One cert, multiple domains to individual certs for each domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jrscustomshop.com, devastationdesignstudio.com, thoughtsofblood.com(new)

I ran this command: sudo certbot -d thoughtsofblood.com -d www.thoughtsofblood.com

It produced this output:
http-01 challenge failed for thoughtsofblood.com
Invalid response from https://www.devastationdesignstudio.com/.well-known/acme-challenge/……/404 Not Found

My web server is (include version): apache2

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Wordpress

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

I think I need to separate the domains I host individually. How do I revert from multiple domains on one certificate to individual certificates.

You were already doing this:

Each domain you specify with -d will be included on the certificate, and no others. You may include as many or few as you want.

I believe the reason you are experiencing trouble here is that you have a complicated web of redirects set up using FreeDNS's URL redirection service.

For example, visiting http://thoughtsofblood.com redirects to https://www.devastationdesignstudio.com.

These uses of the URL redirection service are messing with the Let's Encrypt validation process.

I would guess that getting rid of the URL redirection service completely, and instead pointing all of the domains directly at your Apache server, is going to be the simplest way to get everything working.

Otherwise, you will need to address your problems in at least these respects:

  1. There's no point requesting a certificate for a domain your server isn't hosting. So for example, you shouldn't ask for a certificate for thoughtsofblood.com, because that's hosted on the URL redirector, not on your server. So the request that would make sense would be:

    certbot --apache -d www.thoughtsofblood.com
    
  2. Fix the FreeDNS redirections so they make sense. thoughtsofblood.com should redirect to www.thoughtsofblood.com, not to an unrelated domain.


Thank you for your awesome immediate reply, but I don’t think you understand my situation.

I actually wasn't doing that initially. Please access devastationdesignstudio.com in a browser and view the certificate... it's saying cloud.jrscustomshop.com as the SAN.

I ran the command I did to try and force the new domain as a new certificate, which fails because I have a feeling the one cert for all domains is now trying to roll up the new domain into the one when I'm trying to create its own and it's failing, hence the title of my post.

My DNS server is in fact pointing each domain to my server's IP, but I have a feeling it's the way I initially set up the cert as an all-in-one that it's trying to force any new domain I add into it as well.

My ask is how do I roll back from many domains under one certificate, to many certificates to each domain?

Thanks again!

-Josh


Thanks for clarifying. I think that we are on the same page about what you want to achieve.

Are you sure? You have your base domains pointing to the URL redirector and only the www-domains to your actual webserver:

$ dig +noall +answer {www.,}devastationdesignstudio.com
www.devastationdesignstudio.com. 3600 IN    A       162.229.229.147
devastationdesignstudio.com.     3600 IN    A       169.47.130.73

$ dig +noall +answer {www.,}thoughtsofblood.com
www.thoughtsofblood.com. 3600   IN      A       162.229.229.147
thoughtsofblood.com.     3600   IN      A       169.47.130.88

I think the command you tried is exactly the right thing, for what you want to do: you'd install a set of smaller certificates, then eventually delete the large certificate, which you'd no longer be using.

Where we might have different ideas, is why it's not working.

My read of your situation is still that it's the FreeDNS URL redirection setup that is preventing the command from succeeding.

Put another way, I don't think that the currently installed certificate (with many SANs) is the cause of the failure.

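The two checks in the replies above (does each name you pass with -d resolve to your own server, and does the http-01 challenge path come back from that server rather than from the redirector) can be scripted as a pre-flight before running certbot. The script below is an added example for this thread, not code from the original posts or from certbot. The server address 162.229.229.147 is taken from the dig output above; the probe token name, the sample DNS table and the modelled redirector behaviour are constructed for the offline demo, and the resolver and fetcher are swappable so the same logic runs against the real network.

```python
#!/usr/bin/env python3
"""Pre-flight for one-certificate-per-name certbot runs (added example).

For each name you intend to pass with -d, check that (1) its A record
points at this server and (2) a request for /.well-known/acme-challenge/
<token> ends up on this host and not on a URL redirector elsewhere.
"""
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ACME_PATH = "/.well-known/acme-challenge/"
PROBE_TOKEN = "preflight-probe"  # assumed token name; any short string works


@dataclass
class Verdict:
    name: str
    ok: bool
    reasons: list = field(default_factory=list)


def resolve_a(name):
    """Default resolver (network): sorted IPv4 addresses for name."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 80, socket.AF_INET)})


def fetch(url):
    """Default fetcher (network): follow redirects, return (final_url, status)."""
    req = urllib.request.Request(url, headers={"User-Agent": "preflight"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.geturl(), resp.getcode()
    except urllib.error.HTTPError as err:
        # a 4xx/5xx still tells us which host answered after redirects
        return err.geturl(), err.code


def check_name(name, server_ip, resolver=resolve_a, fetcher=fetch):
    """Decide whether `name` can pass http-01 from the host at server_ip."""
    reasons = []
    try:
        addrs = resolver(name)
    except OSError as err:
        addrs = []
        reasons.append(f"does not resolve: {err}")
    if addrs and server_ip not in addrs:
        reasons.append(f"A record points at {', '.join(addrs)}, not {server_ip}")

    try:
        final_url, status = fetcher(f"http://{name}{ACME_PATH}{PROBE_TOKEN}")
    except OSError as err:
        reasons.append(f"challenge path unreachable: {err}")
        return Verdict(name, False, reasons)

    final_host = (urlsplit(final_url).hostname or "").lower()
    if final_host != name.lower():
        # the failure in this thread: the redirector sends the validator
        # to another site, which answers 404 for the token
        reasons.append(f"challenge request redirected to {final_url}")
    elif status not in (200, 404):
        # 404 from *this* host is fine before certbot writes the token
        reasons.append(f"challenge path returned HTTP {status}")
    return Verdict(name, not reasons, reasons)


def plan(names, server_ip, **kw):
    """Check every name; emit one certbot command per name that passed."""
    verdicts = [check_name(n, server_ip, **kw) for n in names]
    return verdicts, [f"certbot --apache -d {v.name}" for v in verdicts if v.ok]


# Constructed sample data modelled on the dig output in the thread: the www
# names point at the server, the apex names at the FreeDNS redirector.
SAMPLE_SERVER_IP = "162.229.229.147"
SAMPLE_DNS = {
    "www.thoughtsofblood.com": ["162.229.229.147"],
    "thoughtsofblood.com": ["169.47.130.88"],
    "www.devastationdesignstudio.com": ["162.229.229.147"],
    "devastationdesignstudio.com": ["169.47.130.73"],
}


def sample_resolver(name):
    if name not in SAMPLE_DNS:
        raise OSError("NXDOMAIN")  # mimic socket.gaierror
    return SAMPLE_DNS[name]


def sample_fetcher(url):
    """Models the setup described in the thread (constructed behaviour)."""
    parts = urlsplit(url)
    addrs = SAMPLE_DNS.get(parts.hostname)
    if not addrs:
        raise OSError("name or service not known")
    if SAMPLE_SERVER_IP in addrs:
        return url, 404  # our Apache: path served, token not yet written
    # redirector: bounces the request to an unrelated https site
    return "https://www.devastationdesignstudio.com" + parts.path, 404


def demo():
    names = ["thoughtsofblood.com", "www.thoughtsofblood.com",
             "devastationdesignstudio.com", "www.devastationdesignstudio.com"]
    return plan(names, SAMPLE_SERVER_IP,
                resolver=sample_resolver, fetcher=sample_fetcher)


if __name__ == "__main__":
    verdicts, commands = demo()
    for v in verdicts:
        print(("OK   " if v.ok else "FAIL ") + v.name, *v.reasons, sep="\n    ")
    print("\n".join(commands))
```

Against the real network, call plan() with your own server IP and the default resolver and fetcher; every name that fails the A-record check is one your server isn't hosting, so leave it off the -d list until DNS (or the redirect) is fixed.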

Thank you for the reply. I’ll drill down the dns settings tonight and see what I can do.

-Josh

_az,

So I updated the URL redirect to point to my server IP, created individual certificates for each domain, and deleted the one-for-all certificate.

I was dealing with all sorts of redirects in my Apache vhost files due to the one-for-all cert.

I then updated the certificate file paths in each -le-ssl sites-available file and re-enabled the SSL sites with the handy a2ensite command (any edit to the sites-available file removed it from the sites-enabled directory).

Happy to report everything is working MUCH better now! Thank you for your insight.

-Josh

