How to create individual certificates for subdomains (generic or a mix of Nginx/Apache)


#1

Hello,

I'm quite new to using Let's Encrypt and I wonder how I can create individual certificates for each subdomain I'm using.

I do have a main domain name (I will name it "mydomain.com" in the sample) and multiple subdomains according to my needs.

Main : mydomain.com
Sub1 : sub1.mydomain.com
Sub2 : sub2.mydomain.com
Sub3 : sub3.mydomain.com

I tried to create them but I made some mistakes, then I've been stuck and I had to wait until all the certificates expired. I would like to avoid such testing, as you can imagine.

I tried searching but did not find something clear enough for me.

Is anyone able to help me?

Each certificate will be loaded by Nginx (used as a pure reverse proxy) and Apache (for the majority of subdomains).

Thanks in advance for your help and advice.


#2

With the vast majority of Let’s Encrypt client software, including the recommended certbot client, you call the program once for each different certificate you want.

For instance, these three commands will obtain and install three certificates covering four different domain names:

# get one certificate for example.com AND www.example.com and install to nginx
sudo certbot -a webroot -i nginx -w /var/www/example.com -d example.com,www.example.com
# get a certificate for sub1.example.com and install to Apache
sudo certbot -a webroot -i apache -w /var/www/sub1.example.com -d sub1.example.com
# get a certificate for sub2.example.com and install to Nginx
sudo certbot -a webroot -i nginx -w /var/www/sub2.example.com -d sub2.example.com

While Let’s Encrypt does have some rate limits you may have run into, the longest these last is one week, so you shouldn’t have to wait months to try again.

When testing, pass the --dry-run option to certbot or the equivalent for the client you are using. This uses a special testing server known as the staging server which issues test certificates that are not trusted by browsers and has higher rate limits. This way you can test everything without running into limits, and when you have everything perfect you can remove --dry-run and get a real, trusted certificate.
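An added example (not part of the thread, and not certbot's own tooling) that scripts the one-call-per-certificate pattern described above: every entry in the plan is first run with --dry-run against the staging server, and the real issuance only happens once all dry runs pass, so a broken entry does not consume rate limits for the others. The domain names, webroot paths and the CERT_PLAN line format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: one certbot call per certificate, staged before real issuance.
# The certbot flags used (-a webroot, -i nginx/apache, -w, -d, --dry-run) are
# the ones shown in the thread; domains, webroots and CERT_PLAN are assumed.

CERTBOT="${CERTBOT:-certbot}"   # override to point at a stub when testing

# One line per certificate: "<installer>|<webroot>|<domain[,domain...]>"
CERT_PLAN='nginx|/var/www/example.com|example.com,www.example.com
apache|/var/www/sub1.example.com|sub1.example.com
nginx|/var/www/sub2.example.com|sub2.example.com'

# build_certbot_args INSTALLER WEBROOT DOMAINS [--dry-run]
# Prints the argument list for a single certbot invocation (one certificate).
build_certbot_args() {
    printf '%s' "-a webroot -i $1 -w $2 -d $3"
    [ -n "$4" ] && printf ' %s' "$4"
    printf '\n'
}

# run_plan MODE   (MODE is "--dry-run" for staging, or "" for real issuance)
# Runs certbot once per plan line and stops at the first failure so the
# remaining entries are not attempted against a broken setup.
run_plan() {
    mode="$1"
    while IFS='|' read -r installer webroot domains; do
        [ -z "$domains" ] && continue
        args=$(build_certbot_args "$installer" "$webroot" "$domains" "$mode")
        echo "certbot $args"
        # shellcheck disable=SC2086  # word-splitting of $args is intended
        "$CERTBOT" $args || { echo "failed: $domains" >&2; return 1; }
    done <<EOF
$CERT_PLAN
EOF
}

# Stage everything first; only issue real certificates if every dry run passed.
main() {
    run_plan --dry-run && run_plan ""
}

if [ "${RUN_CERT_PLAN:-0}" = 1 ]; then
    main
fi
```

Run with RUN_CERT_PLAN=1 as root (or with CERTBOT pointed at a wrapper) once the plan lines match your real domains and webroots.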


#3

Sorry for the double post, I missed this part and somehow got out of edit mode when I tried to quote you.

If you are running Apache and Nginx on the same server and reverse-proxying to Apache via Nginx, then you would only need to install a certificate into nginx.

If you are running Apache and Nginx on different servers, but still reverse-proxying to Apache via Nginx, you would still need to install a certificate into nginx. You may want to install a certificate into Apache as well if you do not trust the network that connects the two servers, so even the communication between Apache and Nginx is encrypted.

Of course, if Apache is running on a different server and listening directly and not proxied via Nginx then definitely install the certificate to it. :grinning:


#4

Thank you so much for your help.
I'm gonna try this and let you know!

