Using LetsEncrypt on multiple domains

First off, I would like to say that I LOVE lets encrypt. Being a small startup web development company, you have saved me lots of money in SSL certificates for my clients and sites, and have made it possible for me to incorporate HTTPS into all of the sites I develop.

Secondly, I have a question about the client. When I ran letsencrypt-auto to create a certificate, and it asked me what domains I wanted to apply, I selected all of them in the list. All of the sites are correctly validated via SSL and HTTPS, however when I view the certificate information the domain is the same on all of them (Even though the actual site domain is not).

I am using Apache2 on ubuntu server 14.04

Is there a way to make each domain, and subdomain of each domain (as obtained from apache’s vhost config), have its own certificate that shows its own domain? When I first set it up, I had assumed that it would make a separate certificate for each domain I selected, but it appears that it just made one certificate and added all of the selected domains into that certificate (which doesn’t help for showing that each site has its own certificate).

Thanks in advance for the help!


I believe that if you run the client separately for each domain it will generate a separate certificate for each domain, and will renew each of those certificates individually when you run the renew command in the future.

It's only possible to have a separate cert per site if each has a unique IP.
In most environments (like ours/Cloudflare etc. etc.) they don't, so you just pick the least inappropriate one for the primary.
We use hosting.ourprovidername.tld
and then have all the customer/client names in the subject alternate part,
so no single customer gets preferential treatment :wink:

That's not quite correct - mainstream web browsers have had Server Name Indication support for almost a decade.

CloudFlare supports SNI backends and makes heavy use of SNI for their Free SSL offering.

Unless you have to support outdated clients (which aren't receiving updates anymore, and hence very insecure), SNI should be just fine.

So then would doing what jsha has suggested work, and run ./letsencrypt-auto individually for each domain I’d like a certificate for?

Yep! As long as you don’t have any clients without SNI support, that would work.

Yep, I just verified, it actually does work! One question though, is there a way to select manually which ‘primary’ domain each certificate is for? I have a domain, example.com, that has example.com, mysql.example.com, and www.example.com, and it’s defaulting mysql.example.com as the site name, and using example.com and www.example.com as alternatives. It’s not a huge deal, I’m just part OCD.

IIRC the client uses the first domain it encounters as the Common Name, so whatever you pass as the first -d argument should end up in that field. Don’t quote me on that, though. :smile:
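The per-site procedure the thread arrives at (one letsencrypt-auto run per site, with the name you want as the primary passed as the first -d argument, then checking which name ended up in the certificate) as an added shell example. This is not code from the thread or from the Let's Encrypt client; the site list is constructed, `--apache` is assumed to match the original poster's Apache setup, and the certificate path given to inspect_cert is whatever the client wrote on your system.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# One certificate per site: the first -d name becomes the Common Name,
# every name on the line still lands in the Subject Alternative Name list.

# Constructed sample input: one line per site, primary name first.
SITES='example.com www.example.com mysql.example.com
example.org www.example.org'

# Build the client invocation for a single site.
# Arguments: the site's domain names, primary first.
build_cmd() {
  cmd='./letsencrypt-auto --apache'   # --apache is an assumption
  for d in "$@"; do
    cmd="$cmd -d $d"
  done
  printf '%s\n' "$cmd"
}

# Emit one invocation per site, so each site gets its own certificate
# and its own renewal lineage instead of one shared multi-SAN cert.
plan_all() {
  printf '%s\n' "$SITES" | while read -r names; do
    [ -n "$names" ] || continue
    # Word-splitting the line into separate -d arguments is intended.
    # shellcheck disable=SC2086
    build_cmd $names
  done
}

# After issuance: print the Subject (CN) and the DNS SANs of a PEM
# certificate to confirm which name became the primary. Needs openssl;
# the path is an assumption, e.g. the cert.pem the client produced.
inspect_cert() {
  openssl x509 -in "$1" -noout -text | grep -E 'Subject:|DNS:'
}

# Print the plan; run each line once you have reviewed it.
plan_all
```

Each emitted line is a separate run, so renewals stay independent per site, and reordering the names on a line is all that is needed to change which one shows as the certificate's primary name.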
