Subdomains and certs again)

paleale 2015-12-15 11:36:25 UTC #1

(Noob!)
As I understand, if I have some subdomens, I should run LE for each subdomain manually, ok?
I can't just specify 2lvl domain.com, because I need wildcard...
But how I can to do this? Webroot or manual section in man... can't get it.

Osiris 2015-12-15 11:51:15 UTC #2

Although wildcard certificates aren't possible, you can specify multiple domains (up to 100 in total), including subdomains of the same "main" domain, so you'll end up with one certificate for all of them. Just add multiple -d switches to the command line of the Let's Encrypt client. It doesn't matter if you use the webroot, manual or whatever plugin As a matter of fact.. I was under the impression that the fully automated Apache of nginx plugin would automatically detect every domain in your server's configuration.. If for some reason an automated plugin isn't working, you can always use the webroot (or manual) plugin.

Example:

letsencrypt-auto certonly --webroot --webroot-path /var/www/vhosts/example.com/htdocs/ -d example.com -d www.example.com --webroot-path /var/www/vhosts/mail.example.com/htdocs/ -d mail.example.com --webroot-path /var/www/vhosts/funkysubdomain.example.com/htdocs/ -d funkysubdomain.example.com --webroot-path /var/www/vhosts/totallydifferentdomain.tld/htdocs/ -d totallydifferentdomain.tld -d www.totallydifferentdomain.tld

As said, the above syntax will generate one certificate with all (sub)domains in the "Subject Alternative Names" section of the certificate. So if a person would surf to example.com, it can read the other (sub)domains in the certificate.

Oh and you can go many "levels" "deep".. I've generated certificates for sub3.sub2.sub1.domain.tld. So I don't know if that's what you meant with "2lvl"? Shouldn't be a problem anyway..

paleale 2015-12-15 12:08:06 UTC #3

Nope, apache automatically shows me only sites described in 000-default.conf, it's now only one main domain, and other subdomains listed in *.conf. I dont know, is it normal.
Listing of subdomains isn't ok. It seems I have to generate 2 certs, one for public services and 2nd for private.
Thanks for such detailed and quick response.

paleale 2015-12-15 13:13:57 UTC #4

It seems that must work. But there is another problem)

Error creating new cert :: Too many certificates already issued for: mydomain.com

Revoked all certs, didn't help. I read that revokation doesn't reset limits. Well, I have to wait 1 week, allright?

jhass 2015-12-15 13:28:01 UTC #5

Yes, or use staging meanwhile.

Osiris 2015-12-15 13:28:28 UTC #6

About the Apache plugin: I have no clue what so ever how it works, because my distro isn't supported yet. At the moment it's just Debian based distro's unfortunately, but there's code in the works (almost finished I believe) that'll add a lot of other distro's, including mine (Gentoo ).

About the rate limit: I'm afraid you're right. In the mean time, you could experiment with the staging server. It has less restrictive limits, but doesn't generate valid certificates. Once you've got the CLI syntax right, you just have to save/remember/write it down and wait (And test it again after the week, because it's all beta and all code is subject to change ofcourse )

paleale 2015-12-15 13:41:52 UTC #7

Aaalright.
Manuals on letsencrypt.readthedocs.org didn't aware me about limits and staging server :\

Esam 2016-10-12 17:28:17 UTC #8

Dear @Osiris. Many thanks for your valuable info.

How the case when one of the subdomains is in different server (and different IP address).

Do you think we still able to included to the same certificate? and how?

schoen 2016-10-12 17:29:53 UTC #9

@Esam, maybe with the DNS challenge, if there's one machine that can update DNS records for that domain? You could use one of the bash-based clients, or versions of Certbot after 0.9.0.

There are other ways too (using manual or script), but they're more work.

Esam 2016-10-12 17:46:23 UTC #10

Wow thanks for your quick response.

Yes the main domain is hosted in GoDaddy which controlling the DNS and I'm already installed Let's Encrypt successfully for the domain and subdomains at the same IP.

Now I have the need to host one of the subdomains in "Digital Ocean" regarding the special need of software's not available at GoDaddy.

So at GoDaddy, I added A(HOST) record for the subdomain pointing to the IP address at Digital Ocean. And Now I'm trying to include it to Let's Encrypt. Or if not possible, then I need to issue a new certificate for this subdomain server only.

schoen 2016-10-12 18:19:53 UTC #11

@Esam, the best approach would be with the DNS challenge, if GoDaddy lets you update DNS records via a compatible interface.

Osiris 2016-10-12 20:32:40 UTC #12

You could also use the webroot plugin and set up a specific host for the acme challenges on the server you're running the Let's Encrypt client, with a dedicated document root. Then, you can redirect every request beginning with /.well-known/acme-challenge/ on the other server to this specific host. That way, you can use just one webroot in the client, but validate other servers as well.