How to set up Let's Encrypt to work with multiple domains hosted on a single VPS (Nginx)


#1

I followed this tutorial.
I have two domains: domain1.com and domain2.com
I want to set up Let's Encrypt such that both my domains have the https certificate. The problem is that I can find no tutorial that explains how to make this work with two domains (my web server is Nginx).
Right now, I am using the same certificate for both domains. domain1.com works perfectly but domain2.com shows a “NET::ERR_CERT_COMMON_NAME_INVALID” error in Chrome.
This is the domain1.com file in the /etc/nginx/sites-available directory:

```nginx
server {
    listen 80;
    server_name domain1.com www.domain1.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name domain1.com www.domain1.com;

    # Certificate and key issued for domain1 only
    ssl_certificate /etc/letsencrypt/live/domain1.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain1.com/privkey.pem;

    # Note: TLSv1 and TLSv1.1 are deprecated; they are only needed for very old clients
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

    root /var/www/domain1.com/html;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

The domain2 file in the /etc/nginx/sites-available directory is completely similar to the above except domain1.com has been replaced with domain2.com and it has been pointed to its appropriate root directory.
So what am I doing wrong and how do I fix it?
TL;DR: Running Nginx and hosting two domains. Want to use Let's Encrypt on the two domains but the certificate works on only one domain.

Edit:

I went ahead and did the following:

```
cd /opt/letsencrypt
./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/domain2.com/html -d domain2.com -d www.domain2.com
```

Now, I get the following error:

```
Checking for new version...
Requesting root privileges to run letsencrypt...
   /root/.local/share/letsencrypt/bin/letsencrypt certonly -a webroot --webroot-path=/var/www/domain2.com/html -d domain2.com -d www.domain2.com
Failed authorization procedure. www.domain2.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for www.domain2.com

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.domain2.com
   Type:   connection
   Detail: DNS problem: NXDOMAIN looking up A for www.domain2.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
```

#2

Are you happy to provide your domain name? (They will be on the publicly available list of certs issued anyway.)

The error is “Detail: DNS problem: NXDOMAIN looking up A for www.domain2.com”, but I have no way of checking that for you, as I don’t know what domain2 is. I’d suggest doing 2 checks:

1 - Check that your domain name correctly goes to your server from the internet.

2 - Add a file (e.g. test) in your webroot/.well-known/acme-challenge/test and then check that you can reach it, and the content is returned as plain text, from the general internet.


#4

Your 2nd domain (paytmtobtc.xyz) exists, but www.paytmtobtc.xyz doesn’t. You’ll need to either create a record for it or get a cert with just the bare domain.

Also of note is that it has 2 A records, 1 of which matches the other domain.


#5

Hello, so the www version of the site works now but I am still getting the cert error.

I am hosting both the websites in a single VPS using Nginx. I think Let's Encrypt has issues providing certificates to two different domains if it is hosted on the same server.


#6

I have multiple domains with LE certs on various servers, with no issues at all.

As cool110 says, you were providing 2 different IP addresses:

```
dig paytmtobtc.xyz @dns1.registrar-servers.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> paytmtobtc.xyz @dns1.registrar-servers.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37989
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;paytmtobtc.xyz.			IN	A

;; ANSWER SECTION:
paytmtobtc.xyz.		1799	IN	A	163.172.149.209
paytmtobtc.xyz.		1800	IN	A	162.255.119.250
```

So verification would have failed on the second IP address (as that IP is not responding for your domain).
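The two checks suggested in reply #2, plus the "every A record must be your own server" point made with the dig output in this reply, written out as a small POSIX shell script. This is an added example, not anything posted in the thread: the function names are invented, and the hostname, server IP, nameserver and webroot arguments are placeholders to replace with your own values.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes dig, curl and openssl are
# installed. Hostnames, IPs and paths passed as arguments are placeholders.

# Print every A record found in dig output ($1), one IP per line.
# Works on full dig output and on `dig +noall +answer` output alike:
# comment lines start with ';', answer lines look like "name. TTL IN A 1.2.3.4".
a_records() {
    printf '%s\n' "$1" | awk '!/^;/ && $3 == "IN" && $4 == "A" { print $5 }'
}

# Print the A records in dig output ($1) that are NOT your server's IP ($2).
# Empty output means every record points at your box.
stray_a_records() {
    a_records "$1" | awk -v ours="$2" '$1 != ours'
}

# Check 1 (live): does the name resolve, and only to your server?
# $1 = hostname, $2 = your server's public IP, $3 = nameserver to ask (optional)
check_dns() {
    out=$(dig ${3:+"@$3"} +noall +answer "$1" A)
    if [ -z "$(a_records "$out")" ]; then
        echo "FAIL: no A record for $1 (this is what NXDOMAIN in the certbot error means)"
        return 1
    fi
    stray=$(stray_a_records "$out" "$2")
    if [ -n "$stray" ]; then
        echo "FAIL: $1 also points at: $(echo "$stray" | tr '\n' ' ')"
        echo "      validation may be attempted against a host that is not yours"
        return 1
    fi
    echo "OK: every A record for $1 is $2"
}

# Check 2 (live): drop a token under the webroot the way the webroot plugin
# does and fetch it back from outside over plain HTTP.
# $1 = hostname, $2 = the --webroot-path you gave certbot
check_webroot() {
    dir="$2/.well-known/acme-challenge"
    token="probe-$$"
    mkdir -p "$dir" && printf 'ok-%s' "$token" > "$dir/$token" || return 1
    # -L follows the 80->443 redirect like the validator does; -k because the
    # validator does not verify the certificate on that hop (and yours may
    # still be the wrong one while you are debugging this).
    body=$(curl -fsSLk "http://$1/.well-known/acme-challenge/$token")
    rm -f "$dir/$token"
    if [ "$body" = "ok-$token" ]; then
        echo "OK: challenge path for $1 is reachable and served unchanged"
    else
        echo "FAIL: expected 'ok-$token', got '$body'"
        return 1
    fi
}

# Which names does the certificate nginx actually serves for this SNI name
# cover? If www.domain2.com returns domain1's names, that vhost is pointing at
# the wrong fullchain.pem, which is what NET::ERR_CERT_COMMON_NAME_INVALID means.
served_names() {
    printf '' | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
        | openssl x509 -noout -text \
        | awk '/Subject Alternative Name/ { getline; gsub(/^ +/, ""); print }'
}
```

Typical use on the VPS: `check_dns www.domain2.com YOUR_SERVER_IP dns1.registrar-servers.com`, then `check_webroot www.domain2.com /var/www/domain2.com/html`, and finally `served_names www.domain2.com` once the second vhost is configured. Asking the registrar's authoritative server directly, as the dig command in this reply does, avoids being misled by a stale cached answer.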


#7

Ok, this is really weird because the second IP (162.255.119.250) does not belong to me and I never was in possession of this IP. Also, in the DNS settings, I cannot find that IP at all!

So, if that IP does not belong to me, where did it come from?


#8

Something has changed, as it’s now only showing one IP address. Why that second IP was there for a while in your DNS I don’t know.

Now that it only has the one IP address, is it working?


#9

The site is working but I get a certificate warning. What should I do now?

I will run the following commands and report back:

```
cd /opt/letsencrypt
./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/domain2.com/html -d domain2.com -d www.domain2.com
```

#10

The certificate warning is because you are providing it with the certificate for your first domain.

Once you run it again you should (hopefully) get a cert for your second domain in /etc/letsencrypt/live/domain, and you will then need to adjust your config for the second domain to use those certificates.
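What that adjustment looks like in practice, as an added example that is not the poster's config or anything from the thread: a vhost for domain2 whose `ssl_certificate` lines point at the files issued for domain2 rather than domain1's. The paths follow the layout visible in the thread (`/etc/letsencrypt/live/<name>/` and `/var/www/<name>/html`) and are assumptions to adjust.

```nginx
# Added example (not the poster's config): a domain2 vhost that uses the
# certificate issued for domain2, instead of re-using domain1's files.
# Paths follow the layout seen in the thread and are assumptions.

server {
    listen 80;
    server_name domain2.com www.domain2.com;

    # Answer HTTP-01 challenges straight from the webroot, before the redirect,
    # so renewals keep working no matter what the HTTPS vhost is doing.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/domain2.com/html;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name domain2.com www.domain2.com;

    # domain2's own certificate. Pointing these two lines at domain1's files is
    # what produces NET::ERR_CERT_COMMON_NAME_INVALID for domain2 in the browser.
    ssl_certificate     /etc/letsencrypt/live/domain2.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain2.com/privkey.pem;

    # One DH group for the whole server is fine; both vhosts can share this file.
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Carry the cipher list, session cache, OCSP stapling and HSTS lines over
    # from the domain1 file. TLS 1.0/1.1 are deprecated; start from TLS 1.2
    # unless you must support older clients.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    root /var/www/domain2.com/html;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Run `nginx -t` before reloading. The `^~` prefix makes the challenge location win over the catch-all redirect, so the validator (and your own curl test) gets the token directly over port 80 even if the HTTPS side is misconfigured at the time.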


#11

Hey, you are right, thank you!!

I fixed it!!

I created a new certificate and made the necessary changes at: etc/nginx/sites-available/default

I have one last question.

While I was following the tutorial for configuring domain1.com, I was asked to create a Diffie-Hellman group at /etc/ssl/certs/ using the command `sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048`

But I did not create the Diffie-Hellman group for the second domain, is this a security risk?


#12

No, using the same DH parameters is safe.


#13

Thank you, I learnt many things from you and serverco.


#14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.