Creating separate domain/cert groups on same server with multiple IPs


#1

I am trying to set up certificates such that on a single server:

The sites are functional, with IP1 having a Let’s Encrypt SSL cert attached to it.
IP2 currently doesn’t have any certs bound to it.

I saw this in searching:

… and it seemed to suggest that I should be able to create multiple ACME accounts, so I ran this command:

# certbot register -m user@example.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
There is an existing account; registration of a duplicate account with this command is currently unsupported.

My web server is (include version): Apache 2.4.27

The operating system my web server runs on is (include version): Ubuntu 17.10

I can login to a root shell on my machine

I am not using a control panel to manage my site.

How should one go about having two separate groups of certificates?


#2

Certbot doesn’t need multiple accounts for multiple certificates. Unless you want to have the cert ‘coupled’ to a different email address.

I didn’t know the command doesn’t actually work, by the way. The documentation of certbot didn’t mention it.


#3

Hi @ADFHogan,

I did not use it myself so I don’t know if it works smoothly but you can do the following:

1.- Rename your original accounts directory:

mv /etc/letsencrypt/accounts/ /etc/letsencrypt/accounts.original

2.- Register a new account with a new mail:

certbot register -m user@example.com

3.- Copy the contents of original accounts dir to the new created one:

cp -prf /etc/letsencrypt/accounts.original/* /etc/letsencrypt/accounts/

Now you should have 2 accounts:

ls -l /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/
total 8
drwx------ 2 root root 4096 Sep 30 19:05 xxxxxxxxxxxxxxx123456789aaaaaaaa/
drwx------ 2 root root 4096 Dec 29 11:45 yyyyyyyyyyyyyyy987654321bbbbbbbb/

If you want to create a new certificate you should specify the right account with the --account parameter:

Example:

certbot certonly --account yyyyyyyyyyyyyyy987654321bbbbbbbb --webroot -w /var/www/letsencrypt/ -d your.domain.tld

As the account info is saved into the renewal conf files /etc/letsencrypt/renewal/*, a certbot renew command should work to renew the existing certificates with the right account.

As @Osiris said, certbot can manage multiple certificates and doing this will add complexity to the process.

Disclaimer: I did not test this procedure so do it at your own risk… and before doing anything, back up your /etc/letsencrypt/ dir… just in case :stuck_out_tongue:

Cheers and Happy Holidays,
sahsanu
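An added example (not from sahsanu's post and not part of certbot itself): the step above that renames the accounts directory is exactly the kind of change that can leave a renewal conf pointing at an account ID that no longer exists on disk, which only shows up when certbot renew fails later. The POSIX shell functions below list the account IDs present under accounts/, read the account = line out of each renewal conf, and report any cert whose account directory is missing. The directory tree, conf contents and the third "orphan" cert are constructed for the demo (the account IDs reuse the placeholders from the listing above); in real use pass /etc/letsencrypt as the first argument.

```shell
#!/bin/sh
# Audit which ACME account each certbot renewal conf references and confirm
# that the account directory still exists. Example code, not certbot's own.

# Print the account IDs found under <le_dir>/accounts/<server>/directory/<id>/
list_accounts() {
    for d in "$1"/accounts/*/directory/*/; do
        [ -d "$d" ] || continue
        basename "$d"
    done
}

# Return 0 if <le_dir> holds an account directory named <id> for any server.
account_exists() {
    for d in "$1"/accounts/*/directory/"$2"/; do
        [ -d "$d" ] && return 0
    done
    return 1
}

# Extract the value of the 'account = <id>' line from one renewal conf file.
renewal_account() {
    sed -n 's/^[[:space:]]*account[[:space:]]*=[[:space:]]*\([0-9A-Za-z_-]*\).*/\1/p' "$1" | head -n 1
}

# For every <le_dir>/renewal/*.conf print "<cert name> <account> OK|MISSING".
# Returns 1 if any cert references an account that is not on disk.
check_renewal_accounts() {
    le_dir="$1"
    status=0
    for conf in "$le_dir"/renewal/*.conf; do
        [ -f "$conf" ] || continue
        name=$(basename "$conf" .conf)
        acct=$(renewal_account "$conf")
        if [ -n "$acct" ] && account_exists "$le_dir" "$acct"; then
            printf '%s %s OK\n' "$name" "$acct"
        else
            printf '%s %s MISSING\n' "$name" "${acct:-<none>}"
            status=1
        fi
    done
    return $status
}

# --- constructed demo data below; not real certbot state ---

# Write a minimal renewal conf in the layout certbot uses (only the keys we need).
write_conf() {
    cat > "$1/renewal/$2.conf" <<EOF
# renew_before_expiry = 30 days
version = 0.19.0
cert = $1/live/$2/cert.pem
[renewalparams]
authenticator = webroot
account = $3
server = https://acme-v01.api.letsencrypt.org/directory
EOF
}

# Build a fake /etc/letsencrypt under <root>: two accounts, three certs,
# one of which points at an account ID that is not present on disk.
make_demo_tree() {
    root="$1"
    acct_a=xxxxxxxxxxxxxxx123456789aaaaaaaa   # placeholder IDs from the thread
    acct_b=yyyyyyyyyyyyyyy987654321bbbbbbbb
    mkdir -p "$root/accounts/acme-v01.api.letsencrypt.org/directory/$acct_a" \
             "$root/accounts/acme-v01.api.letsencrypt.org/directory/$acct_b" \
             "$root/renewal"
    write_conf "$root" site-one.example "$acct_a"
    write_conf "$root" site-two.example "$acct_b"
    write_conf "$root" orphan.example zzzzzzzzzzzzzzz000000000cccccccc
}

# Stand-alone run: build the demo tree in a temp dir and audit it.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_demo_tree "$demo"
    echo "accounts on disk:"; list_accounts "$demo"
    check_renewal_accounts "$demo"
    echo "exit status: $?"
    rm -rf "$demo"
fi
```

Run the file with --demo to see the orphan cert flagged; against a live /etc/letsencrypt, a non-zero exit from check_renewal_accounts is the signal to restore or copy back the missing account directory before the next scheduled renew.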


#4

@Osiris - correct, I would like to keep the domains on one IP grouped together and registered with one email address distinct from the domains on the other IP and its email address.

@sahsanu - I’ll give that a go and report back :slight_smile:


#5

@sahsanu - it looks like it’s worked: the new account was created, then I moved the old account back, created new certs explicitly quoting the new account, and then checked the renewal conf and confirmed differing account UUIDs.

