I am currently setting up my Nginx reverse proxies, maintained by me on 2 vServers, that each forward the http(s) traffic to a single Apache webserver, maintained by my webhoster.
Thus, I ended up with the following requirements for my certificates:
- proxy0 and proxy1 each require their own certificates for the domains example.com, example.de, example.eu, www.example.com, www.example.de and www.example.eu
- webserver0 and webserver1 each require their own certificate for the domains example.com and www.example.com
The private keys are different on each of these 4 systems.
My questions:
- Do I have to use the "--duplicate" option (https://certbot.eff.org/docs/using.html#command-line-options) for this use case?
- Does "--duplicate" have to be used as soon as two independent certificates need to be issued covering domains, of which at least one is identical?
If both questions are affirmed, I end up with these commands that will be executed on a fifth server:
```
/bin/certbot certonly --duplicate --webroot -w /var/www/htdocs/ --csr /home/le/certbot/ecdsa_prime256v1_00.csr --cert-path /srv/rsyncd88/
/bin/certbot certonly --duplicate --webroot -w /var/www/htdocs/ --csr /home/le/certbot/ecdsa_prime256v1_01.csr --cert-path /srv/rsyncd190/
/bin/certbot certonly --duplicate --webroot -w /var/www/htdocs/ --csr /home/le/certbot/rsa_3072_00.csr --cert-path /srv/rsyncd88/
/bin/certbot certonly --duplicate --webroot -w /var/www/htdocs/ --csr /home/le/certbot/rsa_3072_01.csr --cert-path /srv/rsyncd190/
/bin/certbot certonly --duplicate --webroot -w /var/www/htdocs/ --csr /home/le/certbot/rsa_3072_02.csr --cert-path /srv/rsyncd88ub/
/bin/certbot certonly --duplicate --webroot -w /var/www/htdocs/ --csr /home/le/certbot/rsa_3072_03.csr --cert-path /srv/rsyncd190ub/
```