Nginx how to get certificate for 3 domains on a vps

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):nginx 1.21

The operating system my web server runs on is (include version):ubuntu 20.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):nginx plugin 0.40.0

Hi guys,
I have a VPS server with 3 domains and I just want to know how to get all sites on HTTPS. I would prefer to have one certificate for all 3 domains if possible, since I am the only user of the server. I am using the nginx plugin, so is the following command correct: sudo certbot --nginx -d site1.com -d site2.com -d site3.com?
Thanks for any help, since I have been reading on this since yesterday and still haven't found how.
Regards, Peter

Sounds about right.

You might want to consider including the www subdomain for all domains.

2 Likes

Please show:
certbot --version

And if you just try certbot [by itself], it should prompt you for all that it needs.
[to include getting a single cert for all the names found in the web server config]

2 Likes

Hi, the certbot version is 0.40.0. I had tried the snapd install and it screwed up my server install, so I just went for the simple python3 installation.
Regards, Peter

Hi Osiris, is there any reason I should add the www? I don't mind doing it, but I would like to understand the reason for it.
Regards, Peter

I want to thank you guys for making certbot available at no cost, since as an indie game dev this makes a difference for us. If my game gets any success you are on my list of people to remember.

1 Like

After testing the command this is still not working. Here is the command I ran:
sudo certbot --nginx -d sortirdelamatrice.online -d www.sortirdelamatrice.online -d escapingthematrix.online -d www.escapingthematrix.online -d naos-soultrap.online -d www.naos-soultrap.online
Only one site gets HTTPS working, naos-soultrap.online; the 2 others are still unsecured.
certbot did not modify the server block configuration of the 2 sites that are not working, but I wonder why!
I wonder if one of my nginx server blocks needs default_server after listen?
I am stuck again.
Here is the terminal command with the result:

pierre@sortirdelamatrice:~$ sudo certbot --nginx -d sortirdelamatrice.online -d www.sortirdelamatrice.online -d escapingthematrix.online -d www.escapingthematrix.online -d naos-soultrap.online -d www.naos-soultrap.online
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/escapingthematrix.online.conf)

It contains these names: escapingthematrix.online, www.escapingthematrix.online

You requested these names for the new certificate: sortirdelamatrice.online,
www.sortirdelamatrice.online, escapingthematrix.online,
www.escapingthematrix.online, naos-soultrap.online, www.naos-soultrap.online.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sortirdelamatrice.online
http-01 challenge for www.sortirdelamatrice.online
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
nginx: [warn] duplicate value "TLSv1.2" in /etc/letsencrypt/options-ssl-nginx.conf:11
Waiting for verification...
Cleaning up challenges
nginx: [warn] duplicate value "TLSv1.2" in /etc/letsencrypt/options-ssl-nginx.conf:11
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/sortirdelamatrice.online.conf
Could not automatically find a matching server block for www.sortirdelamatrice.online. Set the `server_name` directive to use the Nginx installer.

IMPORTANT NOTES:
 - Unable to install the certificate
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/escapingthematrix.online/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/escapingthematrix.online/privkey.pem
   Your cert will expire on 2023-01-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"

The nginx installer looks for a server block for each domain name. This error says it could not find the www domain anywhere. You should ensure that name is listed in a server_name in the right server block.

You got the cert issued (here), so perhaps the default server was used for authentication. It was the install part that failed, due to the server_name problem.

I'm also a little puzzled about the warning messages for the listen and TLSv1.2. If you want us to look at that, could you upload your nginx config? It might be easiest to upload the txt from this command:

sudo nginx -T >upload.txt

2 Likes

Hi Mike, and thanks for helping. Here is the nginx.conf:

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "


Here are my 3 nginx server block configs for the 3 websites:

server {
    server_name naos-soultrap.online www.naos-soultrap.online;

    root /home/pierre/public/naossoultrap;

    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
    listen 443 ssl http2; # managed by Certbot
    ssl_protocols TLSv1.2; # also set in the included options-ssl-nginx.conf (source of the "duplicate value" warning)
    ssl_certificate /etc/letsencrypt/live/naos-soultrap.online/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/naos-soultrap.online/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.naos-soultrap.online) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = naos-soultrap.online) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    # no listen directive in this block as pasted
} # closing brace missing from the pasted config

server {
    listen 80;

    server_name escapingthematrix.online;

    root /home/pierre/public/escapingthematrix;

    location / {
        index index.php;
    }

    # Deny access to internal files.
    location ~ /(inc|uploads/avatars) {
        deny all;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php8.0-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
} # closing brace missing from the pasted config

server {
    listen 80;

    server_name sortirdelamatrice.online;

    root /home/pierre/public/sortirdelamatrice;

    location / {
        index index.php;
    }

    # Deny access to internal files.
    location ~ /(inc|uploads/avatars) {
        deny all;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php8.0-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

It's only necessary if you actually plan to have the www subdomain configured in your webserver of course. But I'd include it because sometimes people just type www in front of the domain out of habit. And it shouldn't be much trouble to do so.

3 Likes

If you want the www names, the server_name for each server block should be like the one for naos-soultrap.

You can remove the above line from your naos server block, since it is in the include inserted by the certbot nginx plug-in.

The warning about the listen is because you don't have a listen in your http server block for naos. Use the same format you used for your other two http server blocks (listen 80;).

3 Likes
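The two problems diagnosed in this thread (a requested name that appears in no server_name, and a server block with no listen directive) can be checked mechanically against the output of nginx -T. The script below is an added example written for this page; it is not code from the thread, from nginx or from Certbot. The two configs inside it are constructed: BROKEN_CONF mimics the layout posted above (www names only on naos-soultrap, a redirect block without listen, no www on the other two sites), and FIXED_CONF is the same layout after applying the advice (www names in every server_name, listen 80 in every HTTP block). Document roots and ssl_* lines are omitted from the samples since the checks do not look at them.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread, nginx or Certbot.
# Checks an nginx config dump for two issues:
#   1. a wanted name that no server_name directive lists
#      (certbot --nginx: "Could not automatically find a matching server block")
#   2. a top-level server block that has no listen directive
# Run it against a live server with:
#   sudo nginx -T 2>/dev/null | missing_names "$WANTED"
#   sudo nginx -T 2>/dev/null | blocks_without_listen

WANTED="sortirdelamatrice.online www.sortirdelamatrice.online \
escapingthematrix.online www.escapingthematrix.online \
naos-soultrap.online www.naos-soultrap.online"

# Constructed sample mimicking the posted config (ssl_* and root lines dropped).
BROKEN_CONF='
server {
    server_name naos-soultrap.online www.naos-soultrap.online;
    listen 443 ssl http2;
}
server {
    if ($host = www.naos-soultrap.online) { return 301 https://$host$request_uri; }
    if ($host = naos-soultrap.online) { return 301 https://$host$request_uri; }
    server_name naos-soultrap.online www.naos-soultrap.online;
}
server {
    listen 80;
    server_name escapingthematrix.online;
}
server {
    listen 80;
    server_name sortirdelamatrice.online;
}
'

# Constructed sample after the fixes: www on every site, listen 80 everywhere.
FIXED_CONF='
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name naos-soultrap.online www.naos-soultrap.online;
}
server {
    listen 80;
    listen [::]:80;
    server_name naos-soultrap.online www.naos-soultrap.online;
    return 301 https://$host$request_uri;
}
server {
    listen 80;
    server_name escapingthematrix.online www.escapingthematrix.online;
}
server {
    listen 80;
    server_name sortirdelamatrice.online www.sortirdelamatrice.online;
}
'

# Every name listed in any server_name directive, one per line (comments stripped).
server_names() {
    sed 's/#.*//' | awk '
        $1 == "server_name" {
            for (i = 2; i <= NF; i++) { n = $i; sub(/;$/, "", n); if (n != "") print n }
        }'
}

# Names from $1 (space separated) that no server_name covers; config on stdin.
missing_names() {
    have=$(server_names)
    for want in $1; do
        if ! printf '%s\n' "$have" | grep -qxF -- "$want"; then
            echo "$want"
        fi
    done
}

# Number of top-level server blocks containing no listen directive.
# Assumes the one-directive-per-line layout that "nginx -T" prints.
blocks_without_listen() {
    sed 's/#.*//' | awk '
        /^[ \t]*server[ \t]*[{]/ { inblk = 1; haslisten = 0; depth = 0 }
        inblk {
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if ($1 == "listen") haslisten = 1
            if (depth <= 0) { if (!haslisten) count++; inblk = 0 }
        }
        END { print count + 0 }'
}

report() {
    echo "== $2"
    printf '%s\n' "$1" | missing_names "$WANTED" | sed 's/^/missing from every server_name: /'
    echo "server blocks without listen: $(printf '%s\n' "$1" | blocks_without_listen)"
}

report "$BROKEN_CONF" "constructed config mimicking the thread"
report "$FIXED_CONF" "constructed config after the fixes"
```

On the broken sample the report lists www.sortirdelamatrice.online and www.escapingthematrix.online as uncovered and counts one block without listen; on the fixed sample both checks are clean. The awk block counter only tracks braces, so it treats an `if (...) { ... }` on one line as balanced and does not descend into nested blocks.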

Hi Osiris, and for additional info: I have only set an A record for each domain to point to my VPS IP address, so I don't know if I have to add an additional A record for www?

Yes, or a CNAME which is what you have.

nslookup www.escapingthematrix.online

www.escapingthematrix.online    canonical name = escapingthematrix.online.
Name:   escapingthematrix.online
Address: 45.132.242.132
3 Likes

Hi Mike, OK so you mean I have to add an additional A record for www, right?

No, having a CNAME, which you do already, is just fine.

4 Likes

OK, thanks Osiris. I was a bit confused, since I am a game dev and web servers are a completely different ball game for me!

1 Like

Thanks again Mike for your time and patience. If I modify the config with your recommendation, should I just retry the certbot command again, or is there something else I have to do before?

1 Like

Hi again guys,
Since my websites' roots are located in their respective directories in my /home/user/public/escapingthematrix etc., do you think certbot requires the webroot command for this to work before I try again?
I don't want to exceed the limit of 50; that's why I am asking.

No, the --nginx plugin as authenticator should be able to handle it just fine.

What's the current status of your system? And what are you currently trying to achieve?

I see you have issued a cert with all domains in it @ crt.sh | 7860950194, but your domains themselves are not serving that cert, but a different certificate. Also some domains serve an incorrect one.

You can use certbot certificates to list all currently known certs.

And you can use certbot install --nginx --cert-name certname_found_with_above_command to try to install a certain certificate.

3 Likes
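When several certbot lineages overlap, as they do here after the "(E)xpand" step (the escapingthematrix.online lineage now holds all six names while the older naos-soultrap.online lineage holds two), picking the right --cert-name for certbot install can be done from the certbot certificates listing. The script below is an added example written for this page, not code from the thread or from Certbot. CERTS_OUTPUT is a constructed sample in the layout certbot certificates prints (Certificate Name, Domains, Expiry Date, Certificate Path, Private Key Path); the serial and expiry values in it are made up.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread or from Certbot.
# Parses "certbot certificates" output, finds the lineage whose Domains line
# covers every wanted name, and prints the matching "certbot install" command.
# Live usage:  sudo certbot certificates | install_command "$WANTED"

WANTED="sortirdelamatrice.online www.sortirdelamatrice.online \
escapingthematrix.online www.escapingthematrix.online \
naos-soultrap.online www.naos-soultrap.online"

# Constructed sample mimicking the state after the expand step in the thread.
CERTS_OUTPUT='Found the following certs:
  Certificate Name: escapingthematrix.online
    Domains: sortirdelamatrice.online www.sortirdelamatrice.online escapingthematrix.online www.escapingthematrix.online naos-soultrap.online www.naos-soultrap.online
    Expiry Date: 2023-01-27 00:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/escapingthematrix.online/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/escapingthematrix.online/privkey.pem
  Certificate Name: naos-soultrap.online
    Domains: naos-soultrap.online www.naos-soultrap.online
    Expiry Date: 2023-01-20 00:00:00+00:00 (VALID: 82 days)
    Certificate Path: /etc/letsencrypt/live/naos-soultrap.online/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/naos-soultrap.online/privkey.pem'

# One line per lineage: "<Certificate Name><TAB><Domains>"; listing on stdin.
cert_lineages() {
    awk '/^ *Certificate Name:/ { name = $3 }
         /^ *Domains:/ { sub(/^ *Domains: */, ""); print name "\t" $0 }'
}

# Lineage names whose Domains include every name in $1 (space separated).
certs_covering() {
    tab=$(printf '\t')
    cert_lineages | while IFS="$tab" read -r name domains; do
        ok=1
        for want in $1; do
            case " $domains " in
                *" $want "*) ;;
                *) ok=0 ;;
            esac
        done
        if [ "$ok" -eq 1 ]; then echo "$name"; fi
    done
}

# The install command for the first lineage covering everything in $1;
# fails with a message on stderr when no lineage does.
install_command() {
    name=$(certs_covering "$1" | head -n 1)
    if [ -z "$name" ]; then
        echo "no certbot lineage covers all of: $1" >&2
        return 1
    fi
    echo "sudo certbot install --nginx --cert-name $name"
}

printf '%s\n' "$CERTS_OUTPUT" | install_command "$WANTED"
```

With the sample above this prints `sudo certbot install --nginx --cert-name escapingthematrix.online`, which is the lineage the nginx installer needs for all six names; the naos-soultrap.online lineage is only reported when you ask for its two names alone. To confirm what each host actually serves afterwards, `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -noout -subject -ext subjectAltName` shows the SAN list of the certificate nginx presents for that name.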