Domain again unprotected if further domain is protected

I have three domains on a virtual server that I want to protect with certbot. If I execute the command below for e.g. stokkr.de, it will be protected successfully. If I now execute the command for another domain (dev-online.de), I get the message NET::ERR_CERT_COMMON_NAME_INVALID in my browser for stokkr.de.

How can I protect several domains with their own certificate? Or does it make sense to use one certificate for all domains? If so, how can I best configure this?

My domain is:
stokkr.de

I ran this command:
certbot --apache -d dev-online.de -d www.dev-online.de

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/dev-online.de.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dev-online.de
http-01 challenge for www.dev-online.de
Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /var/www/vhosts/system/dev-online.de/conf/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /var/www/vhosts/system/dev-online.de/conf/httpd-le-ssl.conf
Enabling available site: /var/www/vhosts/system/dev-online.de/conf/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /var/www/vhosts/system/dev-online.de/conf/httpd-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Enhancement redirect was already set.
Enhancement redirect was already set.


Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://dev-online.de and
https://www.dev-online.de

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=dev-online.de
https://www.ssllabs.com/ssltest/analyze.html?d=www.dev-online.de


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/dev-online.de/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/dev-online.de/privkey.pem
    Your cert will expire on 2020-06-30. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • Some rewrite rules copied from
    /etc/apache2/plesk.conf.d/vhosts/dev-online.de.conf were disabled
    in the vhost for your HTTPS site located at
    /var/www/vhosts/system/dev-online.de/conf/httpd-le-ssl.conf because
    they have the potential to create redirection loops.

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version):
Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 18.04.4 LTS

My hosting provider, if applicable, is:
1&1 IONOS

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Not for this task – but Plesk Obsidian 18.0.25

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.27.0
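
The browser error in the post above means the certificate served for stokkr.de does not list that name. This added example (not from the original post, certbot or Plesk) audits an Apache configuration for HTTPS vhosts whose ServerName/ServerAlias is not covered by the certificate they point at. The sample config, the certificate name list and all function names are constructed assumptions, not the poster's actual setup.

```python
import re

# Constructed sample: paths follow the layout in the post, contents are made up.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName stokkr.de
    ServerAlias www.stokkr.de
    SSLCertificateFile /etc/letsencrypt/live/dev-online.de/fullchain.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName dev-online.de
    ServerAlias www.dev-online.de
    SSLCertificateFile /etc/letsencrypt/live/dev-online.de/fullchain.pem
</VirtualHost>
"""

# Constructed: names each certificate covers (in practice, from `certbot certificates`).
LINEAGE = "/etc/letsencrypt/live/dev-online.de/fullchain.pem"
CERT_NAMES = {LINEAGE: ["dev-online.de", "www.dev-online.de"]}

def name_matches(host, pattern):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def parse_vhosts(conf):
    """Yield (hostnames, cert_path) for each <VirtualHost> block in the text."""
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        names, cert = [], None
        for line in block.splitlines():
            parts = line.split()
            key = parts[0].lower() if parts else ""
            if key in ("servername", "serveralias"):
                names += parts[1:]
            elif key == "sslcertificatefile" and len(parts) > 1:
                cert = parts[1]
        yield names, cert

def audit(conf, cert_names):
    """Return (hostname, cert_path) pairs where the cert does not cover the host."""
    return [(host, cert)
            for names, cert in parse_vhosts(conf) if cert
            for host in names
            if not any(name_matches(host, p) for p in cert_names.get(cert, []))]

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, CERT_NAMES))
```
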

Hi @maximilianfixl,

Would it be possible for you to use Plesk for this task? In general, Plesk and Certbot are not designed to be used together when administering the same web service, and they can sometimes conflict.

2 Likes

If you add your domains into Plesk, you should be able to issue a certificate for that domain.
Plesk reloads its Apache/Nginx regularly and any changes to virtualhost configuration files will be ignored.

FYI: you can also secure your Plesk server domain (the interface) with Let’s Encrypt extension on Plesk. https://support.plesk.com/hc/en-us/articles/213954265-How-to-secure-a-Plesk-hostname-on-port-8443-with-an-SSL-certificate-Let-s-Encrypt-other-certificate-authorities-

Thank you

3 Likes

Thanks for your answer. That’s exactly what I’ve been doing. But since I want to use the automatic renewal of certificates and not update the acme_challenge entry in the DNS every time, I wanted to switch to certbot on the console.
Is there a way to use the auto-renewal feature once you have assigned the certificates in Plesk?

Nope, I’m afraid the two will continue to be incompatible even when you’ve used Plesk initially.

To make sure I got it right: I can’t secure multiple domains with certbot on one server with one or more certificates if I added the domains with Plesk? However, I can secure every single domain I added in Plesk with the LetsEncrypt Plesk extension, but in this case I cannot renew automatically?

This depends on the extension itself; does it have autorenew features?

Plesk (screenshot) will show that the certificate is automatically renewed. The problem is that I receive an email notification that the certificate could not be renewed. Now it is necessary that I store the key in the DNS entry. And this is exactly the point I want to automate.

Ok, you need a dns plugin for that client.

Or you can move to http validation (if you don’t need a wildcard certificate, it’s advisable you do.)
