GetSSL and SAN certificates


Looking at the documentation I think GetSSL works on a per-host basis and can't generate SAN certificates… but I could be misreading, is this correct?

And the apache config changes need to be done manually? Not an issue per se.


The GetSSL page is generally the best place to get specific help on it (as with any client). I often check on here though, so I'll continue here :slight_smile:

You can specify SANS in the getssl.cfg file for the domain. The limit is 100 domains per certificate (and the domains don't need to be related).

# Additional domains - this could be multiple domains / subdomains in a comma separated list,,,,,,

Correct, you would need to make the changes to apache manually.


OK, so they don't all have to be ""? One could have,, etc?



(added text … just because there is a 20 char limit)


OK, dumb question No. 2

What's the Acme Challenge Location?

Sites here are stored in /var/www/html/
Though for instance there are some symlinks, i.e. /var/www/html/ is a symlink to /var/www/html/


It's basically your root directory for the domain with /.well-known/acme-challenge on the end usually, i.e. the place you would need to store a file for it to show up at in the browser.

It doesn’t matter if you use the symlink or not, so in the example above it would be either
(since both go to the same place effectively).

You will need to have an ACL for every domain / SAN in your certificate.


OK, but it doesn’t matter if the location is actually the same place after a symlink is followed?


Nope, all that's going to happen is Let's Encrypt will try to access from somewhere out on the Internet and they need to find the content made by getssl to prove you control. Putting files in a directory is just one easy way to achieve that.


OK, I think we're cooking. Thanks guys.

I guess a "test" certificate from the staging server would produce the following in Firefox:

Your connection is not secure

The owner of has configured their web site improperly. To protect your information from being stolen, Firefox has not connected to this web site.


Yes - if you check who signed it, it will be "Fake Let's Encrypt" or something similar. That means everything is set up / working nicely, so just change to the live LE server and force the issuance of a new cert (use the -f or --force option).


Just have a minor apache config issue to find before trying to go live.

```
Stopping httpd: [ OK ]
Starting httpd: [Fri Nov 25 16:38:11 2016] [warn] default VirtualHost overlap on port 443, the first has precedence
[ OK ]
```


That looks like something in your edit of the apache config. I’d do a grep for 443 in all the configs, and see where you have the ones for “default” rather than a specific domain name.
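The "grep for 443" suggested above, done as a small script. This is an added example, not code from the thread or from GetSSL: it parses constructed Apache config text (assumed sample paths and domain), lists every VirtualHost bound to :443 with its ServerName and SSLCertificateFile, marks the catch-all one, and warns when more than one vhost shares the port with no NameVirtualHost *:443 line.

```python
import re

# Constructed sample configs (assumed paths): a catch-all ssl.conf vhost plus
# one domain vhost, both bound to :443, and no NameVirtualHost line anywhere.
SAMPLE_CONFIGS = {
    "/etc/httpd/conf.d/ssl.conf": """
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
""",
    "/etc/httpd/conf.d/example.com.conf": """
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/example.com.crt
</VirtualHost>
""",
}
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def audit_443_vhosts(configs):
    """configs: file path -> config text. Returns (vhosts, has_name_vhost)."""
    vhosts, has_name_vhost = [], False
    for path, text in configs.items():
        # Drop comment lines so commented-out directives are not counted.
        text = "\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith("#"))
        if re.search(r"^\s*NameVirtualHost\s+\S*:443\b", text, re.M | re.I):
            has_name_vhost = True
        for addr, body in VHOST_RE.findall(text):
            if not re.search(r":443\b", addr):
                continue
            name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
            cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M | re.I)
            vhosts.append({"file": path, "address": addr.strip(),
                           "server_name": name.group(1) if name else None,
                           "cert": cert.group(1) if cert else None,
                           "is_default": name is None})  # no ServerName: catch-all vhost
    return vhosts, has_name_vhost

def report(configs):
    vhosts, has_nvh = audit_443_vhosts(configs)
    lines = [f"{v['file']}: <VirtualHost {v['address']}> "
             f"{'DEFAULT' if v['is_default'] else v['server_name']} cert={v['cert']}" for v in vhosts]
    if len(vhosts) > 1 and not has_nvh:
        lines.append("WARNING: more than one vhost on :443 but no NameVirtualHost *:443; "
                     "Apache 2.2 gives the first one precedence for every name")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIGS)))
```

Point it at the real files by reading each conf under the Apache config directory into the dict; the WARNING line corresponds to the "default VirtualHost overlap" message quoted earlier.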


A missing:

```
NameVirtualHost *:443
```



Not quite :frowning:
Seems apache is serving the certificate defined in ssl.conf and not the specific one in the domain's conf:

```
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
```

If I cheat and change this default to listen on port 444 then the correct certificate is served.


Can you paste your complete ssl.conf and domain conf (for apache) at (or somewhere else where I can see the raw file easily)? This forum formats some of it (alternatively, enclose it here in 3 backticks on the line before and the line after the paste).

