One certificate for many domains


#1

Hi!

Is it possible to issue just one certificate for many domains? Is there any kind of problem with that? Right now I’m using:

certbot-auto certonly --standalone --email XXXX@domain.com -d domain.com -d www.domain.com -d blog.domain.com -d another.domain.com

I’m using nginx, and I need to stop and start the service every time I need to renew/issue, so I would like to use --webroot, but I have different paths and apps for every domain, e.g. domain.com and www.domain.com are in /var/www/domain but blog.domain.com is in /var/www/blog. Is it still possible to have one certificate for all the domains? What would be the drawbacks? The command would be like this:

certbot-auto certonly --webroot -w /var/www/domain -d domain.com -d www.domain.com -d blog.domain.com -d another.domain.com

Thanks!


#2

@punchi, what you describe should work properly in the way you’ve described it, except that you need to add another -w for the domains using a different domain, like

-w /var/www/domain -d domain.com -d www.domain.com -w /var/www/blog -d blog.domain.com -d another.domain.com

This is also assuming that another.domain.com also uses the /var/www/blog webroot; otherwise, you need a 3rd -w to specify the webroot for that site.


#3

Thanks for the reply, @schoen! But what if I leave all the domains with just -w /var/www/domain? E.g.:

certbot-auto certonly --webroot -w /var/www/domain -d domain.com -d www.domain.com -d blog.domain.com -d another.domain.com

Why should I separate them into different webroots if I could point all the SSL certificate paths to the same one? And they’ll be created in /etc/letsencrypt/live/?


#4

The webroot is used for authenticating your control over each domain, so it needs to match where the content of each site is served from – because the webroot plugin is going to change that content as part of the authentication process. If you have three different sites with different content, you need to supply three different -w values so that Certbot knows where to make the changes in response to the challenges associated with each domain.
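
An added example, not part of the thread or of Certbot's own code: a local shell model of the behaviour described in post #4, showing which webroot each -d is paired with and which domains would fail validation when the challenge file lands outside the directory the site is served from. The function names are hypothetical, the document roots are assumed from post #1, and the token is constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: a local model of certbot's webroot plugin.

# Print "domain webroot" per -d; each -d uses the most recent preceding -w.
map_webroots() {
  local current=""
  while [ $# -gt 0 ]; do
    case "$1" in
      -w|--webroot-path) [ $# -ge 2 ] || break; current=$2; shift 2 ;;
      -d)                [ $# -ge 2 ] || break; printf '%s %s\n' "$2" "$current"; shift 2 ;;
      *)                 shift ;;
    esac
  done
}

# Assumption: the directory nginx serves for each hostname, as described in post #1.
docroot_for() {
  case "$1" in
    domain.com|www.domain.com) echo /var/www/domain ;;
    blog.domain.com)           echo /var/www/blog ;;
    *)                         return 1 ;;
  esac
}

# Write a constructed token where the plugin would put it, then look it up where
# the web server would read it. Prints the domains whose lookup would fail.
simulate_http01() {
  local sandbox domain webroot served failed=""
  sandbox=$(mktemp -d)
  while read -r domain webroot; do
    [ -n "$domain" ] || continue
    # The plugin writes under <webroot>/.well-known/acme-challenge/
    mkdir -p "$sandbox$webroot/.well-known/acme-challenge"
    echo constructed-token > "$sandbox$webroot/.well-known/acme-challenge/$domain.token"
    # The CA requests http://<domain>/.well-known/acme-challenge/<token>,
    # which the server resolves against that site's own document root.
    served=$(docroot_for "$domain") || served=/nonexistent
    [ -f "$sandbox$served/.well-known/acme-challenge/$domain.token" ] || failed="$failed $domain"
  done <<EOF
$(map_webroots "$@")
EOF
  rm -rf "$sandbox"
  echo "${failed# }"
}

# Post #3's single-webroot layout (another.domain.com omitted: its docroot is not given).
simulate_http01 --webroot -w /var/www/domain -d domain.com -d www.domain.com -d blog.domain.com
```

The final call prints the one domain whose challenge file would not be found; adding `-w /var/www/blog` before `-d blog.domain.com` makes the output empty.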


#5

Thanks! 🙂


#6

It’s also possible to run letsencrypt separately for each directory, but the solution above is of course smarter.

