Requesting multiple certificates with webroot only returns one certificate?

Hi!

I’m trying to request new certificates via the webroot method. I’m currently using the --staging option to get it right before I automate the process.

(My webserver is currently not running. Therefore my real domains are not accessible, so I'll explain using made-up domain names to simplify.)

I currently have three domains. All subdomains of domain.com (sub1, sub2 and sub3). They are all correctly configured through Apache (as virtual hosts) with an alias to map .../.well-known/acme-challenge to a common folder where certbot puts its challenges. The challenges are successful, but while the challenges are running, I only see one file under .../.well-known/acme-challenge. Shouldn't there be a challenge file for each domain?

When I run my command:

certbot certonly --webroot -w /var/www \
--staging \
--email ########## \
-d sub1.domain.com -d sub2.domain.com -d sub3.domain.com \
--rsa-key-size 4096 \
--agree-tos \
--force-renewal

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sub1.domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sub1.domain.com/privkey.pem
   Your cert will expire on 2020-01-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

Which looks like only the first certificate was produced.

Looking into my .../letsencrypt/live/-folder I can confirm that it only contains sub1.domain.com.

I can post the logs if requested.

Does anyone know why I only get certificates for one of my domains? Is it because I use a common challenge folder for all the domains?

I have full control over the server, domains, etc., and am running certbot in a Docker container. Certbot version is: certbot 0.39.0

Any help is greatly appreciated!
-Vis

When you run Certbot once, it creates one certificate, including all of the names requested.

The directory is named after the first -d option, but every name is included in the certificate.

(Unless, potentially, you use the --allow-subset-of-names option and validation fails for some names.)

What is the output of "certbot certificates"?

If your ACME account has recently validated the same names, Certbot doesn't have to do so again, so it may have only needed to validate some or none of the names in the certificate.

If that output is complete, that suggests it didn't have to validate any names. If it had to do any validations, it would have listed them in between those two lines.


Hi @Vis

If you have validated a domain name, the result is cached for 30 days and re-used.

So no challenge is required.

Perhaps that explains why you see only one validation file.

Amazeballs, you are right! They are all packed into the same file!

I suspected it might be something like that, but I had no way to verify, as opening the certificates yields no information as to which domains they cover. certbot certificates did the trick! It lists all three domains under the same certificate name.

Is there however any way to separate the certificates? Before I thought of asking the good folks here I was going to request the certificates one by one, but requesting the certificates individually takes a lot more time. One request would be preferable, but as this is just done once, it’s not a very big deal. I just prefer elegant solutions :sunglasses:

Side note: part of the reason why I’d like to have separate certificates is that they will be used in different apps potentially on separate machines at least in separate VMs/containers.

Thanks for the reply, Juergen!

I realized there was some kind of caching as the response varied from the first request to the next test. I thought it might be related too, but trying with two new domains didn’t make any difference.

But it looks like mnordhoff was right. The certificate is valid for all three domains and the name was taken from the first -d argument.

Do you have any idea how I could separate the certificates without doing three separate requests? :thinking:

Any help is appreciated :innocent:
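Two points from this thread lend themselves to a worked example: checking which hostnames a single Certbot lineage actually covers (the names live in the certificate's Subject Alternative Name extension, which is what "certbot certificates" reads back), and getting one lineage per hostname, which Certbot only does one run at a time, so "one request" in practice means one loop over separate runs with --cert-name pinning each directory name. The script below is an added example, not code from the thread or from Certbot. It assumes openssl is on PATH; the sub1/sub2/sub3.domain.com names are the thread's made-up ones, /var/www is the webroot from the original command, and the self-signed certificate is constructed here purely as sample input standing in for /etc/letsencrypt/live/sub1.domain.com/fullchain.pem.

```shell
#!/bin/sh
# Added example, not from the thread or from Certbot. Requires openssl.

# Print the DNS names in a certificate's Subject Alternative Name
# extension, one per line. This is what tells you which hostnames a
# single Certbot lineage covers, regardless of the directory name.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# Exit 0 if the certificate lists NAME among its SANs, 1 otherwise.
# Usage: cert_covers /etc/letsencrypt/live/sub1.domain.com/fullchain.pem sub2.domain.com
cert_covers() {
    cert_dns_names "$1" | grep -qx "$2"
}

# Emit one certbot command per hostname. Certbot creates exactly one
# lineage per run, so separate certificates mean separate runs; --cert-name
# pins each lineage directory instead of letting the first -d decide it.
# Pipe the output to sh to execute, or review it first. --staging is kept
# to match the thread's testing setup; drop it for production issuance.
# The webroot path is the first argument (assumed /var/www as in the thread).
separate_cert_commands() {
    webroot="$1"; shift
    for name in "$@"; do
        printf 'certbot certonly --webroot -w %s --staging --cert-name %s -d %s\n' \
            "$webroot" "$name" "$name"
    done
}

# Constructed sample input: a self-signed certificate carrying three SANs,
# standing in for a real Let's Encrypt fullchain.pem. Prints its path.
make_sample_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" \
        -subj '/CN=sub1.domain.com' \
        -addext 'subjectAltName=DNS:sub1.domain.com,DNS:sub2.domain.com,DNS:sub3.domain.com' \
        >/dev/null 2>&1
    printf '%s\n' "$dir/fullchain.pem"
}
```

Running cert_dns_names against the lineage from the thread would list all three subdomains under the one sub1.domain.com directory, which is the behaviour mnordhoff describes. separate_cert_commands /var/www sub1.domain.com sub2.domain.com sub3.domain.com prints three certbot invocations; each one still performs its own validation round against the webroot, so the caching note in the thread applies to each name independently.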
