Multi-webroot and multi-domain certificate locations on disk


#1

I want to use the same certificate across a number of sub-domains. I am using webroot authentication and specifying webroot-domain pairs in the command:

letsencrypt-auto certonly -c /etc/letsencrypt/webroot.ini \
    -w /var/www/example.com/public_html -d example.com \
    -w /var/www/a.example.com/public_html -d a.example.com \
    -w /var/www/b.example.com/public_html -d b.example.com

The content of my .ini is:

agree-tos = True
renew-by-default = True
authenticator = webroot

This command creates a single certificate and I can configure the webserver for each domain to use that cert via the symlink in live. This is all good stuff.

However, when I added another subdomain to this command the resulting certificate was generated in a different directory: live/c.example.com, rather than in the previously used directory: live/example.com.

Is there any way to guarantee where the certificate will be generated?

I read that the first domain in the command is what determines the location but I don’t believe this is the case given my observations. If I’ve made a mistake here please let me know.

I originally generated certificates for each sub-domain, so there were entries in my /etc/letsencrypt directory for those sub-domains already. Is there a command to remove the old entries, or is it just a case of manually:

sudo rm -r live/c.example.com
sudo rm -r archive/c.example.com
sudo rm renewal/c.example.com.conf

So the question remains, can I guarantee where the certificate will be located in /etc/letsencrypt/?


#2

You can try my client: [updated]Simplest pure bash letsencrypt client, support standalone server now

You can specify the cert path or cert key path like:

CERT_PATH=/path/to/domain.cer CERT_KEY_PATH=/path/to/domain.key le issue /path/to/webroot/ domain.com www.domain.com

#3

I have multiple webroots so I don’t understand how I can use your client as it requires: “You must point and bind all the domains to the same webroot dir”.


#4

After further examination of the cli.py source I found these command line arguments:

--cert-path=.../cert.pem
--chain-path=.../chain.pem
--fullchain-path=.../fullchain.pem
--key-path=.../privkey.pem

I’ve tested with another domain and it did exactly what I needed.


#5

I have the same problem, but the suggested solution does not work for me. Here is the command I run:

letsencrypt certonly --text --test-cert --webroot \
    --cert-path=/etc/letsencrypt/domain.org/cert.pem \
    --chain-path=/etc/letsencrypt/domain.org/chain.pem \
    --fullchain-path=/etc/letsencrypt/domain.org/fullchain.pem \
    --key-path=/etc/letsencrypt/domain.org/privkey.pem \
    -w /var/www/site1.domain.org/http -d site1.domain.org \
    -w /var/www/site2.domain.org -d site2.domain.org

I expect that all the files will be placed into /etc/letsencrypt/domain.org/, but everything is placed into /etc/letsencrypt/live/site1.domain.org/.

Can someone please give the full command line?
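
The multi-webroot invocation this thread is wrestling with, as an added example that is not code from the thread or from the letsencrypt project: a small POSIX shell helper that builds the `-w`/`-d` pairs from a domain-to-webroot map, checks that every webroot's ACME challenge directory is writable before anything is requested, and pins the lineage directory under `/etc/letsencrypt/live/`. The `certbot` command name, the `--cert-name` flag (added in later certbot releases, not mentioned on this page) and the `first_domain`/`build_*`/`check_*` helper names are assumptions.

```shell
#!/bin/sh
# Added helper, not code from the thread: build a webroot-mode certonly command
# from a "domain webroot" map and check every challenge directory first.
set -eu
# Constructed sample map, one "domain webroot" pair per line (the page's layout).
DOMAIN_MAP='example.com /var/www/example.com/public_html
a.example.com /var/www/a.example.com/public_html
b.example.com /var/www/b.example.com/public_html'

# first_domain MAP -> the first domain; without --cert-name a brand-new
# lineage is named after it, i.e. it decides /etc/letsencrypt/live/<name>.
first_domain() {
  printf '%s\n' "$1" | sed -n '1s/ .*//p'
}
# build_webroot_args MAP -> "-w <root> -d <domain> ..." in map order, so each
# domain is validated from its own webroot (every -d follows its own -w).
build_webroot_args() {
  args=""
  while read -r domain root; do
    [ -n "$domain" ] || continue
    args="$args-w $root -d $domain "
  done <<EOF
$1
EOF
  printf '%s' "${args% }"
}
# check_challenge_dirs MAP -> 0 only if every <root>/.well-known/acme-challenge
# exists and is writable; otherwise the HTTP-01 token cannot be placed there.
check_challenge_dirs() {
  rc=0
  while read -r domain root; do
    [ -n "$domain" ] || continue
    d="$root/.well-known/acme-challenge"
    if [ ! -d "$d" ] || [ ! -w "$d" ]; then
      echo "challenge dir missing or not writable for $domain: $d" >&2
      rc=1
    fi
  done <<EOF
$1
EOF
  return $rc
}

# build_command MAP -> full command line with the lineage name pinned to the
# first domain, so the files land in live/<first domain> regardless of history.
build_command() {
  printf 'certbot certonly --webroot --cert-name %s %s' \
    "$(first_domain "$1")" "$(build_webroot_args "$1")"
}
```

Run `check_challenge_dirs "$DOMAIN_MAP" && build_command "$DOMAIN_MAP"` to print the command once every webroot passes the check; `--cert-path` and friends are not needed because the lineage name, not those paths, decides the directory.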


#6

So I have about 60-80 domains (three large projects/products with their domains and subdomains for different services) in different directories (obviously) and I just keep on going “WTF” and also “Are you fucking kidding me?!” while trying to figure out how to renew a certificate. Behind Cloudflare (obviously, everyone uses something, only an idiot would expose their servers directly.)

So my question towards the creators of letsencrypt would be… Did you guys try to think about actual production usage?