Setting up Letsencrypt for a single Wordpress Multisite installation with many domains?

Hi,
I made a thread at digital ocean about this, which is where I’m hosting
https://www.digitalocean.com/community/questions/how-to-setup-virtualhosts-properly-for-wordpress-multisite-from-one-click-wordpress-setup-with-letsencrypt
I’m having a really hard time with certbot to install an SSL cert for more than the first domain.
I’ve tried adding additional blocks of virtual host with each declaring ServerName for the domains.
I’m a novice, I’ve been reading a ton, none of which ended up helping solve this issue.
Please, how do I get this to work? thank you

I used
sudo certbot --apache -d domainname.com
for the first domain and everything worked perfectly
But I can’t get it to work either by expanding or new cert for more domains.

Hi @tryhardandfails,

What error message do you get in this case?

Also, what are the domain names that work and that don’t work?


This is what certbot --apache -d domainname1.com accepts (in sites-available .conf files for default and ssl)
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =domainname1.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on
    # Some rewrite rules in this file were disabled on your HTTPS site,
    # because they have the potential to create redirection loops.

    # RewriteCond %{SERVER_NAME} =domainname1.com
    # RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

    ServerName domainname1.com
    SSLCertificateFile /etc/letsencrypt/live/domainname1.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domainname1.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Attempting to add another domain, either to the cert by expanding or by adding a whole new cert for another domain, gives two different errors. Both revolve around a virtual host issue with what’s above.

If I try to do something like this

<VirtualHost *:80>
    ServerName domainname1.com
    DocumentRoot /var/www/html

    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =domainname1.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
    ServerName domainname2.com
    DocumentRoot /var/www/html

    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =domainname2.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName domainname1.com
    DocumentRoot /var/www/html

    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on

    SSLCertificateFile /etc/letsencrypt/live/domainname1.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domainname1.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

<VirtualHost *:443>
    ServerName domainname2.com
    DocumentRoot /var/www/html

    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on
    # commented out because not set up yet; if I leave this in, certbot won't install the cert either
    #SSLCertificateFile /etc/letsencrypt/live/domainname2.com/fullchain.pem
    #SSLCertificateKeyFile /etc/letsencrypt/live/domainname2.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Everything breaks for wordpress (“website can’t be found” type errors) and certbot won’t set up/install a second domain name cert. And I need certs for about 20 domain names. I assume this will take something done manually instead of relying on the --apache flag? The virtual hosts setup for this situation is what I’ve been trying my google-fu at and have come up short on working solutions. I don’t use www for any of the domains, and want forced https on all of them, and it seems that would be straightforward… but… what am I doing wrong? thank you

I’d like to know the actual domains and the actual error messages. For example, when you say “certbot won’t setup/install a second domain name cert”, why did it say that it wouldn’t do this? What did it tell you the problem was?


-image removed for privacy-

^ This is the first error if I don’t manually try to modify my virtual host files.
Domains are shown in the image

“No vhost exists with servername or alias…”

And if I try to add the 2nd domain to the virtual hosts file with its own block like I referenced above to the same documentroot, wordpress breaks. I’ve also read that Certbot doesn’t support alias, is this true? That’s why I tried to give the second domain its own block, but it has to use the same document root as domain 1.

I don’t want spam so I’d rather not type out the domains if you don’t mind?

It's often relevant if you get an error message where the CA tried to validate the domain and failed—we can often do tests and see if there is a DNS misconfiguration. In some cases we wasted a pretty large amount of time with problems that experts on this forum could have identified in a matter of seconds if we had seen the domain names, such as a DNS error that we had seen in other cases.

However, I agree that in this case the error does not appear to be one that we could diagnose by seeing the domain name.

In this case, the "note: conf files with multiple vhosts are not yet supported" is probably an important clue. This means that your version of Certbot doesn't know how to deal with an Apache configuration file that contains more than one virtual host definition in the same file (as opposed to the commonly-suggested approach of making a separate file in /etc/apache2/sites-available for each virtual host). This is apparently the case with the configuration files that you posted above... it looks like you're just adding more virtual hosts to 000-default.conf instead of making new, separate Apache configuration files when you add each virtual host. So that might be confusing your Certbot when you try to get certificates that relate to the names supported by your various virtual hosts.


So all I need to do is clone that 000-default.conf file for each domain and modify the one part in the file with the respective new domain name and certbot should be able to figure the rest out?

Yes, I think that will likely help with this problem. The convention would be to put them in /etc/apache2/sites-available and then create symlinks into /etc/apache2/sites-enabled (which can be done for you by the program a2ensite).

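The approach described in the reply above (one site file per domain, each with its own ServerName and the shared DocumentRoot), as an added example that is not part of the thread or of Certbot: a POSIX shell function that writes such a file, plus a check that a file contains exactly one VirtualHost block, since the Certbot version in the thread does not handle multiple vhosts per file. It assumes the Debian/Ubuntu Apache layout (/etc/apache2/sites-available, a2ensite) and takes the output directory as a parameter so it can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread or Certbot). Writes one Apache site file
# per domain so that Certbot's Apache plugin sees a single vhost per file.
# Assumes the Debian/Ubuntu layout under /etc/apache2; the shared DocumentRoot
# is the WordPress Multisite root used throughout the thread.

DOCROOT=/var/www/html

# make_vhost DOMAIN OUTDIR: writes OUTDIR/DOMAIN.conf with a port-80 vhost that
# redirects to HTTPS. Certbot's installer adds the :443 vhost itself later.
make_vhost() {
    domain=$1
    outdir=$2
    cat > "$outdir/$domain.conf" <<EOF
<VirtualHost *:80>
    ServerName $domain
    ServerAdmin webmaster@localhost
    DocumentRoot $DOCROOT

    <Directory $DOCROOT/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog \${APACHE_LOG_DIR}/error.log
    CustomLog \${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =$domain
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
EOF
}

# vhost_count FILE: number of <VirtualHost blocks in FILE; Certbot wants 1.
vhost_count() {
    grep -c '^<VirtualHost' "$1"
}

# On the real server (as root), for each domain:
#   make_vhost domainname2.com /etc/apache2/sites-available
#   a2ensite domainname2.com.conf
#   apachectl configtest && systemctl reload apache2
```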

I did as instructed, used
sudo ln -s /etc/apache2/sites-available/domainname2.conf /etc/apache2/sites-enabled/
for enabling/creating symlink.
Ran certbot again.
-image removed for privacy-
It’s exactly the same as 000-default.conf with the exception of the 1st domain being swapped out for the second domain.
so then… figured I needed to add servername to the block in each file.
restarted apache after making those changes
service apache2 restart
and would you know son of a gun it seems to have worked.
thank you! This was a huge help!

Awesome! I’m glad this worked out for you.


One last question, I’m behind Cloudflare… in order to activate a cert I have to disable cloudflare. So then for renewals… will they still work with cloudflare up or do I have to figure out 90s periods to disable cloudflare so that the certs will update? Thank you.

For authentication to work behind Cloudflare, you’ll need to use the webroot plugin, because the Apache authenticator needs “direct” access to port 443 on your server.

You can read more about the webroot plugin here.

I recommend keeping the apache plugin for installing the certificates (using -i apache), but using the webroot plugin for authentication with -a webroot (and the other options required like -w).


Thank you, is there an easier-to-follow tutorial on how I can install/use this plugin and have it auto-renew the installed certs for me?
Eg so do I, or can I, modify the current certs to use webroot for authenticator? -a

edit:
Never mind… this seemed to work, could you validate this please?
Running over each existing cert, and then checking if it works

sudo certbot -a webroot -i apache -w /var/www/html -d example.com
sudo certbot certonly --dry-run -w /var/www/html -d example.com

Hope I’m not messing anything up?

edit2:
That didn’t seem to work when doing

certbot renew --dry-run

Did the reinstall I did not replace how the cert authenticates automatically?

You can check with certbot certificates to make sure that you didn’t accidentally create a duplicative certificate.


Hi Schoen,
Thank you, no dupes, everything looks good there.
Is there a way to check if the automated renewal process will end up using the webroot plugin instead of the apache plugin?

You can look at the files in /etc/letsencrypt/renewal. They state which plugin will be used as authenticator in the [renewalparams] section.

There’s a difference between using the apache installer plugin and using the “certonly” function without an installer plugin: you’ll have to reload your Apache manually (or through a “hook”, see the certbot manual).

Because you already have valid HTTPS virtualhost generated with the apache installer plugin, there’s really no reason to not use the certonly mode. Just make sure you know what you’re doing.
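The check suggested above (read the [renewalparams] section of each /etc/letsencrypt/renewal/*.conf to see which authenticator renewal will use), as an added example that is not part of the thread or of Certbot: a POSIX shell/awk reader for that section, with a constructed sample file in the shape Certbot writes. The key names authenticator, installer and webroot_path are Certbot's; the account id and paths in the sample are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or Certbot). Reads the [renewalparams]
# section of a Certbot renewal config and reports authenticator/installer, so
# you can confirm renewals will use webroot (works behind Cloudflare) rather
# than the apache authenticator (needs direct access to the server).

# renewal_param FILE KEY: value of KEY inside [renewalparams], empty if absent.
# Lines outside that section (cert paths, [[webroot_map]]) are ignored.
renewal_param() {
    awk -v key="$2" '
        /^\[/ { insect = ($0 == "[renewalparams]"); next }
        insect && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# check_renewal FILE: prints the plugins in use; exit status is 0 only when the
# authenticator is webroot, so a loop over the directory flags stragglers.
check_renewal() {
    auth=$(renewal_param "$1" authenticator)
    inst=$(renewal_param "$1" installer)
    printf '%s: authenticator=%s installer=%s\n' "$1" "${auth:-none}" "${inst:-none}"
    [ "$auth" = webroot ]
}

# write_sample FILE: constructed sample in the layout Certbot writes.
# Account id and paths are placeholders, not values from any real server.
write_sample() {
    cat > "$1" <<'EOF'
# renew_before_expiry = 30 days
version = 1.0.0
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 0000000000000000000000000000placeholder
authenticator = webroot
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path = /var/www/html,
[[webroot_map]]
example.com = /var/www/html
EOF
}

# On the real server:
#   for f in /etc/letsencrypt/renewal/*.conf; do check_renewal "$f"; done
```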
