How to create one certificate for multiple domains in separate project folders?

My domains are:
Dev Server: dev.bookshelf.sun-asterisk.ph (already has a certificate)
Staging Server: stage.bookshelf.sun-asterisk.ph

I ran this command:
docker-compose up -d (staging)

It produced this output:
(screenshot)

When I click the “Advanced” button, it redirects to my page, but the page is marked as “Not Secure” and the certificate is reported as invalid. It looks like it’s serving my dev server’s certificate.

(screenshot: Screen Shot 2020-01-27 at 4.40.02 PM)

My web server is (include version): nginx:1.15-alpine (Used as image in docker)

The operating system my web server runs on is (include version): CentOS Linux 7 (Core)

My hosting provider, if applicable, is: dotPH

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): I'm using certbot as an image in docker

I am using docker with my Rails Application.


1 Like

Can you show the method that you are currently using to request certificates?

2 Likes

I followed this tutorial for getting a certificate for my dev server:

(1) I added nginx and certbot as services in my docker-compose.yml:

version: '3'
services:
  # db:
  #   ......
  # web:
  #   ......
  nginx:
    image: nginx:1.15-alpine
    restart: always
    volumes:
      - ./data/nginx:/etc/nginx/conf.d
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    ports:
      - "80:80"
      - "443:443"
    # reload nginx every 6h so renewed certificates are picked up
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
    depends_on:
      - web
  certbot:
    image: certbot/certbot
    restart: unless-stopped
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    # attempt renewal every 12h
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

(2) I created an app.conf inside my data/nginx/ folder:

server {
    listen 80;
    server_name dev.bookshelf.sun-asterisk.ph;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name dev.bookshelf.sun-asterisk.ph;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/dev.bookshelf.sun-asterisk.ph/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev.bookshelf.sun-asterisk.ph/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass          http://dev.bookshelf.sun-asterisk.ph:3000;
        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto   $scheme;
        proxy_set_header    X-Forwarded-Ssl     on; # Optional
        proxy_set_header    X-Forwarded-Port    $server_port;
        proxy_set_header    X-Forwarded-Host    $http_host;
        client_max_body_size                    4g;
    }
}

(3) I pulled a file called init-letsencrypt.sh from here https://raw.githubusercontent.com/wmnnd/nginx-certbot/master/init-letsencrypt.sh

(4) And lastly, I ran the file init-letsencrypt.sh using the following command:
sudo ./init-letsencrypt.sh

Addition:
I only added the dev.bookshelf.sun-asterisk.ph in the domain list because the configuration is inside the dev project folder. If I add the stage.bookshelf.sun-asterisk.ph in the domains, I get the wrong output:

  • I can only access stage.bookshelf.sun-asterisk.ph when the dev server is running (docker-compose up -d).
  • The contents of stage.bookshelf.sun-asterisk.ph are wrong. It’s using the same db as the dev server.

I’m wondering if I should create one certificate for both domains or create one for each.

1 Like

@CharlotteDS,

Thank you for providing those scripts and configs. You may have better success using the following as replacements for your nginx container. The benefit of this is that you can easily run an arbitrary number of vhosts (dev, staging, etc) behind a single nginx container and give them each certificates.

  • jwilder/nginx-proxy
    • nginx-proxy sets up a container running nginx and docker-gen. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped.
  • JrCs/docker-letsencrypt-nginx-proxy-companion
    • letsencrypt-nginx-proxy-companion is a lightweight companion container for the nginx-proxy. It allows the creation/renewal of Let’s Encrypt certificates automatically.

If you don’t want to check those out, I’d try a distinct nginx+app pair for both dev and staging. You may even be able to template this, meaning you pass in an environment variable and docker would start nginx+dev_app, nginx+staging_app, or nginx+whatever_app.

3 Likes
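The nginx-proxy plus letsencrypt companion layout suggested above, written out as a single docker-compose.yml for the two hostnames in this thread. This is an added example, not code from the thread or from the nginx-proxy project; the ./data/proxy paths, the build directories, the DATABASE_URL values and the e-mail address are assumed placeholders, while VIRTUAL_HOST, VIRTUAL_PORT, LETSENCRYPT_HOST, DEFAULT_EMAIL and the companion label are the environment variables and label those images document.

```yaml
version: '3'
services:
  nginx-proxy:
    image: jwilder/nginx-proxy
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./data/proxy/certs:/etc/nginx/certs:ro        # proxy only reads certs
      - ./data/proxy/vhost.d:/etc/nginx/vhost.d
      - ./data/proxy/html:/usr/share/nginx/html       # ACME http-01 challenge files
      # The Docker socket grants host-level control; mount it read-only and
      # keep this container off any network the apps do not need.
      - /var/run/docker.sock:/tmp/docker.sock:ro
    labels:
      # lets the companion locate the proxy container to reload
      com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: ""
  letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    restart: always
    volumes:
      - ./data/proxy/certs:/etc/nginx/certs:rw        # companion writes certs here
      - ./data/proxy/vhost.d:/etc/nginx/vhost.d
      - ./data/proxy/html:/usr/share/nginx/html
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      DEFAULT_EMAIL: ops@example.com                  # placeholder
  web_dev:
    build: ./dev                                      # assumed Rails app dir
    expose:
      - "3000"                                        # not published; only the proxy reaches it
    environment:
      VIRTUAL_HOST: dev.bookshelf.sun-asterisk.ph
      VIRTUAL_PORT: "3000"
      LETSENCRYPT_HOST: dev.bookshelf.sun-asterisk.ph # separate cert per vhost
      DATABASE_URL: postgres://db_dev/bookshelf_dev   # placeholder: dev gets its own DB
  web_stage:
    build: ./stage
    expose:
      - "3000"
    environment:
      VIRTUAL_HOST: stage.bookshelf.sun-asterisk.ph
      VIRTUAL_PORT: "3000"
      LETSENCRYPT_HOST: stage.bookshelf.sun-asterisk.ph
      DATABASE_URL: postgres://db_stage/bookshelf_stage  # placeholder: staging DB
```

Each app gets a certificate for exactly the hostname in its own LETSENCRYPT_HOST, so a request for the staging name can no longer be answered with the dev certificate, and the two DATABASE_URL values keep the two environments from sharing a database.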

Thank you for your response.
I will try these out and see if I am able to work with it.

2 Likes

I am now using the suggested setup and it is working perfectly fine.
Thank you very much for your help. :grin:

2 Likes