Should be keyword.pictures with the "s" on the end.
Is it possible the TLD was misspelled or a typo was used on your attempt to obtain a certificate?
Or is it possible you forgot to add keyword.pictures to your certificate request?
Both domains and aliases can be named on one certificate, OR one certificate can name keyword.pictures and a second certificate can name wellword.ru with their respective aliases.
Hope I am explaining it right.
Yes, you are absolutely right. It is "keyword.pictures".
I used certbot a month ago for wellword.ru and HTTPS is working OK now.
I added a new domain name and would like to add an HTTPS cert for it, but have no idea how to do it the right way. So I haven't run any commands yet.
You can use the same certbot command for keyword.pictures to obtain its certificate. It should work pretty much like the original command did for wellword.ru.
If successful, you will have two separate certificates, which is OK.
Remember to use keyword.pictures AND www.keyword.pictures as your (alias) when you make your request.
Copy your command and output in case you have any problems so we can help you debug. You should do fine though... good luck.
Hi @dsh91698 and welcome to the LE community forum
The most basic answer is to use SNI within the web server software to handle domain names via specific virtual host configuration files and then secure each domain individually.
[this is nothing new and all current web servers support it]
How to secure them (once HTTP is working for multiple names) is also a very basic function of most ACME clients and most include the automatic creation of the necessary secured virtual host configs.
[but you need HTTP working for all names first]
    server {
        # listen on port 80 (http)
        listen 80;
        server_name _;
        location / {
            # redirect any requests to the same URL but on https
            return 301 https://$host$request_uri;
        }
    }
    server {
        # listen on port 443 (https)
        listen 443 ssl;
        server_name _;
        # location of the self-signed SSL certificate
        ssl_certificate /etc/letsencrypt/live/wellword.ru/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/wellword.ru/privkey.pem;
        # a second certificate pair in the same catch-all server block
        ssl_certificate /etc/letsencrypt/live/keyword.pictures/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/keyword.pictures/privkey.pem;
    }
2). In /etc/nginx/sites-enabled/wellword.ru.conf edit server_name _; to server_name wellword.ru; (with the semi-colon)
Comment out the cert paths for keyword.pictures:
    #ssl_certificate /etc/letsencrypt/live/keyword.pictures/fullchain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/keyword.pictures/privkey.pem;
3). In /etc/nginx/sites-available/keyword.pictures.conf edit server_name _; to server_name keyword.pictures; (with the semi-colon)
Comment out the cert paths for wellword.ru:
    #ssl_certificate /etc/letsencrypt/live/wellword.ru/fullchain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/wellword.ru/privkey.pem;
It might be possible that, having no other vhost to modify, certbot was forced to use the single (default) vhost twice.
This of course is NOT a good thing, as nginx will likely use the first cert (of the requested type) for all requests (which includes both names).
Step #1 (get HTTP working) was mangled and forced to work for multiple unique names.
The only thing that could conceivably work while continuing down this path, is to use one single cert with all the names on it - that would scale up until the cert SAN limit is reached (100 entries).
But it really fails to provide unique content per each domain name used - they would all use the same document root.
So it is clearly NOT something I would recommend.
I recommend (as @Rip suggested) fixing the vhost configs into well defined and separate files first.
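As an added example (not code from this thread or from certbot/nginx), here is a small Python linter that checks nginx server blocks for the three problems discussed above: more than one ssl_certificate in a single block, a catch-all server_name _ on a TLS listener, and a certificate path under /etc/letsencrypt/live/ whose name does not match the block's server_name. The config snippets inside it are constructed copies modelled on the one posted above.

```python
import re
LIVE = re.compile(r"/etc/letsencrypt/live/([^/]+)/")
def server_blocks(config):
    """Directive lines of each top-level server { ... } block (comments dropped)."""
    blocks, buf, depth = [], [], 0
    for line in map(str.strip, config.splitlines()):
        if depth == 0:
            if line.startswith("server") and line.endswith("{"):
                depth, buf = 1, []
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0:
            blocks.append(buf)
        elif line and not line.startswith("#"):
            buf.append(line.rstrip(";"))
    return blocks

def lint_block(directives):
    """Flag the three mistakes discussed in the thread for one server block."""
    def args(key):  # all arguments of every directive named `key`
        return sum((d.split()[1:] for d in directives if d.split()[0] == key), [])
    names, certs, out = args("server_name"), args("ssl_certificate"), []
    if len(certs) > 1:
        out.append("several ssl_certificate directives; nginx uses the first of each key type")
    if "ssl" in args("listen") and "_" in names:
        out.append("TLS server block still uses catch-all server_name _")
    for m in filter(None, map(LIVE.search, certs)):
        if names and "_" not in names and m.group(1) not in names:
            out.append(f"cert for {m.group(1)} in block for {' '.join(names)}")
    return out
def lint(config):
    """(block index, finding) pairs for every server block in the config text."""
    return [(i, f) for i, b in enumerate(server_blocks(config)) for f in lint_block(b)]
# Constructed copy of the merged TLS block posted above (the broken "before").
BROKEN = """server {
    listen 443 ssl;
    server_name _;
    ssl_certificate /etc/letsencrypt/live/wellword.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wellword.ru/privkey.pem;
    ssl_certificate /etc/letsencrypt/live/keyword.pictures/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/keyword.pictures/privkey.pem;
}"""
# Constructed "after": the keyword.pictures block alone, with only its own cert.
FIXED = """server {
    listen 443 ssl;
    server_name keyword.pictures www.keyword.pictures;
    ssl_certificate /etc/letsencrypt/live/keyword.pictures/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/keyword.pictures/privkey.pem;
}"""
```

Run `lint(BROKEN)` to see the two findings for the merged block and `lint(FIXED)` to confirm a per-name block is clean; point it at your own sites-enabled files before reloading nginx.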
I made separate .conf files, one for wellword.ru and another for keyword.pictures.
I keep them in the sites_enabled folder (not in sites_available with symlinks to sites_enabled).
But, unfortunately, nothing happens after nginx reload.