Mainsite + Other site on another port

My web server is (include version): Apache

The operating system my web server runs on is (include version): Ubuntu 20.04

Hey guys, I have my main site all set up and locked up good using certbot. However, I'd like to add another site I have, but on another port. Is it possible to have the cert work for the main site and another site on another port?

If so, I'd love to know how to do this without messing up my main site that already works perfectly. I just want to add the same URL but on another port, i.e. port 5000.

Thanks!

2 Likes

Welcome to the Let's Encrypt Community, Zane :slightly_smiling_face:

That's certainly not a problem. If you try to use http-01 challenges, the domain being verified will need to respond on port 80, but can be forwarded from there. You can also use dns-01 challenges to avoid the port 80 requirement.

3 Likes

Yes, but you have to understand how certs work.
Each cert is bound to the name(s) contained on the cert.
So if the two sites have the same name as is on the cert, the cert will cover their use.
But if the two sites are on different IPs, then DNS would have to resolve that domain to both IPs.
But doing so could create another problem when they don't do the same thing.

So, yes, but as a best practice, each system that does different things or just does them from different IPs should (whenever possible) use a separate dedicated FQDN and matching cert.

Having said all that, I also need to consider the case when the "other site" is running on the same IP.
If that is the case, then DNS will point to the same IP for both and they can share the same name and cert - just run on different ports.
So, yes, for that case for sure.

[&2* readers: Get involved; Be heard. It starts with: if you read something you like, then like it :heart:]

3 Likes
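As an added example (not from the original thread), here is what the "same name, same IP, different port" case above looks like in Apache on Ubuntu 20.04. It assumes the main site is `example.com`, that certbot put the cert in the default location `/etc/letsencrypt/live/example.com/`, and that the second site's files live in `/var/www/othersite`; the hostname, paths and filenames are assumptions for illustration. `options-ssl-apache.conf` is the TLS parameter file certbot's Apache plugin drops in `/etc/letsencrypt/`; if it is not present on your install, copy the `SSLProtocol`/`SSLCipherSuite` lines from your working :443 vhost instead.

```apache
# Added example, not part of the original post.
# 1) /etc/apache2/ports.conf  -- add a second listener next to the existing
#    "Listen 80" / "Listen 443" lines (do not duplicate those).
Listen 5000

# 2) /etc/apache2/sites-available/othersite-5000.conf
<VirtualHost *:5000>
    ServerName example.com            # same name that is on the cert
    DocumentRoot /var/www/othersite    # assumed location of the second site

    SSLEngine on
    # Exactly the same files the main :443 vhost uses. certbot renews them
    # in place, so one "systemctl reload apache2" after renewal (certbot's
    # apache plugin does this for you) updates the cert on both ports.
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    <Directory /var/www/othersite>
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>

    ErrorLog  ${APACHE_LOG_DIR}/othersite-error.log
    CustomLog ${APACHE_LOG_DIR}/othersite-access.log combined
</VirtualHost>
```

Enable it with `sudo a2ensite othersite-5000 && sudo apachectl configtest && sudo systemctl reload apache2`, open the port (`sudo ufw allow 5000/tcp`), and confirm the same certificate is presented on both ports with `openssl s_client -connect example.com:5000 -servername example.com </dev/null | openssl x509 -noout -subject -dates`. Nothing about port 5000 is involved in validation: http-01 renewals still go to the existing :80 vhost, so the main site keeps working untouched. If the port-5000 application were not Apache (say a Node or Flask process reading the PEM files itself), it would also need to be restarted after each renewal, e.g. with `certbot renew --deploy-hook "systemctl restart myapp"`; the service name there is, again, an assumption.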

Thanks guys! Yeah, I need to read more into this and everything, still learning, and it was very easy how certbot worked on my main site. Now onto the port 5000 lol

*Edit
Yes, both sites have the same name and same IP, just a different port... one is just on :5000 vs the default for this site

2 Likes

In that case, my original advice holds. You want to make sure that if Let's Encrypt tries to verify using port 80 that there is a useful response. Honestly, as long as port 80 is open and certbot can create the challenge files in an accessible place, it does not matter if your main site answers on the IP on port 80 to fulfill the challenge. In other words, you can delegate/"forward" the challenge to the main domain and not bother fighting over port 80. This just involves forwarding requests for othersite/.well-known/acme-challenge/ to mainsite/.well-known/acme-challenge/

You could just use SNI rather than a separate port. Would probably make your life much simpler.

2 Likes

Unless there are multiple applications trying to use the same cert on the same system.
Then they will need to use different ports, but they can all use the same cert.
One such example would be:

  • using a web server with a cert
  • using an FTP server with that same cert
  • using an email server with that same cert
  • using a music streaming server with that same cert
  • using a video streaming server with that same cert
  • using a gaming server with that same cert

There are many others, but you get the idea.
You don't have to get them each their own cert, when they are on the same IP they can all share one.


2 Likes

Thanks guys for the support. I am trying to find the command in Linux to get this working without messing up the main HTTPS.

2 Likes

Unless you have a difference of applications between port 80 and port 5000, it would be better if you set up multiple websites on port 80 in your configuration and let SNI sort out the certificate situation. Otherwise, you could set up a reverse proxy on port 80 for your application running on port 5000.

2 Likes
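The two alternatives suggested in the thread (let SNI pick a vhost per hostname, or reverse-proxy the port-5000 application through Apache) and the earlier idea of forwarding `/.well-known/acme-challenge/` requests to the main site, as one added Apache example that is not from the original posts. It assumes the main site is `example.com`, a second hostname `app.example.com` that points at the same IP, an application listening on `127.0.0.1:5000`, and a single certbot cert that covers both names (`certbot --apache -d example.com -d app.example.com`); all of those names and paths are assumptions. It needs `sudo a2enmod ssl proxy proxy_http headers`.

```apache
# Added example, not part of the original thread.

# Option A: same hostname, path-based. https://example.com/app/ -> :5000
# The app only ever sees loopback traffic; Apache terminates TLS for it.
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/mainsite          # assumed main-site root

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    ProxyPreserveHost On
    ProxyPass        /app/ http://127.0.0.1:5000/
    ProxyPassReverse /app/ http://127.0.0.1:5000/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

# Option B: separate hostname. The client's SNI selects this vhost, the
# cert is the same file set as above (it must list app.example.com too).
<VirtualHost *:443>
    ServerName app.example.com

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:5000/
    ProxyPassReverse / http://127.0.0.1:5000/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

# Plain-HTTP side of Option B. http-01 validation for app.example.com is
# forwarded to the main site's challenge directory, so only one place ever
# has to serve challenge files; everything else goes to HTTPS.
<VirtualHost *:80>
    ServerName app.example.com
    Redirect permanent /.well-known/acme-challenge/ http://example.com/.well-known/acme-challenge/
    # Negative lookahead keeps the challenge path out of the HTTPS redirect.
    RedirectMatch permanent "^/(?!\.well-known/acme-challenge/)(.*)$" "https://app.example.com/$1"
</VirtualHost>
```

Two checks worth doing after `apachectl configtest` and a reload: `ss -ltnp | grep 5000` should show the application bound to `127.0.0.1` only, otherwise the proxy adds nothing and the app is still reachable unencrypted on :5000 from outside; and `curl -sI http://app.example.com/.well-known/acme-challenge/test` should return a 301 to `http://example.com/...`, which is what Let's Encrypt's validator will follow during renewal. With the reverse proxy in place there is no separate TLS listener to keep in sync with renewals: certbot reloads Apache, and the application behind it never touches the certificate.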

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.