For all of those running multiple sites and having stress with renewals

I started let’s encrypt a few months ago, and my first renewal came up.

the ./letsencrypt-auto renew --dry-run command always came up with one vhost ( i am running three) missing.

When checking apache2, all three were fine.

After a lengthy search, i came up with a post saying that let’s encrypt only supports one vhost per ssl.conf-file (non ssl seems to be fine running all three in one file).

To ensure nobody has that problem, i am posting this. Open your default-ssl.conf - file (or whatever it’s called) in an editor and make one file for every vhost you are running.

Save them, then a2dissite the default-ssl file (e.g. a2dissite default-ssl) and a2ensite your seperate vhost files (e.g. a2ensite your-first-website, a2ensite your-second-website and so on…)

The restart your apache and run the renewal command. worked perfectly fine after that!

Good luck, everybody!

You're confusing things. The only time the multi-vhosts issue should come up with renewal is if you've changed your vhosts since you created the certs. You shouldn't have been able to create the certs in the first place if you had multiple vhosts in a single file (using the --apache flag).

That's not an issue, it's just telling you the primary domain for the SAN, the others are still there. You have three domains all in the one certificate, you'd only be displayed all three if they were in separate certificates.

Yeah, the documentation in that regard is woefully inadequate. And it's ridiculous that multiple vhosts causes the client to fail.

But I'm not sure what you mean by "non-ssl seems to be fine". It's perfectly fine to have all your vhosts in a single file regardless of whether you use ssl or not (my vhosts has both ssl and non-ssl sites and I use Let's Encrypt). It's just the --apache flag won't work with multiple vhosts in a single file. I created my certs with certonly and --webroot, and I didn't have to have my vhosts split into multiple files.

I'm not sure what you did to be able to create the certs using --apache but then need to alter your vhosts for renewal. That shouldn't be the case.

But I'm glad it's working for you!

Not true. The error specificly mentioned the last (third one), no other error was thrown. That threw me off in the first place. Domain one and two were fine, only third domain seemed to be the problem.[quote="DarkSteve, post:2, topic:15490"]
But I'm not sure what you mean by "non-ssl seems to be fine".
[/quote]

The default vhost file for non-ssl (port 80) supported all three in one file, makes sense, caus LE doesn't change anything in there.

Me neither. But in case someone else stumbles over this, I hope this post can help :slight_smile:

According to Brett Miller in this thread:
This is a recent change in the letsencrypt client. The documentation has always stated that it does not support multiple vhosts per file. But it worked anyway until the latest version

That would explain it!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.