How to add a list of domains

Help
1

My domain is: pbx7.numbercard.co.uk

I ran this command: ./letsencrypt.sh & up it’s and ruuning beautifully

It produced this output: it works perfectly fine

My web server is (include version):

The operating system my web server runs on is (include version): Linux letsencrypt 3.16.0-5-amd64 #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08) x86_64 GNU/Linux

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): fusionpbx

Hello everyone,

How can I get it to look at a list of domains? I have both pbx7.numbercard.co.uk & pbx8.numbercard.co.uk certificates in place, if I interchage them, (see config below) they both work but only one at a time, how can I get them both working at the same time? As I want to add more. Thank you.

erver {
listen 443;
server_name fusionpbx;
ssl on;
ssl_certificate /etc/dehydrated/certs/pbx7.numbercard.co.uk/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/pbx7.numbercard.co.uk/privkey.pem;

2

Maybe I can help you. I am also first time to work with letsencrypt.

I recommend you try to use the offical application certbot. It’s very userful and easy. The url is:certbot

The certbot supprot for pbx7.numbercard.co.uk & pbx8.numbercard.co.uk on the same time. And it’s simple.

Also, it support *.domain.com, but it needs one more step. You should add a TXT record to your domain records(on the DNS server control panel).

For exaple,

# on Ubuntu 18.04, you can run
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot

After installed, run: $ sudo certbot certonly

It will show:

$ certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Then, choose 1: standalone,I recommand you choose 1. Because 2 is a little difficult.

Maybe The official guide is more detailed than my description. I solved most problems according to the offcial site guider: certbot.

3

Hello iwj,

Thanks for your reply, I did do some digging around certbot last night but when I ran the cmd’s it failed so said to myself I would revisit as I’m interested in the auto-renewal, but as all the certificates are contained in the same folder I’m pretty sure some like Juergen Auer will know how to mod the conf file, but I do like your Idea for wildcard that would save all the head ace of doing them one by one.

4

Where did you get this file from?

5

Juergen Auer also helped me some days ago. He’s a very nice gentleman.
Unfortunately, I have not helped you solve the problem perfectly. Perhaps, other users will help you solve this issue.
In my question, some senior people responded to me. The certbot engineer also replied to me.

6

It was part of the installation used, found in (root@letsencrypt:/usr/src/fusionpbx-install.sh/debian/resources/)
You can remove what's not needed.

chmod +x letsencrypt.sh

#!/bin/sh

FusionPBX - Install

Mark J Crane markjcrane@fusionpbx.com

Copyright (C) 2018

All Rights Reserved.

#move to script directory so all relative paths work
cd "$(dirname "$0")"

#includes
. ./config.sh

#remove dehyrdated letsencrypt script
#rm -R /etc/dehydrated/
#rm /usr/local/sbin/dehydrated
#rm -R /usr/src/dehydrated
#rm -R /usr/src/dns-01-manual
#rm -R /var/www/dehydrated

#request the domain name, email address and wild card domain
read -p 'Domain Name: ' domain_name
read -p 'Email Address: ' email_address

#get and install dehydrated
cd /usr/src && git clone GitHub - dehydrated-io/dehydrated: letsencrypt/acme client implemented as a shell-script – just add water
cd /usr/src/dehydrated
cp dehydrated /usr/local/sbin
mkdir -p /var/www/dehydrated
mkdir -p /etc/dehydrated/certs

#wildcard detection
wilcard_domain=$(echo $domain_name | cut -c1-1)
if [ "$wilcard_domain" = "*" ]; then
wilcard_domain="true"
else
wilcard_domain="false"
fi

#remove the wildcard and period
if [ .$wilcard_domain = ."true" ]; then
domain_name=$(echo "$domain_name" | cut -c3-255)
fi

#manual dns hook
if [ .$wilcard_domain = ."true" ]; then
cd /usr/src
git clone GitHub - sebastiansterk/dns-01-manual: A manual implementation for DNS-01 challenge hook used in dehydrated
cd /usr/src/dns-01-manual/
cp hook.sh /etc/dehydrated/hook.sh
chmod 755 /etc/dehydrated/hook.sh
fi

#copy config and hook.sh into /etc/dehydrated
cd /usr/src/dehydrated
cp docs/examples/config /etc/dehydrated
#cp docs/examples/hook.sh /etc/dehydrated

#update the dehydrated config
#sed "s#CONTACT_EMAIL=#CONTACT_EMAIL=$email_address" -i /etc/dehydrated/config
sed -i' ' -e s:'#CONTACT_EMAIL=":CONTACT_EMAIL=$email_address:' /etc/dehydrated/config
sed -i' ' -e s:'#WELLKNOWN="/var/www/dehydrated":WELLKNOWN="/var/www/dehydrated":' /etc/dehydrated/config

#accept the terms
dehydrated --register --accept-terms --config /etc/dehydrated/config

#set the domain alias
domain_alias=$(echo "$domain_name" | head -n1 | cut -d " " -f1)

#create an alias when using wildcard dns
if [ .$wilcard_domain = ."true" ]; then
echo "*.$domain_name > $domain_name" > /etc/dehydrated/domains.txt
fi

#add the domain name to domains.txt
if [ .$wilcard_domain = ."false" ]; then
echo "$domain_name" > /etc/dehydrated/domains.txt
fi

#request the certificates
if [ .$wilcard_domain = ."true" ]; then
dehydrated --cron --domain *.$domain_name --alias $domain_alias --config /etc/dehydrated/config --out /etc/dehydrated/certs --challenge dns-01 --hook /etc/dehydrated/hook.sh
fi
if [ .$wilcard_domain = ."false" ]; then
dehydrated --cron --alias $domain_alias --config /etc/dehydrated/config --config /etc/dehydrated/config --out /etc/dehydrated/certs --challenge http-01
fi

#make sure the nginx ssl directory exists
mkdir -p /etc/nginx/ssl

#update nginx config
sed "s@ssl_certificate /etc/ssl/certs/nginx.crt;@ssl_certificate /etc/dehydrated/certs/$domain_alias/fullchain.pem;@g" -i /etc/nginx/sites-available/fusionpbx
sed "s@ssl_certificate_key /etc/ssl/private/nginx.key;@ssl_certificate_key /etc/dehydrated/certs/$domain_alias/privkey.pem;@g" -i /etc/nginx/sites-available/fusionpbx

#read the config
/usr/sbin/nginx -t && /usr/sbin/nginx -s reload

#setup freeswitch tls
if [ .$switch_tls = ."true" ]; then

    #make sure the freeswitch directory exists
    mkdir -p /etc/freeswitch/tls

    #make sure the freeswitch certificate directory is empty
    rm /etc/freeswitch/tls/*

    #combine the certs into all.pem
    cat /etc/dehydrated/certs/$domain_alias/fullchain.pem > /etc/freeswitch/tls/all.pem
    cat /etc/dehydrated/certs/$domain_alias/privkey.pem >> /etc/freeswitch/tls/all.pem
    #cat /etc/dehydrated/certs/$domain_alias/chain.pem >> /etc/freeswitch/tls/all.pem

    #copy the certificates
    cp /etc/dehydrated/certs/$domain_alias/cert.pem /etc/freeswitch/tls
    cp /etc/dehydrated/certs/$domain_alias/chain.pem /etc/freeswitch/tls
    cp /etc/dehydrated/certs/$domain_alias/fullchain.pem /etc/freeswitch/tls
    cp /etc/dehydrated/certs/$domain_alias/privkey.pem /etc/freeswitch/tls

    #add symbolic links
    ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/agent.pem
    ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/tls.pem
    ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/wss.pem
    ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/dtls-srtp.pem

    #set the permissions
    chown -R www-data:www-data /etc/freeswitch/tls

fi

7

To serve the same content?
You need to use both names in the same vhost file

You many need to read up on how to dehydrated "works".

Or independent from each other?
That requires independent vhost configs (one per name) and independent certs (one per name).

8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.