How to have https on two domain names pointing at the same IP?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: wellword.ru; keyword.picture

I ran this command: certbot for wellword.ru works fine

It produced this output: -

My web server is (include version): nginx +gunicorn

The operating system my web server runs on is (include version): ubuntu

My hosting provider, if applicable, is: reg.ru

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):1.16.0

I have two domain names pointing at the same IP, how can I have https on both of them? Now only one of them is working (wellword.ru).

2 Likes

Hi @dsh91698 and welcome to the forum.

Should be keyword.pictures with the "s" on the end.
Is it possible the TLD was misspelled or a typo was used on your attempt to obtain a certificate?
Or is it possible you forgot to add keyword.pictures to your certificate request?

Both domains and aliases can be named on one certificate, OR one certificate can name keyword.pictures and a second certificate can name wellword.ru with their respective aliases.
Hope I am explaining it right.

6 Likes

Yes, you are absolutely right. It is "keyword.pictures"
I used certbot a month ago for wellword.ru and HTTPS is working OK now.
I added a new domain name and would like to add an HTTPS cert for it, but have no idea how to do it the right way. So I haven't run any commands yet.

3 Likes

You can use the same certbot command for keyword.pictures to obtain its certificate. It should work pretty much like the original command did for wellword.ru.

If successful, you will have two separate certificates, which is OK.
Remember to use keyword.pictures AND www.keyword.pictures as your (alias) when you make your request.

Copy your command and output in case you have any problems so we can help you debug. You should do fine though.... good luck.

7 Likes

Looks like you got it running! :crazy_face:
I can access the site without error!

7 Likes

Hi @dsh91698 and welcome to the LE community forum :slight_smile:

The most basic answer is to use SNI within the web server software to handle domain names via specific virtual host configuration files and then secure each domain individually.
[this is nothing new and all current web servers support it]

How to secure them (once HTTP is working for multiple names) is also a very basic function of most ACME clients and most include the automatic creation of the necessary secured virtual host configs.
[but you need HTTP working for all names first]

7 Likes

Guys, a day later one domain lost its HTTPS. I can see both certs are valid, but wellword.ru shows a warning and points at the other cert, for keyword.pictures.

2 Likes

OK so we'll need to see some configuration info...
Can you show the output of:

nginx -T
7 Likes

configuration file /etc/nginx/sites-enabled/wellword.conf:

server {
# listen on port 80 (http)
listen 80;
server_name _;
location / {
# redirect any requests to the same URL but on https
return 301 https://$host$request_uri;
}
}
server {
# listen on port 443 (https)
listen 443 ssl;
server_name _;

# location of the self-signed SSL certificate
ssl_certificate /etc/letsencrypt/live/wellword.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wellword.ru/privkey.pem;

ssl_certificate /etc/letsencrypt/live/keyword.pictures/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/keyword.pictures/privkey.pem;
2 Likes

Thank you ...
Please show:

certbot certificates
7 Likes

Found the following certs:
Certificate Name: keyword.pictures
Serial Number: 41fba2a365e012349202cd3cc09d715b0a8
Key Type: RSA
Domains: keyword.pictures
Expiry Date: 2021-09-15 17:00:31+00:00 (VALID: 86 days)
Certificate Path: /etc/letsencrypt/live/keyword.pictures/fullchain.pem
Private Key Path: /etc/letsencrypt/live/keyword.pictures/privkey.pem
Certificate Name: wellword.ru
Serial Number: 3f622d8b26ed9e7744aa97241ac005bcb41
Key Type: RSA
Domains: wellword.ru www.wellword.ru
Expiry Date: 2021-08-05 09:28:30+00:00 (VALID: 44 days)
Certificate Path: /etc/letsencrypt/live/wellword.ru/fullchain.pem
Private Key Path: /etc/letsencrypt/live/wellword.ru/privkey.pem

2 Likes

Great! Thanks... And one more please.

configuration file /etc/nginx/sites-enabled/keyword.pictures.conf
6 Likes

There is only one .conf in sites_enabled and both certs are there

location of the self-signed SSL certificate

ssl_certificate /etc/letsencrypt/live/wellword.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wellword.ru/privkey.pem;

ssl_certificate /etc/letsencrypt/live/keyword.pictures/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/keyword.pictures/privkey.pem;

2 Likes

I see. I'm not an nginx expert per se, but I would declare server names instead of using the default server declaration.

Maybe @griffin or @rg305 will correct me if I am in error.

I would also separate the two configs to simplify the configuration.

For example, your config file for wellword.ru is trying to serve both certificates. (Not my preferred way to do it.)

IMHO you should create an identical configuration file for keyword.pictures.
You could:

1). Copy the config for the other host:

cp /etc/nginx/sites-available/wellword.ru.conf  /etc/nginx/sites-available/keyword.pictures.conf

2). In /etc/nginx/sites-enabled/wellword.ru.conf
edit server_name _; to server_name wellword.ru; (with the semicolon)

Comment out the cert paths for keyword.pictures:
#ssl_certificate /etc/letsencrypt/live/keyword.pictures/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/keyword.pictures/privkey.pem;

3). In /etc/nginx/sites-available/keyword.pictures.conf
edit server_name _; to server_name keyword.pictures; (with the semicolon)

Comment out the cert paths for wellword.ru:
#ssl_certificate /etc/letsencrypt/live/wellword.ru/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/wellword.ru/privkey.pem;

4). Link to the keyword.pictures folder:

ln -s  /etc/nginx/sites-available/keyword.pictures.conf /etc/nginx/sites-enabled/

5). Reload nginx

sudo service nginx reload

Let us know how it works out please.

7 Likes

Where did you learn to do this?
[I have never seen anything like this work in the way you expect]

6 Likes

I think @dsh91698 ran the same command based on my post. (assumptions are not good)

But I don't recall certbot functioning this way? I am not familiar enough with nginx to understand certbot's behavior in this scenario.

7 Likes

It might be possible that, having no other vhost to modify, certbot was forced to use the single (default) vhost twice.
This of course is NOT a good thing; as nginx will likely use the first cert (of the requested type) for all requests (which includes both names).

Step #1 (get HTTP working) was mangled and forced to work for multiple unique names.

The only thing that could conceivably work while continuing down this path, is to use one single cert with all the names on it - that would scale up until the cert SAN limit is reached (100 entries).
But it really fails to provide unique content per each domain name used - they would all use the same document root.
So it is clearly NOT something I would recommend.
I recommend (as @Rip suggested) fixing the vhost configs into well defined and separate files first.

7 Likes
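Putting @Rip's separate-file layout and @rg305's SNI explanation together, here is an added worked configuration (not from the thread or from certbot's own output). nginx picks the server block by matching the SNI name the client sends against server_name, so each name gets its own block and only its own certificate. The broken single-block form is shown first for contrast only and should not be deployed; the document roots and the gunicorn upstream address are assumptions.

```nginx
# BROKEN (as in the thread): one catch-all block holding two RSA certificates.
# Whatever name the client sends in SNI, this one block answers, and it can
# only present one of the two certificates, so one site always gets a
# name-mismatch warning (here wellword.ru received the keyword.pictures cert).
server {
    listen 443 ssl;
    server_name _;
    ssl_certificate     /etc/letsencrypt/live/wellword.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wellword.ru/privkey.pem;
    ssl_certificate     /etc/letsencrypt/live/keyword.pictures/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/keyword.pictures/privkey.pem;
}

# FIXED: one file per site, each with its own server_name and its own cert.
# /etc/nginx/sites-available/wellword.ru.conf
server {
    listen 80;
    server_name wellword.ru www.wellword.ru;
    return 301 https://$host$request_uri;   # redirect plain HTTP to HTTPS
}
server {
    listen 443 ssl;
    server_name wellword.ru www.wellword.ru;    # matches the SNI name
    ssl_certificate     /etc/letsencrypt/live/wellword.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wellword.ru/privkey.pem;
    root /var/www/wellword;                     # assumed document root
    location / { proxy_pass http://127.0.0.1:8000; }  # assumed gunicorn upstream
}

# /etc/nginx/sites-available/keyword.pictures.conf
# The certbot output above shows this cert covers keyword.pictures only;
# add www.keyword.pictures to server_name once the cert includes that name.
server {
    listen 80;
    server_name keyword.pictures;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name keyword.pictures;
    ssl_certificate     /etc/letsencrypt/live/keyword.pictures/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/keyword.pictures/privkey.pem;
    root /var/www/keyword;                      # assumed document root
    location / { proxy_pass http://127.0.0.1:8001; }  # assumed second gunicorn
}
```

After symlinking the new file into sites-enabled, `sudo nginx -t` validates the syntax, and `openssl s_client -servername keyword.pictures -connect keyword.pictures:443` shows which certificate each name now receives.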

I made separate .conf files, one for wellword.ru and another for keyword.pictures.
I keep them in the sites_enabled folder (not in sites_available with symlinks to sites_enabled).
But, unfortunately, nothing happens after nginx reload.

2 Likes

OK Thanks @dsh91698

Since there have been some changes, can you please show the updated:

configuration file /etc/nginx/sites-enabled/wellword.conf
and
configuration file /etc/nginx/sites-enabled/keyword.pictures.conf
and output from:

sudo nginx -T

7 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

Make that:

sudo nginx -T

to be on the safe side.

4 Likes