If I understand your question here, you have multiple virtualhosts for a number of subdomains, but you want a single certificate with a single wildcard hostname for all those subdomains. And certbot is asking you which nginx virtualhosts you want the certificate to be applied to, which is "YES" in all of those questions, right? Or does it ask for a list of virtualhosts? (I don't have experience with this issue to be honest.)
I'm not sure if certbot has that option. It doesn't have a separate "virtualhost" parameter to use in combination with a single wildcard certificate.
However, something I just thought of: perhaps you could run certbot twice? Once with certonly to issue the certificate with the wildcard without actually installing it, and running it a second time with certbot install, but this time with multiple -d options? This might trigger the nginx installer to automatically install the cert at the right virtualhosts. You should (or could, don't know if it's necessary) use --cert-name with the same certificate name for both runs, so certbot knows which certificate to install.
Edit: The above seems to work. I already had a wildcard certificate (expired, but that doesn't seem to matter to certbot) for example.com (not that hostname obviously, but I redacted it. It's a 1:1 change, all other things are actually true) and I tried to install it:
server nginx # certbot install --nginx --cert-name example.com -d foo.example.com -d bar.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator None, Installer nginx
Deploying Certificate to VirtualHost /etc/nginx/nginx.conf
Deploying Certificate to VirtualHost /etc/nginx/nginx.conf
After that there were a bunch of errors about nginx not being able to listen on port 80, which is very true, as Apache was already running. But it shows it's able to install the certificate perfectly. Without the --cert-name, it asked me which certificate I wanted to install, so I recommend that you use that too.
Also, please note that you should use persistent storage for server instances, so you don't issue new certificates every time the same instance comes up after it might have been taken down. There are rate limits preventing this kind of abuse to the Let's Encrypt servers, so make sure once you've gotten a valid certificate, you store it persistently so it can get used again when the same server instance for that domain is spun up again.
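Added example (written for this reply; not code from the post above or from certbot itself): a POSIX shell helper that builds the two-step flow described here, certonly for the wildcard and then certbot install with one -d per virtualhost under the same --cert-name, and that checks persistent storage first so a re-provisioned instance reuses its certificate instead of hitting the rate limits. LE_DIR, the placeholder DNS authenticator name and the function names are assumptions.

```shell
#!/bin/sh
# Two-step wildcard flow: certonly (issue only) + install (deploy to nginx).
# LE_DIR is assumed to be mounted on persistent storage between instances.
LE_DIR="${LE_DIR:-/etc/letsencrypt}"
CERTBOT="${CERTBOT:-certbot}"

# Build the certonly command for the wildcard (wildcards need DNS-01, so a
# DNS authenticator plugin must be given; $2 is a placeholder for its name).
wildcard_issue_cmd() {
  # $1 = base domain, $2 = DNS authenticator plugin (assumption)
  printf '%s certonly --%s --cert-name %s -d %s -d "*.%s"' \
    "$CERTBOT" "$2" "$1" "$1" "$1"
}

# Build the install command: same --cert-name, one -d per nginx virtualhost,
# so certbot does not prompt for which certificate to deploy.
install_cmd() {
  # $1 = certificate name, remaining args = subdomain hostnames
  name="$1"; shift
  cmd="$CERTBOT install --nginx --cert-name $name"
  for host in "$@"; do
    cmd="$cmd -d $host"
  done
  printf '%s' "$cmd"
}

# Succeeds when a certificate by that name already exists in LE_DIR,
# so the issuing step can be skipped on a re-provisioned instance.
have_cert() {
  [ -s "$LE_DIR/live/$1/fullchain.pem" ]
}

# Issue only when nothing is stored yet, then always (re)install to nginx.
provision() {
  # $1 = base domain, $2 = DNS plugin name, remaining = subdomains
  base="$1"; plugin="$2"; shift 2
  if have_cert "$base"; then
    echo "reusing stored certificate for $base from $LE_DIR"
  else
    eval "$(wildcard_issue_cmd "$base" "$plugin")"
  fi
  eval "$(install_cmd "$base" "$@")"
}
```

Call it as provision example.com dns-plugin foo.example.com bar.example.com, replacing dns-plugin with the authenticator you actually use.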