you are seeing, so your browser search might not be accurate ;).

Cheers,
sahsanu


Hi sahsanu,

Thank you so much for your very helpful reply!

Those specific grep commands gave me a lot to work with.

I had NameVirtualHost 23.253.94.42:443 in my /etc/httpd/ports.conf file, but I changed it to NameVirtualHost *:443 just in case that would help. (It hasn’t, but it probably doesn’t hurt.)

I am seeing this in the logs:

[warn] _default_ VirtualHost overlap on port 443, the first has precedence

I will do some additional searching to see if I can find out how to fix that, but do you have any suggestions on how to resolve the overlap?

Thank you again. I really appreciate your help!

Hi @Kris7

Did you check your default-ssl conf file? It could have a <VirtualHost _default_:443> directive. Change _default_ to *, or if you don't need that default-ssl conf file, disable it.

Cheers,
sahsanu
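The two checks sahsanu describes in this thread (the grep for NameVirtualHost and VirtualHost addresses in the first reply, and the <VirtualHost _default_:443> fix in the last one) can be turned into a small audit script. This is an added example, not code from the original posts or from certbot; it builds a constructed CentOS 6 style conf tree in a temp directory (the IP 192.0.2.10, the file names and the function names audit_ssl_vhosts, fix_ssl_vhosts and make_sample_tree are all assumptions made for the example), reports the two mismatches that produce the "_default_ VirtualHost overlap on port 443" warning, and rewrites them to *:443 the way the replies suggest.

```shell
#!/bin/sh
# Added example (not from the thread): audit Apache 2.2 conf files for the
# two mismatches that make name-based SSL vhosts collide on port 443.
set -u

# Build a constructed sample conf tree that reproduces the poster's situation:
# NameVirtualHost bound to an IP, a stock ssl.conf with _default_:443, and two
# certbot-style vhosts on *:443. Paths, IP and domains are made up.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/conf.d"
    cat > "$dir/ports.conf" <<'EOF'
Listen 80
Listen 443
NameVirtualHost 192.0.2.10:443
EOF
    cat > "$dir/conf.d/ssl.conf" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>
EOF
    cat > "$dir/conf.d/cooldomain-com-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName cooldomain.com
    SSLCertificateFile /etc/letsencrypt/live/cooldomain.com/cert.pem
</VirtualHost>
EOF
    cat > "$dir/conf.d/niftydomain-com-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName niftydomain.com
    SSLCertificateFile /etc/letsencrypt/live/niftydomain.com/cert.pem
</VirtualHost>
EOF
    printf '%s\n' "$dir"
}

# Print one line per problem and return the number of problems found.
# Check 1: Apache 2.2 only does SNI/name-based matching on an address that has
#          a NameVirtualHost line, so *:443 vhosts need "NameVirtualHost *:443".
# Check 2: every <VirtualHost ...:443> must use the same address; a
#          _default_:443 or IP:443 vhost next to *:443 ones overlaps, and the
#          first one loaded then answers for every SSL name.
audit_ssl_vhosts() {
    root=$1
    problems=0
    nvh=$(find "$root" -name '*.conf' -exec grep -iH 'NameVirtualHost' {} + \
          | grep ':443' || true)
    case "$nvh" in
        '') echo "MISSING: no NameVirtualHost for port 443"; problems=$((problems + 1)) ;;
        *'*:443'*) ;;                       # literal "*:443" present: fine
        *) echo "BAD: NameVirtualHost is not *:443 -> $nvh"; problems=$((problems + 1)) ;;
    esac
    bad_vhosts=$(find "$root" -name '*.conf' -exec grep -iH '<VirtualHost[^>]*:443' {} + \
                 | grep -v '<VirtualHost \*:443>' || true)
    if [ -n "$bad_vhosts" ]; then
        printf '%s\n' "$bad_vhosts" | sed 's/^/OVERLAP: /'
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Apply the fix from the thread: bind NameVirtualHost to *:443 and rewrite
# any <VirtualHost _default_:443> to <VirtualHost *:443>. Paths from mktemp
# contain no whitespace, so plain word splitting of find output is safe here.
fix_ssl_vhosts() {
    root=$1
    for f in $(find "$root" -name '*.conf'); do
        sed -i.bak \
            -e 's/^\([[:space:]]*NameVirtualHost\)[[:space:]][[:space:]]*[^[:space:]]*:443/\1 *:443/' \
            -e 's/<VirtualHost[[:space:]][[:space:]]*_default_:443>/<VirtualHost *:443>/' "$f"
        rm -f "$f.bak"
    done
}

# Demo: audit the broken tree, fix it, audit again.
tree=$(make_sample_tree)
if audit_ssl_vhosts "$tree"; then echo "clean"; else echo "problems found, fixing"; fi
fix_ssl_vhosts "$tree"
if audit_ssl_vhosts "$tree"; then echo "clean after fix"; fi
rm -rf "$tree"
```

On a real box, point audit_ssl_vhosts at /etc/httpd (the script never reads it on its own) and, after fixing, run `apachectl configtest` and reload; the "_default_ VirtualHost overlap" warning should be gone from the error log. Disabling the distribution's ssl.conf vhost instead of rewriting it is equally valid, as the last reply notes.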
