@Osiris Yups, thanks for the tip on the --test-cert switch. Sorry I completely missed that in the documentation. I just started exploring letsencrypt yesterday, and was mostly reading up on the letsencrypt-auto client under --help all, which doesn’t seem to mention it.
I have done some tests and I’m happy to confirm that:
- Just as @motoko said, only ONE certificate will be generated in a directory named after the FIRST domain supplied.
- As expected, it is ALL OR NOTHING.
- If there are conflicting flags, letsencrypt complains with an error and fails.
Too many flags setting...
- There doesn’t seem to be a way to specify multiple webroot paths in a config file. At this point, my impression is that the command line can pretty much do everything that it needs, so the use of a config file is not really necessary. In fact, it appears to be less powerful than the command line. Even for the sake of automation, I think setting up a shell script with all the correct variables seems to be the simplest solution.
For the benefit of anyone trying to set up multiple sub-domains, this is the way I’m doing it for multiple virtual hosts in Apache HTTPD.
The config file is not necessary, as these can be easily enumerated as flags in the command line. But just for the sake of demonstration:
***********
* cli.ini *
***********
rsa-key-size = 4096
server = https://acme-v01.api.letsencrypt.org/directory
email = youremail@example.com
text = True
agree-tos = True
renew-by-default = True
authenticator = webroot
I created a shell script to do the entire authentication command for all webroot paths and domains at one go.
***************************************
* /usr/bin/letsencrypt-example.com.sh *
***************************************
#!/bin/sh
# Settings
DOMAIN=example.com
TIMESTAMP=$(date +"%F %T")
LOG=/var/log/letsencrypt/sh-renewals.log

# Execute: one -w webroot per virtual host, followed by the -d names served from it.
# The first -d name ($DOMAIN) is the one the single certificate's directory is named after.
/etc/letsencrypt/letsencrypt-auto certonly -t --renew-by-default --test-cert \
    -w /var/www/www.$DOMAIN/ -d $DOMAIN -d www.$DOMAIN \
    -w /var/www/admin.$DOMAIN/ -d admin.$DOMAIN -d adm.$DOMAIN \
    -w /var/www/api.$DOMAIN/ -d api.$DOMAIN
STATUS=$?

# Log and restart web server (TIMESTAMP contains a space, so keep it quoted)
if [ $STATUS -ne 0 ]
then
    echo "[$TIMESTAMP] Cert for $DOMAIN could NOT be renewed!" >> "$LOG"
else
    echo "[$TIMESTAMP] Cert for $DOMAIN renewed!" >> "$LOG"
    service apache2 reload
fi
# Pass the client's result on, so cron or a calling script can tell that a renewal failed
exit $STATUS
I could also have set it up to mail the output to me, but I’m leaving it out of the script for simplicity.
As shown, I test run it with the --test-cert flag just to ensure that the rest of the infrastructure is in place (DNS, firewall, webserver’s virtualhost config etc.). If we successfully get the CONGRATULATIONS message from executing /usr/bin/letsencrypt-example.com.sh then I know we’re good to go.
I proceed to remove the --test-cert flag from the script and run it again to generate the real certificate.
I then set up a cron job via crontab -e so that the script runs every month:
# add this line to end of file to renew on the 1st of every month, 02:30AM.
30 02 1 * * /usr/bin/letsencrypt-example.com.sh
Hopefully, this guarantees that all my sub-domains across various vhosts are always happily TLS-encrypted for free.
Experts, please do enlighten if I missed out anything important, or if I’m doing something wrong or stupid. Thank you!
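One check worth adding before the web server is reloaded, as an added example that is not part of the post above or of the letsencrypt client: confirm that the single certificate issued for the first domain really lists every sub-domain as a subjectAltName. The live path /etc/letsencrypt/live/<first domain>/cert.pem and the use of openssl's "x509 -ext subjectAltName" (OpenSSL 1.1.1 or later) are assumptions; the sample openssl output embedded below is constructed for the example and deliberately omits one of the names from the script.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the certificate
# covers every expected name before trusting a "renewed!" log line.
# Live directory path, the -ext openssl option and SAMPLE_SAN are assumptions.

# missing_sans SAN_TEXT DOMAIN...
# Prints the domains that do not appear as "DNS:<domain>" entries in SAN_TEXT.
# Exit status 0 when every domain is present, 1 otherwise.
missing_sans() {
    san_text=$1
    shift
    missing=""
    for d in "$@"; do
        # Escape dots so the name matches literally, and require a delimiter
        # after it so "DNS:api.example.com" does not satisfy "example.com".
        esc=$(printf '%s' "$d" | sed 's/\./\\./g')
        if ! printf '%s\n' "$san_text" | grep -Eq "DNS:${esc}(,|[[:space:]]|\$)"; then
            missing="${missing:+$missing }$d"
        fi
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# check_live_cert LIVE_DIR DOMAIN...
# Reads the SAN extension of the certificate the client wrote (assumed path
# layout: /etc/letsencrypt/live/<first domain>/cert.pem) and runs the check.
# Exit status 2 if the certificate cannot be read.
check_live_cert() {
    live_dir=$1
    shift
    san=$(openssl x509 -in "$live_dir/cert.pem" -noout -ext subjectAltName 2>/dev/null) || return 2
    missing_sans "$san" "$@"
}

# Constructed sample of what "openssl x509 -noout -ext subjectAltName" prints.
# adm.example.com, one of the names in the post's script, is intentionally absent.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:example.com, DNS:www.example.com, DNS:admin.example.com, DNS:api.example.com'

# Usage against the sample; on a real host call
#   check_live_cert /etc/letsencrypt/live/example.com example.com www.example.com ...
# from the renewal script and only reload apache when it returns 0.
missing_sans "$SAMPLE_SAN" example.com www.example.com admin.example.com adm.example.com api.example.com \
    && echo "all names present" \
    || echo "certificate does not cover every name listed above"
```

The delimiter in the grep pattern matters: without it a check for the bare domain would be satisfied by any of its sub-domains, and a missing apex name would go unnoticed.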