How to move from old single site LetsEncrypt to multiple sites

My domain is: isbd.uk plus several new ones

My web server is (include version): apache2

The operating system my web server runs on is (include version): ubuntu 18.04

I can login to a root shell on my machine (yes or no, or I don't know): yes

I have been running Letsencrypt for many years on isbd.uk which is a virtual server running Ubuntu 18.04 on Gandi Internet. I have root access etc.

It's an old LetsEncrypt installation, I have just been running letsencrypt-auto to update the certificate when I'm notified about expiration. (it's so old it uses python virtual environments)

I want to add some more web sites to the apache server as virtual domains, so I need certificates for them. I gather it's possible to use a single certificate for multiple sites but that's as far as my knowledge goes.

What's going to be the easiest way to migrate to a modern LetsEncrypt/Certbot installation that will support multiple domains?


Hi @chrisisbd

Add the required port 80 vHosts. Typical: One vHost per domain with the main domain and the www subdomain.

Then create one certificate with two domain names.

Relevant: One vHost -> one certificate with the same list of domain names.

You can, but you shouldn't. A certificate can have max. 100 domain names.

But you shouldn't, because mixing different domains in one certificate makes it more complicated to manage such a system (adding new domains).

If you have one certificate per main domain, you can add more domains without touching these working certificates.


JuergenAuer (Community leader), February 5:
chrisisbd:

 I want to add some more web sites to the apache server as virtual
 domains, so I need certificates for them.

Add the required port 80 vHosts. Typical: One vHost per domain with the
main domain and the www subdomain.

Yes, OK, I'm fairly familiar with the apache2 configuration.

Then create one certificate with two domain names.

Relevant: One vHost -> one certificate with the same list of domain
names.

This is where I get lost. By "one certificate with two domain names"
do you mean with domains abcxyz.com and www.abcxyz.com, or do you mean
with abcxyz.com and my existing isbd.uk ?

... and how do I create the certificate? I have just been blindly
renewing my single isbd.uk certificate for years using letsencrypt-auto.

Should I remove the existing single site certificate?

 chrisisbd:

 I gather it's possible to use a single certificate for multiple
 sites but that's as far as my knowledge goes.

You can, but you shouldn't. A certificate can have max. 100 domain
names.

But you shouldn't, because mixing different domains in one certificate
makes it more complicated to manage such a system (adding new domains).

If you have one certificate per main domain, you can add more domains
without touching these working certificates.

OK, so I should have multiple certificates, I'm planning to have about
four domains hosted, so four certificates. If I continue as at
present it will start getting annoying renewing them all every 60/90
days as it's not automatic.

I gather that a modern Certbot installation will automate the
renewals, what I need to know though is how to move from my old,
single certificate installation that doesn't auto-renew to a modern
multi-certificate auto-renewing installation.

Thanks for the help so far.


Please read my answer.

-> Conclusion

You have created a first certificate before renewing. Do that again.

If you have a working port 80 vHost configuration, certbot is all you need.


I do think if you follow Certbot's installation instructions from scratch, you may be able to get what you want.

The form you want is probably like

certbot --apache -d onename.example.com -d anothername.example.com -d athirdname.example.org

with whatever names you want to be included on the certificate.

As @JuergenAuer is indicating, there is no benefit (and some risk) in deleting your old certificate. You should keep it at least until you're sure the new one is working exactly the way you want!

Also as @JuergenAuer is suggesting, Certbot expects you to have existing non-HTTPS Apache VirtualHosts defined with the specific names of the sites that you want to be listed on your certificates. The certbot --apache command will look at your existing configuration files in order to figure out how to install your new certificate in Apache, and it wants the HTTP version to be present and correct in order to create a new HTTPS version based on it.

Installing Certbot via a different method will not delete your existing certificates; the different installation methods coexist and share the certificate store information under /etc/letsencrypt.

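As an added example (not from the thread, and not Certbot's own code), a small shell helper that lays out the steps the replies above describe: one port-80 vHost per main domain with its www alias, one certbot --apache run per main domain so that later sites never touch an existing certificate, then a renewal dry run. The sites-available path, the /var/www/<domain> DocumentRoot and the DRY_RUN and SETUP_DOMAINS variables are assumptions; by default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread or Certbot: one port-80 vHost per main
# domain (main + www), one certificate per main domain, then a renewal test.
# Assumes certbot is installed per certbot.eff.org for Ubuntu/Apache.
# DRY_RUN=1 (default) only prints the commands that would be executed.
DRY_RUN="${DRY_RUN:-1}"
SITES_DIR="${SITES_DIR:-/etc/apache2/sites-available}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Port-80 vHost that certbot --apache must find before it can build the
# HTTPS twin; DocumentRoot /var/www/<domain> is an assumed layout.
vhost_conf() {
  cat <<EOF
<VirtualHost *:80>
    ServerName $1
    ServerAlias www.$1
    DocumentRoot /var/www/$1
</VirtualHost>
EOF
}

# Certbot command for one main domain: only that domain and its www name,
# never a second main domain, so later sites do not touch this certificate.
certbot_cmd() { printf 'certbot --apache -d %s -d www.%s\n' "$1" "$1"; }

setup_domain() {
  d="$1"
  if [ "$DRY_RUN" = 1 ]; then
    echo "+ write $SITES_DIR/$d.conf:"; vhost_conf "$d"
  else
    vhost_conf "$d" > "$SITES_DIR/$d.conf"
  fi
  run a2ensite "$d.conf"
  run apachectl configtest || return 1   # stop here on a broken config
  run systemctl reload apache2
  run $(certbot_cmd "$d")                # word splitting intended: the argv
}

# Confirms every certificate under /etc/letsencrypt can renew unattended.
check_renewal() { run certbot renew --dry-run; }

# Usage: DRY_RUN=0 SETUP_DOMAINS="abcxyz.com example.org" sh setup.sh
if [ -n "${SETUP_DOMAINS:-}" ]; then
  for d in $SETUP_DOMAINS; do setup_domain "$d"; done
  check_renewal
fi
```

Run it once with the default DRY_RUN=1 and read the printed commands before rerunning with DRY_RUN=0 as root.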
