I have several servers hosting several domains and after hitting the rate limit for domains I discovered I could request SAN certificates.
I created a single certificate for 67 domains successfully on a Parabola GNU/Linux-libre server, using nginx+passenger 1.8 and a latest git clone of LE after the public beta release:
The certificates are recognized without issues by other daemons, like postfix, dovecot and prosody.
Has anyone seen this happen? I’m guessing it’s the way Debian builds nginx, but couldn’t find anything. Single domain certs work just fine, but the rate limit doesn’t allow me to issue all the certs I need.
I hope not
I just found that it works w/o the private key, by the way
cat fullchain.pem chain.pem cert.pem > bundle.pem
Ahem... Not really... I found this method somewhere in a forum, a long time ago, for a totally different issue.
I desperately tested the same; my nginx website would not start.
On one of my Nginx servers, I noticed this error after a server reboot, and it turns out my configuration was pointing to the wrong key—or maybe at some point certbot/LE switched keys on me!
Before (throwing this error, but worked for a few months at least):
It would be interesting to know how that got there. Probably that key would have worked when you first obtained the certificate, but not after a successful renewal, because the renewed fullchain.pem would have a different public key and a different private key. So 0000_key-certbot.pem is probably the correct private key for your first certificate, but not for your second (or later) certificate.
Files in keys are never updated, while files in live are automatically updated upon renewal.
I know I manually set the paths during the installation, which was running Certbot 0.10.0; I usually just copy and paste whatever paths Certbot provides at the end of the first setup, then set certbot-auto on cron to do its thing.
I think I set up that particular server with LE certs a couple months ago.
In any case, checking on some of my other servers using the same Ansible role for Certbot/LE setup, they’re all set to use certificate_key_file: /etc/letsencrypt/live/example2.com/privkey.pem so either it was a temporary thing in certbot’s docs, or I just had a brain fart on that particular server configuration (just means I need to automate it better so my own stupidity doesn’t result in site downtime!)
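A check for the key/certificate mismatch discussed in this thread, added here as an example and not code from any of the posters or from Certbot: it compares the public key in the leaf certificate of fullchain.pem with the one derived from the private key. The scratch directory, the self-signed certificates and the helper names (key_matches_cert, issue, demo) are constructed for the demonstration; only the file names mirror those quoted above.

```shell
#!/bin/sh
# Added example: does the private key nginx is pointed at belong to the
# certificate it serves? Compares the public key in the first (leaf)
# certificate of a PEM file with the public key derived from the key file.

key_matches_cert() {  # usage: key_matches_cert <fullchain.pem> <privkey.pem>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed stand-in for an issuance or renewal: a new key pair plus a
# self-signed certificate for the placeholder name example2.com.
issue() {  # usage: issue <key-out> <cert-out>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example2.com" \
        -keyout "$1" -out "$2" 2>/dev/null
}

# Rebuilds a simplified keys/ and live/ layout in a scratch directory
# (files are overwritten in place here) and prints the result for each key
# path after one renewal.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/keys" "$d/live"
    issue "$d/keys/0000_key-certbot.pem" "$d/live/fullchain.pem"   # first issuance
    cp "$d/keys/0000_key-certbot.pem" "$d/live/privkey.pem"
    issue "$d/live/privkey.pem" "$d/live/fullchain.pem"            # renewal
    for k in "$d/live/privkey.pem" "$d/keys/0000_key-certbot.pem"; do
        if key_matches_cert "$d/live/fullchain.pem" "$k"; then
            echo "${k#"$d"/}: match"
        else
            echo "${k#"$d"/}: MISMATCH"
        fi
    done
    rm -rf "$d"
}

demo
```

Running key_matches_cert against the two paths in the server's own nginx configuration before a reload shows the stale key as a non-zero exit status instead of a failed start.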