Need help understanding the /etc/letsencrypt/my.conf file

kwhat4 · February 24, 2024, 8:08pm

I have everything working for a single subdomain and now I would like to configure things for several subdomains, but I am a little confused as to how I should setup the /etc/letsencrypt/my.conf file.

Should this file be able to handle more than 1 subdomain using [[webroot_map]] or do I need to create multiple files?

my.conf looks something like this:

version = 2.9.0
archive_dir = /etc/letsencrypt/archive/sub1.domain.tld
cert = /etc/letsencrypt/live/sub1.domain.tld/cert.pem
privkey = /etc/letsencrypt/live/sub1.domain.tld/privkey.pem
chain = /etc/letsencrypt/live/sub1.domain.tld/chain.pem
fullchain = /etc/letsencrypt/live/sub1.domain.tld/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = XXXXXXXXXXXXXXXXXX
authenticator = webroot
webroot_path = /var/www/sub1,
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa

[[webroot_map]]
sub1.domain.tld = /var/www/sub1

If I wanted to add sub2.domain.tld and sub3.domain.tld to this configuration, how would I do it? I understand the [[webroot_map]] part which is I assume I can setup something like:

[[webroot_map]]
sub1.domain.tld = /var/www/sub1
sub2.domain.tld = /var/www/sub2
sub3.domain.tld = /var/www/sub3

What is confusing me is the first part with the archive_dir =, cert =, pirvkey =, etc. I would assume that these files need to be unique for each cert but then why would there be [[webroot_map]]? Can these locations at the start of my config be configured to cover sub1-3? Should I create 3 different files? I am kind of lost and the documentation isn't very detailed when it comes to the conf file.

rg305 · February 24, 2024, 8:16pm

Because one cert can have up to 100 SAN entries.
Each of those entries can be located in its' own directory.
Each name could require its' own specific webroot path.
[unless all names point to the same path - all domains serve the exact same content]
[possible... but unlikely]

They should cover only one cert.
Note: One cert can have up to 100 SAN entries [names] in it.

It is not intended to be directly manipulated by Humans - LOL
It can be... But I'd leave that to the certbots of the [Internet] world.

Osiris · February 24, 2024, 8:55pm

Not by editing the renewal configuration manually, just run Certbot again, but now also with the hostnames you want to have added.

kwhat4 · February 24, 2024, 10:25pm

This is kind of a pain because I am trying to use the certbot docker container to do all of this so I was kind of hoping I could setup a config and just have it run certbot renew as the entry point and stop.

kwhat4 · February 24, 2024, 11:05pm

I ran certbot certonly -d sub1.domain.tld,sub2.domain.tld,sub3.domain.tld and that appears to have worked. If I now run certbot renew will it just auto-magically renew all 3 or do I need to still specify -d?

Osiris · February 24, 2024, 11:35pm

Just renew will do. Certbot uses the previous cert to extract the hostnames and the, if that was necessary, now updated renewal configuration file.

rg305 · February 25, 2024, 2:58am

It will [try to] renew whichever certs it thinks are still required/being managed by certbot - and in whichever way is defined in the matching renewal config file.

To see what certs are being managed by certbot, you can review the output of:
certbot certificates

system · March 26, 2024, 2:58am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Configuration file with different webroot's Help	2	1617	May 4, 2016
Multiple domains & webroot paths using webroot plugin Help	4	14751	December 31, 2015
Multi-webroot and multi-domain certificate locations on disk Help	5	4033	June 16, 2017
Using LetsEncrypt with multiple A-record domains Help	4	7664	May 5, 2017
How to add domain to /etc/letsencrypt/renewal/.conf file Help	14	6774	July 4, 2021

Need help understanding the /etc/letsencrypt/my.conf file

Related topics