Multiple Domains Subject Alt Names

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: council-housing.co.uk nathan-h.co.uk

I ran this command: certbot --apache

It produced this output: N/A

My web server is (include version): Httpd V2.4.58

The operating system my web server runs on is (include version): Fedora 39

My hosting provider, if applicable, is: Self

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 2.6.0

New to setting up an HTTP server, but I would like to host 2 different websites from my own IP. Both sites have an SSL cert, and cover:

council-housing.co.uk
www.council-housing.co.uk
nathan-h.co.uk
www.nathan-h.co.uk

If I visit council-housing.co.uk, under the Subject Alt Names it displays all 4 names. Is there a way where it would only display the Alt Names for each domain, i.e. visiting council-housing.co.uk would only display that and www.council-housing.co.uk, instead of nathan-h.co.uk too? Was I supposed to run something other than certbot --apache, or should I have just run certbot -d domain1 -d domain1, then run it again but for -d domain2 -d domain2?

Hi @pr0xibus, and welcome to the LE community forum :slight_smile:

You would need to get separate certs for each vhost.
What shows?:

  • certbot certificates
  • sudo apachectl -t -D DUMP_VHOSTS
    OR
    sudo httpd -t -D DUMP_VHOSTS

Appreciated the quick reply

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: council-housing.co.uk
    Serial Number: 387c0d5bf5a2a5264c4aeee882a5776acad
    Key Type: ECDSA
    Domains: council-housing.co.uk nathan-h.co.uk www.council-housing.co.uk www.nathan-h.co.uk
    Expiry Date: 2024-03-15 17:21:40+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/council-housing.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/council-housing.co.uk/privkey.pem

If you had read what it asked/said, you might have noticed something like it asking for number(s), or if you left it blank it would get a cert with all the listed names on it.
I suppose you left it blank and got one cert - with all the listed names on it.
[as I can now see from your post]


In order to use multiple certs you must have multiple vhost configurations.
Please show us:
[whichever works on your systems]


:smiley: Yeah, I do remember that part; I left it blank. I wasn't sure how it was going to assign the certs. I "assumed" it would have automatically created a cert for each domain, rather than create 1 cert with all 4 domain names. My fault for not reading more into it :smiley:

virtualHost configuration:
*:80 is a NameVirtualHost
         default server www.nathan-h.co.uk (/etc/httpd/conf/httpd.conf:365)
         port 80 namevhost www.nathan-h.co.uk (/etc/httpd/conf/httpd.conf:365)
                 alias nathan-h.co.uk
         port 80 namevhost www.council-housing.co.uk (/etc/httpd/conf/httpd.conf:380)
                 alias council-housing.co.uk

*:443 is a NameVirtualHost
         default server fe80::59e:31ef:41cd:b72f%enp14s0 (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost fe80::59e:31ef:41cd:b72f%enp14s0 (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost www.council-housing.co.uk (/etc/httpd/conf/httpd-le-ssl.conf:2)
                 alias council-housing.co.uk
         port 443 namevhost www.nathan-h.co.uk (/etc/httpd/conf/httpd-le-ssl.conf:15)
                 alias nathan-h.co.uk

Ok, the names are on separate vhosts.
You can run the command again [certbot --apache] and choose the names that go together.
[you will have to run it twice - once for each set of names/vhost]

It may ask if you want to install/replace the current cert - say "yes".

Then show us:

  • certbot certificates
  • grep letsencrypt /etc/httpd/conf/*

Ah yeah glad it was as easy as running it again and selecting 1 2 or 3 4

Found the following certs:
  Certificate Name: council-housing.co.uk-0001
    Serial Number: 46968022b646349bf68f0a3aaae7e780f34
    Key Type: ECDSA
    Domains: council-housing.co.uk www.council-housing.co.uk
    Expiry Date: 2024-03-15 19:34:35+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/council-housing.co.uk-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/council-housing.co.uk-0001/privkey.pem
  Certificate Name: council-housing.co.uk
    Serial Number: 387c0d5bf5a2a5264c4aeee882a5776acad
    Key Type: ECDSA
    Domains: council-housing.co.uk nathan-h.co.uk www.council-housing.co.uk www.nathan-h.co.uk
    Expiry Date: 2024-03-15 17:21:40+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/council-housing.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/council-housing.co.uk/privkey.pem
  Certificate Name: nathan-h.co.uk
    Serial Number: 39b212fbc7bb1e3e70f39c298b2c136456d
    Key Type: ECDSA
    Domains: nathan-h.co.uk www.nathan-h.co.uk
    Expiry Date: 2024-03-15 19:34:44+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/nathan-h.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/nathan-h.co.uk/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

pr0xibus@fedora:/var/www/cgi-bin$ grep letsencrypt /etc/httpd/conf/*

/etc/httpd/conf/httpd-le-ssl.conf:Include /etc/letsencrypt/options-ssl-apache.conf
/etc/httpd/conf/httpd-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/council-housing.co.uk-0001/fullchain.pem
/etc/httpd/conf/httpd-le-ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/council-housing.co.uk-0001/privkey.pem
/etc/httpd/conf/httpd-le-ssl.conf:Include /etc/letsencrypt/options-ssl-apache.conf
/etc/httpd/conf/httpd-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/nathan-h.co.uk/fullchain.pem
/etc/httpd/conf/httpd-le-ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/nathan-h.co.uk/privkey.pem

pr0xibus@fedora:/var/www/cgi-bin$


Ok, you can now get rid of the original cert:
[no longer needed / nor in use]

For that, do:

certbot delete --cert-name council-housing.co.uk

[then recheck with certbot certificates]

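A check that can precede the `certbot delete` step above, added here as an example and not part of the thread: it compares the lineages listed by `certbot certificates` with the `SSLCertificateFile` paths Apache references and prints the lineages no vhost uses. The function names are made up for this example, and the sample input is trimmed from the outputs posted above.

```shell
#!/bin/sh
# Added example (not from the thread): find certbot lineages no Apache vhost references.

# Sample input, trimmed from the `certbot certificates` and grep outputs in the thread.
CERTBOT_OUT='  Certificate Name: council-housing.co.uk-0001
    Domains: council-housing.co.uk www.council-housing.co.uk
    Certificate Path: /etc/letsencrypt/live/council-housing.co.uk-0001/fullchain.pem
  Certificate Name: council-housing.co.uk
    Domains: council-housing.co.uk nathan-h.co.uk www.council-housing.co.uk www.nathan-h.co.uk
    Certificate Path: /etc/letsencrypt/live/council-housing.co.uk/fullchain.pem
  Certificate Name: nathan-h.co.uk
    Domains: nathan-h.co.uk www.nathan-h.co.uk
    Certificate Path: /etc/letsencrypt/live/nathan-h.co.uk/fullchain.pem'

APACHE_GREP='/etc/httpd/conf/httpd-le-ssl.conf:Include /etc/letsencrypt/options-ssl-apache.conf
/etc/httpd/conf/httpd-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/council-housing.co.uk-0001/fullchain.pem
/etc/httpd/conf/httpd-le-ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/council-housing.co.uk-0001/privkey.pem
/etc/httpd/conf/httpd-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/nathan-h.co.uk/fullchain.pem
/etc/httpd/conf/httpd-le-ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/nathan-h.co.uk/privkey.pem'

TAB=$(printf '\t')

# Print "name<TAB>fullchain path<TAB>domains" for each lineage in the certbot listing.
lineages() {
  printf '%s\n' "$1" | awk '
    /Certificate Name:/ { name = $3 }
    /Domains:/          { sub(/^ *Domains: */, ""); doms = $0 }
    /Certificate Path:/ { print name "\t" $3 "\t" doms }'
}

# Print the paths given to SSLCertificateFile (accepts grep output or raw config lines).
referenced_paths() {
  printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++)
    if ($i == "SSLCertificateFile" || $i ~ /:SSLCertificateFile$/) print $(i + 1) }'
}

# Print the names of lineages whose fullchain.pem no vhost references (exact path match,
# so "council-housing.co.uk" is not confused with "council-housing.co.uk-0001").
unused_lineages() {
  refs=$(referenced_paths "$2")
  lineages "$1" | while IFS="$TAB" read -r name path doms; do
    printf '%s\n' "$refs" | grep -Fxq -- "$path" || printf '%s\n' "$name"
  done
}

unused_lineages "$CERTBOT_OUT" "$APACHE_GREP"
```

On a live host, pass `"$(certbot certificates)"` and `"$(grep letsencrypt /etc/httpd/conf/*)"` in place of the two sample variables.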

Yup that cleared the old Cert, and leaves just the 2 certs now, both containing just the relevant domain names.

Appreciate the help


Glad to help :wink:

Cheers from Miami :beers:

