Must vhost config files be separate for Certbot?


#1

I’m a front-end developer with limited knowledge of server configs and networking, so there’s a very good chance this is a stupid question:

I’ve got an Apache/CentOS6 server running a few websites on a small vhost setup, and obviously need to enable https sooner rather than later. I’m going to need certificate installations and renewals to be automated, so I’ll apparently be updating to CentOS7 and using Certbot.

But, my vhost config file looks like this:

	<VirtualHost *:80>
		ServerName *
		ServerAlias *
		VirtualDocumentRoot /var/www/vhosts/%0/html
		DocumentRoot /var/www/vhosts/masterfiles/html
		CustomLog /var/log/httpd/vhosts-access.log forwarded
		ErrorLog /var/log/httpd/vhosts-error.log
	</VirtualHost>

I’m using a single wildcard vhost setup, rather than an individual config file for each website.

Is this going to be a problem?


#2

Hi,

That might be a problem when Certbot tries to install a certificate to your vHost (since it reverse maps the vHost and tries to find a match).

However, that will not impose any problem on requesting the certificate, since a wildcard certificate requires dns-01 validation.

If you want to use a wildcard certificate, be sure to check if your DNS provider supports API access and if there’s any client that supports your provider. (Check the list from https://letsencrypt.org/docs/client-options/)

Thank you


#3

Generally speaking, you want to separate your domain names by both user/group and by individual vhosts.

I would go ahead and swap this config to static VHosts, stop using the VirtualDocumentRoot, and just set a hard one for each domain / user, if it were my server.

That’s a more standard setup anyway, especially if you ever need to issue customizations past modifying htaccess variables.


#4

In addition to @stevenzhu’s and @KnownHost’s helpful comments, I would point out that even if you use certbot certonly to obtain certificates without installing them in Apache, if you obtain more than one certificate there’s probably no way to tell Apache to use them appropriately (as in my experience Apache’s SNI dispatching to select the appropriate certificate for a request is based on virtual hosts, and each virtual host can only be configured with a single certificate). So you would need to create more virtual hosts in order to make use of the certificates you obtain—unless you choose to cover all of the hostnames on a single certificate, which is a possibility.
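As an added example (not code from the thread or from Certbot), here is what the "static vhost per domain, one certificate per vhost" setup recommended in #3 and #4 looks like in practice: a small shell script that writes one Apache config file per domain, with a port-443 block pointing at that domain's own certificate so Apache's SNI dispatch can select it. It assumes Certbot's default layout under /etc/letsencrypt/live/<domain>/, the CentOS 7 drop-in directory /etc/httpd/conf.d/, a docroot convention of /var/www/vhosts/<domain>/html, and that mod_ssl and mod_rewrite are loaded; the domains are placeholders.

```shell
#!/bin/sh
# Added example: generate static per-domain vhost files, each carrying its
# own certificate, which is what Apache's SNI dispatch needs. Paths assume
# Certbot's default /etc/letsencrypt/live/<domain>/ layout and a docroot
# under /var/www/vhosts/<domain>/html; adjust both if your layout differs.

# Print the port-80 and port-443 <VirtualHost> blocks for one domain.
# Usage: vhost_conf DOMAIN [ALIAS ...]
vhost_conf() {
    domain=$1; shift
    aliases=$*
    docroot=/var/www/vhosts/$domain/html
    cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    ${aliases:+ServerAlias $aliases}
    DocumentRoot $docroot
    # Keep /.well-known/acme-challenge/ reachable over plain HTTP so the
    # http-01 challenge (certbot --webroot) still works behind the redirect.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
    CustomLog /var/log/httpd/$domain-access.log combined
    ErrorLog /var/log/httpd/$domain-error.log
</VirtualHost>

<VirtualHost *:443>
    ServerName $domain
    ${aliases:+ServerAlias $aliases}
    DocumentRoot $docroot
    SSLEngine on
    # One certificate per vhost: Apache picks this block by the SNI name
    # the client sends, then serves the certificate configured here.
    SSLCertificateFile /etc/letsencrypt/live/$domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$domain/privkey.pem
    CustomLog /var/log/httpd/$domain-access.log combined
    ErrorLog /var/log/httpd/$domain-error.log
</VirtualHost>
EOF
}

# Write one file per domain into OUTDIR (e.g. /etc/httpd/conf.d).
# Usage: write_vhosts OUTDIR "DOMAIN [ALIAS ...]" ...
# Quote a domain together with its aliases as a single argument.
write_vhosts() {
    outdir=$1; shift
    for spec; do
        set -- $spec                      # split "domain alias ..." into words
        vhost_conf "$@" > "$outdir/$1.conf"
    done
}

# After `apachectl graceful`, confirm which certificate Apache serves for a
# given SNI name (needs network access, so it is not exercised offline).
check_sni() {
    printf '%s: ' "$1"
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject
}

# Example invocation (placeholder domains):
#   write_vhosts /etc/httpd/conf.d "example.com www.example.com" example.org
if [ "$#" -gt 1 ]; then
    write_vhosts "$@"
fi
```

With one file per domain you then run `certbot certonly --webroot -w /var/www/vhosts/example.com/html -d example.com -d www.example.com` per site (or let the Apache plugin pick the vhost up, now that ServerName is a real hostname), reload Apache, and use `check_sni` against each name to confirm the right certificate comes back. If you instead take the single-certificate route mentioned in #4 (all hostnames on one certificate), every port-443 block simply points at the same /etc/letsencrypt/live/<first-domain>/ directory; the per-vhost layout still applies, only the file paths repeat.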