I have successfully created and installed an SSL certificate using certbot. This is now a production environment so I’m cautious to work on it to achieve what I am trying to. It’s running on apache on Debian VPS.
I have various domains and subdomains with A records pointing at the same servers IP address and I recall trying to add them all when I created the certificate, but there was a problem (unfortunately I cannot remember the exact issue) so I created the cert for just one of the subdomains.
My first question is, can I install certificates on the same server for, for example:
If the answer to the above is no, what are my options? Can I run certbot again to create separate certs on the same server or will this simply not work?
Thank you in advance for any assistance and guidance, much appreciated!
EDIT : I forgot to add, the domain that I successfully created the cert for was also the hostname of the server, I don’t know if this is related or not.
Yes "apache on Debian VPS" should be able to handle SNI.
This depends on how you intend on using them.
If all names are going to the same vhost config and showing the exact same content, then you can create one cert with all the names on it.
If any of the names go to different vhost configs, then you might want to separate the cert names as used in each vhost config.
Yes, this is correct, they all end up pointing to the same content.
So I just run certbot again for each domain/subdomain? (as opposed to trying to include all the domains/subdomains in one go, which is what I did the first time, but can't for the life of me remember what went wrong).
Thanks again.
EDIT : One more question, do I need to run certbot with any special parameters considering I already have a cert for this server? Or just run again and put in the domain I want to generate the cert for?
You can put all the names into a single certificate. The main advantage would be that old (think XP or Android 2.x) clients don’t know how to ask for the right certificate. If there’s only one certificate they’ll get the right one anyway.
But yes getting individual certificates is fine, and would especially make sense if you’d rather visitors to one site can’t stumble into the names of the other sites. I suspect that’s not your scenario though. Beware of Rate Limits if you will ask for many certificates in the same domain.
And no, you don’t need any special parameters. You can use one named --expand to replace your existing certificate with one that has more names if that’s what you end up deciding to do. I think there are good examples of how expand works in the docs.