Let's Encrypt Certificates

Hi, I have an nginx web server with multiple virtual hosts and multiple domains configured. I have generated TLS certificates through Let's Encrypt, but after a period of 90 days those certificates expire and I need to generate certificates manually each time for all the domains. So, is there any auto-renewal process for multiple domains on a shared nginx web server on Ubuntu?

Thanks

1 Like

That depends on how you got the certificates in the first place.

1 Like

I got the certificates through Let's Encrypt with acme.sh for all my domains. But I am not able to auto-renew those certificates, which are on a shared server under a single IP address. Each time the TLS certificate of one of those domains expires, I renew it manually. Is there any way that all my TLS certificates for multiple domains can auto-renew on an nginx web server?

1 Like

How exactly? Which command did you use?

Why not? What is the exact issue?

What kind of shared server?

How exactly? Which command did you use?

Again, that depends.

I'm really fishing for information here, which makes it rather difficult for us to help you. Let's start over. When you opened this thread in the Help section you should have automatically been given a questionnaire to answer. You might not have gotten it for some reason or you might have deleted it, but we really require the answers to those questions, so I'll post it here again. Please fill in all the answers to the best of your knowledge and if you don't know the answer, please write that after the question instead of leaving it blank. Thanks!


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2 Likes

Hello @kalyan.vidyayug !

This is all you have shared with us (not quite enough). Could you make it easier for us to help by sharing a little bit more information that @Osiris has requested?

2 Likes

These are the details. Please help me out. Is there any possibility of auto-renewal of these domains' certificates once they are expired? All these domains are on a shared web server.

My domain is: gclassroom.com & institutionsearch.info

I ran this command:
./acme.sh --issue --dns dns_gd -d gclassroom.com
./acme.sh --issue --dns dns_gd -d *.gclassroom.com
./acme.sh --issue --dns dns_gd -d institutionsearch.info
./acme.sh --issue --dns dns_gd -d *.institutionsearch.info

It produced this output:

My web server is (include version): nginx/1.14.0

The operating system my web server runs on is (include version): Ubuntu 18.04.4 LTS

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): acme.sh v2.8.7

1 Like

According to the acme.sh README, that command with --issue isn't enough for a working situation. Please read part 3 of the readme:

After the cert is generated, you probably want to install/copy the cert to your Apache/Nginx or other servers. You MUST use this command to copy the certs to the target files, DO NOT use the certs files in ~/.acme.sh/ folder, they are for internal use only, the folder structure may change in the future.

In part 2 it also specifies a cron job example:

Although I have no idea how to reload nginx after the cert has been renewed. I don't have experience with acme.sh.

1 Like

Hi, my doubt is this: if I create TLS certificates with the above process, which I mentioned, through acme.sh for multiple domains under a single IP address, I am not able to auto-renew those certificates. Every 90 days I have to do it manually because there are multiple domain certificates on one web server. But when I created certificates for a single domain on a separate web server only for that domain, they are being auto-renewed. So, is there any possibility of auto-renewal when there are multiple domain certificates under one IP address?

Having multiple hostnames and certificates on a single webserver is NOT a reason for manual renewal. Almost every webserver nowadays works with a single IP and single webserver and a multitude of hostnames/sites/certificates.

1 Like

If there is one domain on one web server it will automatically renew, but when we have multiple domain certificates it does not auto-renew because the API key of that domain is saved in the accounts.conf file. So, auto-renewal does not work for the other domains. When we do it manually for another domain, that domain's API-related details are saved in the accounts.conf file. For a web server hosting a single domain there is no problem with accounts.conf, as it contains only one domain's details.

1 Like

Sadly, that's pretty broken behavior on the part of acme.sh. It does the same thing with acme-dns authentication, and I don't know of a way around that unless it's possible to generate an API key with a broader scope. Perhaps with multiple installations of acme.sh?

--reloadcmd service nginx reload (or whatever the appropriate command would be for the user's environment).

1 Like

Can't you bypass that limitation by using separate directories as --config-home?

1 Like

I've found this one to work fairly universally:

nginx -s reload
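
An added example (not code from any poster or from the acme.sh project) that follows the suggestions in the replies: one `--config-home` per domain so each keeps its own saved GoDaddy key, `--install-cert` with `--reloadcmd`, and one cron line per config home. The paths and the `run`, `issue`, `install_cert`, `cron_line` and `plan` helpers are hypothetical, and the sketch goes slightly beyond the thread by putting the apex and wildcard names on one certificate.

```shell
#!/bin/sh
# Added example, not from the thread. All paths are assumptions.
ACME="${ACME:-$HOME/.acme.sh/acme.sh}"     # assumed acme.sh install path
CONF_ROOT="${CONF_ROOT:-/etc/acme-homes}"  # hypothetical: one config home per domain
CERT_ROOT="${CERT_ROOT:-/etc/nginx/ssl}"   # hypothetical: files nginx points at

# DRY_RUN=1 (default) prints each command for review; DRY_RUN=0 executes it.
# The printed form drops shell quoting, so review it rather than pasting it.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Apex and wildcard go on ONE certificate. On first issue dns_gd reads
# GD_Key/GD_Secret from the environment and saves them to account.conf
# inside this config home only, so another domain's key is not overwritten.
issue() {
    run "$ACME" --issue --dns dns_gd --config-home "$CONF_ROOT/$1" \
        -d "$1" -d "*.$1"
}

# Copy cert and key out of acme.sh's internal tree; acme.sh stores the
# reload command and re-runs it after each successful renewal.
install_cert() {
    run "$ACME" --install-cert --config-home "$CONF_ROOT/$1" -d "$1" \
        --key-file "$CERT_ROOT/$1.key" \
        --fullchain-file "$CERT_ROOT/$1.fullchain.pem" \
        --reloadcmd "nginx -s reload"
}

# The cron entry from a default install only covers the default config
# home, so emit one crontab line per domain. $2 is the minute (staggered).
cron_line() {
    printf '%s 0 * * * "%s" --cron --config-home "%s/%s" > /dev/null\n' \
        "$2" "$ACME" "$CONF_ROOT" "$1"
}

# Full plan for a list of domains: issue, install, then the crontab line.
plan() {
    minute=5
    for d in "$@"; do
        issue "$d" && install_cert "$d" && cron_line "$d" "$minute"
        minute=$((minute + 10))
    done
}
```

Calling `plan gclassroom.com institutionsearch.info` prints the commands and crontab lines for the two domains from the thread; for a real run, export that domain's `GD_Key` and `GD_Secret` before calling `issue` with `DRY_RUN=0`.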
