Two web sites using same certificate path?

I'm sure this has been asked before but search isn't coming up with anything yet...

Is there anything stopping me from having two websites using the same certificate path?

I'd like to set up MTA-STS for my domain and right now I have www.domain.com using:

/etc/letsencrypt/live/www.domain.com/*

So if I add mta-sts.domain.com to that certificate, then set up that website, can I re-use the cert at /etc/letsencrypt/live/www.domain.com/* for it?

I'd rather just have fewer certs to manage.

Yes, one cert can have multiple names. A cert must include the name that appears in the URL.

But, generally it is easier to have one cert for each virtual host (such as Apache VirtualHost or nginx server block).

Adding or subtracting names from certs can be awkward.

To combine it, if you are using an HTTP challenge you must set up the virtual host for port 80 for that new domain name first. Then expand the previous cert, and then you can have the new virtual host use that new cert.

I could be more specific if you had provided more info from the form you were shown.

5 Likes

You have 2 options:

1- Get a second certificate to cover the second domain (recommended)
2- Expand the existing certificate to also cover the second domain (look up "add domain to certificate certbot")

It is generally recommended to use multiple certificates, because issues on one domain can prevent a renewal of the certificate -- meaning the other domain cannot get renewed until you fix whatever problems are at hand.

7 Likes

OK thanks.

I guess it's because MTA-STS requires an https URL for every domain that needs it (a whole web server to serve a single five-line file!), so I thought that rather than double the number of certificates in my list, I'd expand the ones I have instead. I still have to have a bunch of Apache configs though, unless I can do some rewrite to serve the MTA-STS policy URL from the existing Apache hosts.

I can try it with a test server I think.

3 Likes

Great Point. Thanks for that.

4 Likes

Yeah, but it looks like OP is just talking about subdomains, right? For subdomains I'd rather include all the hostnames into a single cert.

Yes, sorry, I should have made that a bit clearer in my question, because MTA-STS is a bit of a special case, and it's a bit hard to imagine how one subdomain would fail on the same domain.

2 Likes

Also (serves me right for posting before thinking this through) - I think I can just use Apache's ServerAlias directive for the web server, and add that subdomain (confusingly termed "domain" for certbot) to the cert. That way I don't get any config proliferation at all.

1 Like
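The ServerAlias approach from the last post, written out as an added example (not code from any poster or from certbot/Apache docs): one Apache host pair that answers for both www.example.com and mta-sts.example.com, the policy file at the path MTA-STS clients fetch, and the certbot command that expands the existing lineage. `example.com`, `mail.example.com` and the web root are placeholders; the policy format follows RFC 8461, which the thread does not spell out.

```shell
#!/bin/sh
# Added example (not from the thread): one Apache vhost pair serving both
# www.<domain> and mta-sts.<domain> from one expanded Let's Encrypt cert.
# example.com and mail.example.com below are placeholders.
set -eu

# Write the policy at the path MTA-STS clients fetch over HTTPS:
#   https://mta-sts.<domain>/.well-known/mta-sts.txt
# (format per RFC 8461; "testing" mode reports failures without enforcing).
write_policy() {
    root="$1"; mx="$2"
    mkdir -p "$root/.well-known"
    printf 'version: STSv1\nmode: testing\nmx: %s\nmax_age: 86400\n' "$mx" \
        > "$root/.well-known/mta-sts.txt"
    printf '%s\n' "$root/.well-known/mta-sts.txt"
}

# Apache config: ServerAlias adds mta-sts.<domain> to the existing hosts,
# so no extra VirtualHost and no second certbot lineage is needed. The
# port-80 host must answer for the new name before the HTTP-01 challenge.
vhost_conf() {
    domain="$1"; root="$2"
    cat <<EOF
<VirtualHost *:80>
    ServerName www.${domain}
    ServerAlias mta-sts.${domain}
    DocumentRoot ${root}
</VirtualHost>
<VirtualHost *:443>
    ServerName www.${domain}
    ServerAlias mta-sts.${domain}
    DocumentRoot ${root}
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.${domain}/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.${domain}/privkey.pem
</VirtualHost>
EOF
}

# The certbot command that adds the new name to the existing lineage
# (--expand keeps the /etc/letsencrypt/live/www.<domain>/ path unchanged).
expand_cert_cmd() {
    domain="$1"; root="$2"
    printf 'certbot certonly --webroot -w %s --expand -d www.%s -d mta-sts.%s\n' \
        "$root" "$domain" "$domain"
}
```

Run `vhost_conf example.com /var/www/html` and `expand_cert_cmd example.com /var/www/html` to print the config and command for your own names; switch the policy to `mode: enforce` only once reports in testing mode come back clean.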