Hello,
Is there an option to install “Let’s Encrypt” on one server and it issues a certificate for multiple servers?
I assume the server will ask for CSR of other servers and it’ll generate public & private keys.
Thanks.
You can use the “manual” method (whereby you provide the CSR of other servers) yes.
1 Like
Even in manual mode there's no explicit need to generate your own CSR: the Let's Encrypt client can do that for you. Granted, if you'll generate all the private keys and CSR's on those other servers, it'll save you the hassle of transferring the privkey.pem safely from the Let's Encrypt client to those other server in the case you let the client handle everything. But it is possible 
1 Like
Thanks a lot for the quick respond!
Is there any guide that explains about the manual method process?
What steps should I take to create the certificates?
There is a detailed description at https://www.tty1.net/blog/2015/using-letsencrypt-in-manual-mode_en.html of using manual mode if that helps.
2 Likes
Sorry for the stupid question, but can you tell me where should I add [SAN] configuration?
For example:
[SAN]
subjectAltName=DNS:example.com,DNS:www.example.com,DNS:example.net,DNS:www.example.net
Maybe at: /etc/pki/tls/openssl.cnf ?
1 Like
Yes it would need to go into the openssl.cnf file - you can always copy the default file to an alternate file - see http://wiki.cacert.org/FAQ/subjectAltName
2 Likes
Depends on your distribution. On my Gentoo it’s found in /etc/ssl/openssl.cnf
Alright, I understood.
So I can create a new openssl.cnf file that contains the specific content, for example:
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ san ]
subjectAltName=${ENV::SAN}
Am I right?
Yes, and then you can use that specific config file with openssl by using the -config your_config_file.cfg option.
1 Like
I received the following error:
ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/challenge/4xKGIQeGfUexEHDaN66bGijM-4HUH4dwPQiqQQFLUJQ/1503077 (Status 400)
Do you know what is it?
[quote=“asaf, post:11, topic:6562”]
Do you know what is it?
[/quote]Do provide what command line you used.
./letsencrypt.sh -config config.sh
Sorry, I thought you were following the manual method as explained in Using Let's Encrypt in manual mode
and that you were trying (originally to do the step)
openssl req
-new -newkey rsa:2048 -sha256 -nodes
-keyout privkey1.pem -out signreq.der -outform der
-subj "/C=UK/ST=Some State/L=Some Place/O=example.com/emailAddress=webmaster@example.com/CN=example.com"
-reqexts SAN
since you were asking about the SAN. My comment about the -config was on that line ( for openssl) and not the LE scrypt.
Ahh... alright,
By the way, I've tried to do the manual method but It didn't worked for me.
I added;
[SAN]
subjectAltName=DNS:example.com,DNS:www.example.com,DNS:example.net,DNS:www.example.net
to the openssl.cnf file and edit config.sh file to point on openssl.cnf file.
Then I wrote in the command line:
openssl req
-new -newkey rsa:2048 -sha256 -nodes
-keyout privkey1.pem -out signreq.der -outform der
-subj "/C=UK/ST=Some State/L=Some Place/O=example.com/emailAddress=webmaster@example.com/CN=example.com"
-reqexts SAN
and I received the following error:
Error Loading request extension section SAN
Where does config.sh come from? 
https://www.tty1.net/blog/2015/using-letsencrypt-in-manual-mode_en.html doesn’t mention any config.sh file, so I have no idea what the config.sh file you edited was, but I don’t think it has anything do so with the openssl command, hence the openssl command has (I’m assuming) no idea about the local “openssl.cnf” file you created defining SAN. Hence you are getting the error loading the section “SAN”.
OK… so where should I add:
[SAN]
subjectAltName=DNS:example.com,DNS:www.example.com,DNS:example.net,DNS:www.example.net
??
You can either add it to your main openssl.cnf file, or you can copy / create a new openssl conf file ( possibly called openssl-mydomain.cnf )
If you add it to the correct openssl.cnf file - you can use the openssl command as above ( with obviously changing the values for subject, keys etc). If you created openssl-mydomain.cnf then you will need to add -config openssl-mydomain.cnf onto the openssl command when generating the key and a Certificate Signing Request
1 Like
Thank you very much!