Several domains - one IP address

I have a different use case than what I’ve been able to find in the guides (Digital Ocean). I’m not really literate in Linux but I can follow directions. Getting Let’s Encrypt working on 1 computer works great, but my actual use case is not working. Here’s what I need to do:

  • Host various domains from my house.
  • I have one Linux computer with Apache set up to host 3 domains
  • My house can only have 1 IP address (one modem)

Are there any guides that let me use the Let’s Encrypt scripts to make certs for 2+ domains, on one machine, both at the same IP address?

Hi @UFONinja

that's the normal setup.

Select a client.

If you want to use http-01 validation, check that every domain has a working port 80 vHost.

Then start your client to create certificates.

@UFONinja

I recommend using the staging environment while you work through a new deployment.

3 Likes

Indeed. I just reviewed the Ubuntu install instructions and it’s come quite a long ways since I originally used it. Got multiple domains going just fine. The only remaining issue is that http --> https redirect isn’t working.

1 Like

Then share your vHost configuration and your domain name.

Here is one file… stellar7.ml.conf
The other domains have similar configuration files under /etc/apache2/sites-available.

<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin admin@stellar7.ml
	ServerName stellar7.ml
	ServerAlias www.stellar7.ml
	DocumentRoot /var/www/stellar7.ml/public_html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
	RewriteEngine on
	RewriteCond %{SERVER_NAME} =stellar7.ml
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
1 Like

The redirect does work, but only for the non-www domain, not for www.stellar7.ml.

I don't know if certbot added this redirect (normally, it places comments to explain that it did), but you can fix it by changing

to

It's a port 80 vHost with two domain names (ServerName and Alias). So you don't need a Rewrite Condition.

You want to redirect the complete traffic.

I commented out:

#RewriteEngine on
#RewriteCond %{SERVER_NAME} =stellar7.ml
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Then restarted Apache, but it is not redirecting http://www.stellar7.ml to https://.

Please read some basics about Rewrite Rules and redirects.

You don’t need a condition.

Well I found this: https://httpd.apache.org/docs/current/rewrite/avoid.html#redirect

But I was under the impression that the Certbot did this. I could swear that I remember answering Yes to redirecting http to https.

Hi UFONinja,

Maybe you can try this for your non HTTPS vhost:

<VirtualHost *:80>
  ServerName   stellar7.ml
  ServerAlias  www www.stellar7.ml
  Redirect     permanent / https://stellar7.ml/
</VirtualHost>

I guess the rest (logs, folder, …) is not needed, as you will not be touching the HTTP section anymore.
Jacek

That worked perfectly. Thank you so much.

Glad that it worked for you.

Although, Letsencrypt is strictly about SSL/Security; as such, in my opinion, using REWRITE rules should be discouraged if REDIRECT is an option. Take a look at those two pages (Apache documents):
https://cwiki.apache.org/confluence/display/HTTPD/RedirectSSL
https://cwiki.apache.org/confluence/display/HTTPD/RewriteHTTPToHTTPS
The second page clearly states that “Using mod_rewrite to do this [redirect from HTTP to HTTPS] isn’t the recommended behavior.” Similar thing is hinted in the last paragraph of ‘Simple Redirection’ link you provided.

Thank you, Jacek

2 Likes

@schoen Is there a reason why certbot uses mod_rewrite for these redirects?

1 Like

Let’s ask @bmw (although I think @jdkasten originally added this feature many years ago while he was still the original Certbot developer).

2 Likes

The reason we use mod_rewrite is because we want to be able to only add redirects for the specific domains that we enabled HTTPS for. If your HTTP vhost is being used for other domains that aren’t in the certificate, redirecting them to HTTPS will cause an error.

2 Likes

Could you clarify it a bit more for me? Redirect will cause an error if

<VirtualHost *:80>
  ServerName   example1.com
  ServerAlias  example2.com
  Redirect     permanent / https://example1.com/
</VirtualHost>

or rather

<VirtualHost *:80>
  ServerName   example1.com
  Redirect     permanent / https://example1.com/
</VirtualHost>
<VirtualHost *:80>
  ServerName   example2.com
</VirtualHost>

where only the example1 is HTTPS enabled.

1 Like

In your first example, http://example2.com will redirect to https://example1.com. This will not cause an error and if you’re OK with the domain change, this works just fine.

In your 2nd example, http://example2.com will not be redirected to HTTPS which is also not an error.

The reason Certbot uses mod_rewrite is both to avoid changing the domain users visit and to avoid doing something like redirecting from http://example2.com to https://example2.com, which would cause an error if example2.com doesn’t have HTTPS set up.

3 Likes
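To make the distinction above concrete, here is an added port 80 vHost (an illustration written for this thread, not Certbot's own output and not from any poster) whose alias list mixes covered and uncovered names: the thread's example1.com and example2.com, plus an assumed www.example1.com. The certificate is assumed to cover example1.com and www.example1.com only; the commented-out unconditional rewrite would push example2.com to an HTTPS host that cannot serve it, while the conditional form redirects only the covered names.

```apache
<VirtualHost *:80>
    ServerName  example1.com
    ServerAlias www.example1.com example2.com
    DocumentRoot /var/www/example1.com/public_html

    # Assumption for this example: the certificate on the :443 vHost covers
    # example1.com and www.example1.com only; example2.com has no HTTPS vHost.

    # Unconditional form ("you don't need a condition"): sends every name on
    # this vHost to HTTPS on the same name. For example2.com that becomes
    # https://example2.com, which has no certificate, so the browser shows a
    # TLS error instead of a page. Kept commented out as the counter-example.
    #RewriteEngine on
    #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

    # Conditional form (the pattern Certbot described): redirect only the
    # names the certificate covers, each to itself, so the visitor stays on
    # the host they asked for. %{SERVER_NAME} reflects the request's Host:
    # header as long as UseCanonicalName is Off (the default); with it On
    # every request would compare as the ServerName above instead.
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =example1.com [OR]
    RewriteCond %{SERVER_NAME} =www.example1.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

    # example2.com matches neither condition and is served over plain HTTP.
</VirtualHost>
```

The same `[OR]` pair is what the earlier stellar7.ml vHost was missing for its www name. From the server itself, `curl -sI -H 'Host: example2.com' http://127.0.0.1/` should return no `Location:` header, while the same request with `Host: www.example1.com` should answer 301 with `Location: https://www.example1.com/`.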

Thank you Brad. I have both those cases in my httpd.conf file, and also don’t see any problems. So, we are on the same page here.

However, I still don’t see what is the case that you are trying to describe. I guess, an example of pre-certbot vhosts and SSL requests would help me, as my knowledge is rather limited here.

As far as I can tell, if there are two TLDs involved, the two cases (sans Redirect statements) that I provided cover all possible vhost situations. Of course, on top of that you need to lay the SSL request. However, from what you are describing, I gather that due to some potential issues with certbot code not having enough information or not having a proper logic, against Apache's recommendation certbot is pushing REWRITE statements for all possible cases. And one of the manifestations of that is this exact thread, where UFONinja is confused (like a lot of others), and a convoluted solution is being pushed on him. Although, this is another issue (the first being certbot producing REWRITE, the second is still pushing REWRITE in this community).

Don’t get me wrong, I don’t have a bone in this discussion, as I need to do manual updates, and modified my httpd.conf/ssl.conf manually. I am also really grateful for what Letsencrypt provides.

Jacek