Host multiple domains with a single certificate

Hello,

I ran into this article that offers a possible workaround to host multiple sites without a wildcard. Can anyone advise if this functionality still exists with certbot-auto? Is there a way I can install ‘letsencrypt’ to achieve this?

Thanks!


Hi @jgatkins2002,

certbot is the new name for letsencrypt and it’s still possible to get a certificate covering multiple domains.

If you know at the outset what domains you want to be included in the certificate, it’s not necessary to edit any configuration files. Instead, you can specify the domains on the command line when you first run certbot. For example, you might run something like

certbot-auto -d one.example.com -d two.example.com -d three.example.com -d example.org

This will request a certificate covering all of those names. When renewing the certificate with certbot-auto renew, it will be replaced with a new certificate that still covers all of the names.

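Before pointing several sites at one multi-domain certificate, it helps to confirm that the certificate really lists every name. The following is an added example, not part of the reply above or of Certbot itself; the function name `san_missing` and the sample SAN text are constructed for illustration, and it assumes the SAN list comes from `openssl x509 -in cert.pem -noout -ext subjectAltName` (OpenSSL 1.1.1 or later).

```bash
# san_missing "<SAN text>" name1 [name2 ...]
#
# <SAN text> is the output of:
#   openssl x509 -in cert.pem -noout -ext subjectAltName
# Prints every expected name that is NOT listed as a DNS entry, one per line.
# Returns 0 if all names are covered, 1 otherwise.
# Matching is exact and case-insensitive; a wildcard entry such as
# "*.example.com" is NOT expanded, because the certificate discussed in the
# thread lists each name explicitly.
san_missing() {
    local san_text="$1"
    shift
    local names want status=0

    # One entry per line, whitespace removed, lowercased; keep only the DNS
    # entries and strip their "dns:" prefix (the header line and any
    # "IP Address:" entries are dropped by sed -n).
    names=$(printf '%s\n' "$san_text" | tr ',' '\n' | tr -d ' \t' \
            | tr 'A-Z' 'a-z' | sed -n 's/^dns://p')

    for want in "$@"; do
        want=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
        # -F: literal string, -x: whole line, so "example.org" cannot match
        # "www.example.org" and dots are not treated as regex wildcards.
        if ! printf '%s\n' "$names" | grep -Fxq -- "$want"; then
            printf '%s\n' "$want"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample: SAN output of a certificate that was meant to cover the
# four names from the command above but was issued without example.org.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:one.example.com, DNS:three.example.com, DNS:two.example.com'

san_missing "$SAMPLE_SAN" \
    one.example.com two.example.com three.example.com example.org \
    || echo "certificate does not cover all expected names"
```

Running the check again after `certbot-auto renew` confirms that the renewed certificate still covers the same set of names.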

THANK YOU so much!

One more minor question… I have previously requested certs for the sites individually. What should I do to ensure that I can smoothly request updated certs? Do I need to individually revoke each one before requesting this umbrella cert? I really do appreciate your help and patience! I am a newbie to some of this.

Thank you~
Jackie

There’s no requirement to revoke the earlier certificates; if you’d like, you can just allow them to expire.

You might want to double check the rate limits at

https://letsencrypt.org/docs/rate-limits/

to see if there are any that you would be in danger of hitting in your situation. (Revoking old certificates does not reset or affect the Let’s Encrypt rate limits.)

Assuming you’re not going to hit any rate limits by doing so, you can just issue a new certificate that covers all of your domains. The biggest problem that I see is simply that it may be confusing to have the old certificates and the new certificates around at the same time. In a future version of Certbot, there will be a “certificate manager” to help deal with situations like this, but it’s not done yet!

If you can delete the existing certificates without breaking your web server, you might want to do that. The safest approach might be something like sudo mv /etc/letsencrypt /etc/letsencrypt.old so that you have a backup of your old certificates and keys, but they are no longer actively used by Certbot. However, that might cause problems with your web server configuration if the server is currently set up to use your existing Let’s Encrypt certificates.

I’m sorry for the limitations in existing versions of Certbot that can make this kind of situation a bit confusing.

You are MOST helpful and I cannot tell you how much I appreciate it.

I am a bit confused about what could break, however. Would you mind providing feedback on the approach I am planning to take? I was thinking I could just delete all of the old certs and update all of my sites-available/*conf files to utilize the updated certs. I am not really sure what else I would need to change/anticipate. Also, will this method allow me to issue the ‘certonly’ option so that I can manually update all of the conf files?

I am so sorry for so many questions. This has become a high priority and I am just trying to make sure that I understand in order to avoid issues.

THANK YOU!

Are you using Apache? Were you using the Apache installer before to automatically update your Apache configurations?

Hello,

I am using Apache. I used the ‘certonly’ option and updated my configs manually.

Thanks!

Hello again!

I think this might be the solution that I need. The only problem is, when I created the inclusive cert, it named it using one of the subdomains. Can I somehow get the cert named something other than one of the subdomains? This is an issue because it will be very confusing in our present setup.

THANKS!!!

@jgatkins2002, do you mean “named it” in terms of what you see when you view it in the browser, or “named it” in terms of what it’s called within /etc/letsencrypt?
