Creating separate domain/cert groups on same server with multiple IPs

I am trying to set up certificates such that on a single server:

The sites are functional, with IP1 having a Let's Encrypt SSL cert attached to it.
IP2 currently doesn't have any certs bound to it.

I saw this in searching:

... and it seemed to suggest that I should be able to create multiple ACME accounts, so I ran this command:

# certbot register -m user@example.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
There is an existing account; registration of a duplicate account with this command is currently unsupported.

My web server is (include version): Apache 2.4.27

The operating system my web server runs on is (include version): Ubuntu 17.10

I can login to a root shell on my machine

I am not using a control panel to manage my site.

How should one go about having two separate groups of certificates?

Certbot doesn’t need multiple accounts for multiple certificates, unless you want to have the cert ‘coupled’ to a different email address.

I didn’t know the command doesn’t actually work, by the way. The documentation of certbot didn’t mention it.

Hi @ADFHogan,

I did not use it myself so I don’t know if it works smoothly but you can do the following:

1.- Rename your original accounts directory:

mv /etc/letsencrypt/accounts/ /etc/letsencrypt/accounts.original

2.- Register a new account with a new mail:

certbot register -m user@example.com

3.- Copy the contents of the original accounts dir to the newly created one:

cp -prf /etc/letsencrypt/accounts.original/* /etc/letsencrypt/accounts/

Now you should have 2 accounts:

ls -l /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/
total 8
drwx------ 2 root root 4096 Sep 30 19:05 xxxxxxxxxxxxxxx123456789aaaaaaaa/
drwx------ 2 root root 4096 Dec 29 11:45 yyyyyyyyyyyyyyy987654321bbbbbbbb/

If you want to create a new certificate you should specify the right account with the --account parameter:

Example:

certbot certonly --account yyyyyyyyyyyyyyy987654321bbbbbbbb --webroot -w /var/www/letsencrypt/ -d your.domain.tld

As the account info is saved into the renewal conf files /etc/letsencrypt/renewal/*, a certbot renew command should work to renew the existing certificates with the right account.

As @Osiris said, certbot can manage multiple certificates and doing this will add complexity to the process.

Disclaimer: I did not test this procedure so do it at your own risk… and before doing anything, backup your /etc/letsencrypt/ dir… just in case :stuck_out_tongue:

Cheers and Happy Holidays,
sahsanu
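A check to go with the procedure above, added here and not part of sahsanu's post: a small POSIX shell script that reads the `account = ...` key certbot stores under `[renewalparams]` in each /etc/letsencrypt/renewal/*.conf and reports which account every certificate is bound to, so you can confirm the two groups really sit on different accounts before relying on `certbot renew`. It runs against constructed sample conf files (using the placeholder account ids from this thread) in a temp directory; point `list_cert_accounts` at /etc/letsencrypt/renewal to use it for real.

```shell
#!/bin/sh
# Added example, not from the thread: report which ACME account each certbot
# renewal conf is bound to, so the two groups can be confirmed to sit on
# different accounts before trusting `certbot renew` to pick the right one.

# Print the account id from one renewal conf (the "account = ..." key that
# certbot writes under [renewalparams]); prints nothing if the key is absent.
account_for_cert() {
    sed -n 's/^[[:space:]]*account[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# For every *.conf in a renewal directory print "<cert name> <account id>";
# a conf without an account line is reported with "-" so it stands out.
list_cert_accounts() {
    for conf in "$1"/*.conf; do
        [ -e "$conf" ] || continue
        acct=$(account_for_cert "$conf")
        printf '%s %s\n' "$(basename "$conf" .conf)" "${acct:--}"
    done
}

# Number of distinct account ids referenced by the confs in a directory.
count_accounts() {
    list_cert_accounts "$1" | awk '$2 != "-" { print $2 }' | sort -u | wc -l | tr -d ' '
}

# Constructed sample confs (not real certbot output), laid out like
# /etc/letsencrypt/renewal/<name>.conf, using the placeholder ids from the thread.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_DIR/site-on-ip1.conf" <<'EOF'
cert = /etc/letsencrypt/live/site-on-ip1/cert.pem
[renewalparams]
authenticator = webroot
account = xxxxxxxxxxxxxxx123456789aaaaaaaa
server = https://acme-v01.api.letsencrypt.org/directory
EOF
cat > "$DEMO_DIR/site-on-ip2.conf" <<'EOF'
cert = /etc/letsencrypt/live/site-on-ip2/cert.pem
[renewalparams]
account = yyyyyyyyyyyyyyy987654321bbbbbbbb
server = https://acme-v01.api.letsencrypt.org/directory
EOF
# A conf with no account line at all, to show the "-" marker.
printf '[renewalparams]\nauthenticator = webroot\n' > "$DEMO_DIR/orphan.conf"

list_cert_accounts "$DEMO_DIR"
echo "distinct accounts: $(count_accounts "$DEMO_DIR")"
```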


@Osiris - correct, I would like to keep the domains on one IP grouped together and registered with one email address distinct from the domains on the other IP and its email address.

@sahsanu - I’ll give that a go and report back :slight_smile:


@sahsanu - it looks like it’s worked, in that the new account was created, then I moved the old account back, created new certs explicitly quoting the new account, and then checked in the renewal conf and confirmed differing account UUIDs.
