Difficulties with separate certificates for multiple domains

Hello,

My problem is: if I run certbot multiple times for multiple domains, only the last domain (certificate request) seems to be operational.

  1. certbot certonly --standalone --rsa-key-size 4096 -d example1.com
  2. certbot certonly --standalone --rsa-key-size 4096 -d example2.com

Also the files, i.e. /etc/letsencrypt/live/example1.com, are overwritten by /etc/letsencrypt/live/example2.com.

My expectation would be that both certificates (and their files under /etc/letsencrypt/live/) could exist in parallel.

Before trying this, I used a single certificate for the multiple domains with all domains listed after the -d option. This worked perfectly, but does not fit my needs. I need a single certificate per domain.

I appreciate your help and hope I could make my point clear.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
falckenweb.de, wrangel-netz.de and some more
I ran this command:
see above
It produced this output:
don't know
My web server is (include version):
Apache 2.4
The operating system my web server runs on is (include version):
Ubuntu 18.2
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.27.0


What do

  • certbot certificates
  • ls -la /etc/letsencrypt/live
  • ls -la /etc/letsencrypt/archive

say?

certbot certificates: shows only the certificate from the last invocation of the certbot command
/etc/letsencrypt/live: shows a folder for the domain from the last invocation of the certbot command (i.e. example2.com). The folder for example1.com has been removed.
/etc/letsencrypt/archive: the above applies to the archive too

There is some information missing.

both your domains

have their own certificates with some subdomains. If you specify different --cert-name for each run, it should work. What are the actual commands you’re running and what’s in the ini file in /etc/letsencrypt?

Back up the /etc/letsencrypt directory and use --staging to try; you will get rate-limited pretty soon.


Sorry, but what information is missing?

I have now tried the command
certbot certonly --standalone --rsa-key-size 4096 --cert-name koettbullar.berlin -d koettbullar.berlin

to make an additional certificate for koettbullar.berlin, but my former file /etc/letsencrypt/live/falckenweb.de was deleted.

What are the actual commands you’re running
You can see the command in my first post and here as well.

what’s in the ini file in /etc/letsencrypt?
There is no ini file. As posted above, I am running Ubuntu, not Windows.

You’re not using Docker, are you?

Read this section please: https://certbot.eff.org/docs/using.html#configuration-file


No, I am not running Docker … and I have no separate configuration (ini) file.


I wonder if my request is so special … probably my poor English led to my problem not being understood … if so, please let me know.


It’s clear enough, it’s just that certbot is behaving in a completely absurd way and I have no ideas left.

Try another client maybe?


Hi @walter8

Checking your first domain, you have a lot of domain names - https://check-your-website.server-daten.de/?q=falckenweb.de - 25 domain names.

And the certificate is 89 days valid.

So your current configuration may work.

If you want to create certificates per domain (non-www and www), it’s good to have a matching port 80 vHost.

--standalone requires a free port 80. That can’t work if your webserver is running. That works if you stop your webserver.

That

sounds impossible. Maybe you are checking the wrong place. There

am-liebsten-essen.de, bangbang-marketing.com, de.icz-sicherheit.de, en.icz-sicherheit.de, eymajoh.de, falckenweb.de, icz-sicherheit.de, informationssicherheit-in-berlin.de, ingenieur-sicherheit-berlin.de, lists.falckenweb.de, mail.wrangel-netz.de, smtp.wrangel-netz.de, toothless-minka.com, umap-team.de, wrangel-netz.de, www.am-liebsten-essen.de, www.bangbang-marketing.com, www.eymajoh.de, www.falckenweb.de, www.icz-sicherheit.de, www.informationssicherheit-in-berlin.de, www.ingenieur-sicherheit-berlin.de, www.toothless-minka.com, www.umap-team.de, www.wrangel-netz.de

is your certificate with a lot of domain names.

And certonly doesn’t create a vHost and doesn’t install the certificate.

So your default vHost answers.


Hi @JuergenAuer,

thank you for your attention to my request.

Yes, my configuration with one single certificate has worked perfectly for over a year now for all my domains. All my domains have a corresponding port 80 vHost, so all good with this. And there is no need for certbot to create a vHost and install it, because I do that on my own.

All I want to do is to have two (or more, later) certificates that run in parallel. My expectation would be that certbot stores the corresponding information for each certificate in folders /etc/letsencrypt/live/example1.com, /etc/letsencrypt/live/example2.com and so on.

Isn’t there documentation or a tutorial on how to use certificates in parallel with one certbot installation? Do I have to have different Let's Encrypt accounts for each certificate?

I cannot imagine that my desire for that is so unusual, but maybe I am wrong.

I hope that I am not annoying anyone with my questions. I appreciate your help very much.


There is no storage in live, those are symbolic links. The storing happens in archive.


Hi @9peppe,

You are right. So I correct my sentence to
" My expectation would be that certbot stores the corresponding information for each certificate in folders /etc/letsencrypt/archive/example1.com, /etc/letsencrypt/archive/example2.com and so on. And that there are corresponding links under /etc/letsencrypt/live. "

But the problem remains …


You are doing something completely wrong (checking the wrong place).

Or you have a buggy configuration (multiple certbots, running certbot on the wrong machine, so port 80 isn’t used).

Using certbot doesn’t delete certificates if you create a new one with --cert-name. At most, a certificate with the same name is overwritten. Nothing else.


Oh my god … I have to apologize very, very much for wasting your time. As so often, the problem is sitting in front of the screen :frowning:

I am using certbot inside a script where I make a backup of the /etc/letsencrypt folder, stop Apache, and so on …

My mistake is that my backup of /etc/letsencrypt is done by mv, not by cp (don't ask me what my idea was for that). So certbot found no /etc/letsencrypt folder and created everything new.

I found this in the logfile
“2020-03-24 13:47:54,523:DEBUG:certbot.storage:Creating directory /etc/letsencrypt/archive.
2020-03-24 13:47:54,524:DEBUG:certbot.storage:Creating directory /etc/letsencrypt/live.”

Again … I am very sorry for my mistake.


cp is not so good either.

tar -cf "/backups/certbot-$(date +%F_%T).tar" "/etc/letsencrypt"

could be a better idea.

If you want compression, there are a lot of options, -z for gzip and -J for xz being the most interesting.

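As an added example (not code from the thread or from certbot itself), a POSIX sh script that takes the backup with tar as suggested above, leaving the config directory in place rather than moving it, and then checks that every lineage under live/ is a set of symlinks resolving into archive/, which is the layout certbot expects to find on its next run. The source and backup directories are parameters, so it can be tried on a copy; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from certbot: back up a certbot
# config directory with tar (leaving the original where it is, unlike mv) and
# check that every lineage under live/ is a set of symlinks pointing at files
# under archive/, which is the layout certbot expects to find on the next run.

# backup_letsencrypt SRC DEST_DIR: writes DEST_DIR/certbot-<timestamp>.tar and
# prints its path. SRC is only read, so certbot still finds its config afterwards.
backup_letsencrypt() {
    src="$1"; dest_dir="$2"
    [ -d "$src" ] || { echo "backup: no such directory: $src" >&2; return 1; }
    mkdir -p "$dest_dir" || return 1
    archive="$dest_dir/certbot-$(date +%F_%H-%M-%S).tar"
    # -C parent: entries are "letsencrypt/..." so a restore lands in the right place
    tar -cf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    [ -d "$src" ] || { echo "backup: source directory vanished" >&2; return 1; }
    echo "$archive"
}

# check_lineages LE_ROOT: returns 0 when every live/<name>/<file>.pem is a
# symlink whose target exists, 1 otherwise (offenders are listed on stderr).
check_lineages() {
    root="$1"; rc=0
    for d in "$root"/live/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        for f in cert.pem chain.pem fullchain.pem privkey.pem; do
            link="$d$f"
            if [ ! -L "$link" ]; then
                echo "$name/$f: not a symlink" >&2; rc=1; continue
            fi
            target=$(readlink "$link")
            case "$target" in
                /*) resolved="$target" ;;          # absolute link
                *)  resolved="$d$target" ;;        # certbot uses ../../archive/<name>/...
            esac
            [ -f "$resolved" ] || { echo "$name/$f -> $target: missing" >&2; rc=1; }
        done
    done
    return "$rc"
}
```

Running check_lineages before and after the certbot step makes a disappearing archive/ (as happened here after the mv) visible immediately instead of only on the next renewal.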
