Hi, i am having a nginx webserver with multiple virtual hosts with multiple domains configured. I have generated TLS certificates through lets encrypt, but after a period of 90 days those certificates are getting expired and i need to generate certificates manually each time for all the domains. So, is there any auto renewal process for multiple domains in shared nginx web server in ubuntu.
I got the certificates through lets encrypt acme.sh for all my domains. But i am not able to auto renew those certificates which are in share server under single ipaddress. Each time when one of those domain TLS certificates expires i am renewing it manually. Is there any way that all my TLS certificates for multiple domains can auto renew in nginx webserver
I'm really fishing for information here, which is rather difficult for us to help you. Let's start over. When you opened this thread in the Help section you should have automatically been given a questionnaire to answer. You might have not gotten it for some reason or you might have deleted it, but we really require the answers to those questions, so I'll post it here again. Please fill in all the answers to the best of your knowledge and if you don't know the answer, please write that after the question in stead of leaving it blank. Thanks!
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
According to the acme.sh README, that command with --issue isn't enough for a working situation. Please read part 3 of the readme:
After the cert is generated, you probably want to install/copy the cert to your Apache/Nginx or other servers. You MUST use this command to copy the certs to the target files, DO NOT use the certs files in ~/.acme.sh/ folder, they are for internal use only, the folder structure may change in the future.
In part 2 it also specifies a cron job example:
Although I have no idea how to reload nginx after the cert has been renewed. I don't have experience with acme.sh.
Hi, my doubt is if i create TLS certificates with the above process which i mentioned through acme.sh for multiple domains under a single ipaddress. i am not able to auto renew those certificates. Every 90 days i have to do it manually because there are multiple domain certificates in one webserver. But when i created certificates for single domain in separate webserver only for that domain they are being auto renewed. So, is there any possiblity for auto renewal when there are multiple domain certificates under one ipaddress.
Having multiple hostnames and certificates on a single webserver is NOT a reason for manual renewal. Almost every webserver nowadays works with a single IP and single webserver and a multitude of hostnames/sites/certificates.
If there is one domain in one webserver it will automatically renew but when we have multiple domain certifictaes it is not auto renewing because of the api key of that domain is being saved in accounts.conf file. So, for other domains it is not working for auto renewing. When manually we do for other domain then that api relate ddetials are being saved in accounts.conf file. For a webserver which is hosting single domain there is no problem with accounts.conf as it contains only one domain related details.
Sadly, that's pretty broken behavior on the part of acme.sh. It does the same thing with acme-dns authentication, and I don't know of a way around that unless it's possible to generate an API key with a broader scope. Perhaps with multiple installations of acme.sh?
--reloadcmd service nginx reload (or whatever the appropriate command would be for the user's environment).