Wildcard SSL for Dynamic Virtual Host

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: whiki.online

I ran this command:

It produced this output:

My web server is (include version): Apache/2.4.41

The operating system my web server runs on is (include version): 20.04.5

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.29.0

I'm currently running several MediaWiki sites on my server (located at /var/www/html/mediawiki), and also a WordPress site (located at /var/www/html/whiki.online). I'm using several Virtual Host files to point each wiki (i.e. wiki1.whiki.online, wiki2.whiki.online) to the MediaWiki install, and a separate Virtual Host file for the WordPress install.

I want to combine all of the Virtual Hosts under one wildcard Virtual Host, but this also means I need a wildcard SSL set up. I've done some research and come up with this, which I believe may work?

<VirtualHost *:80>
    DocumentRoot /var/www/html/mediawiki
    ServerAlias *.whiki.online
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost *:80>
  DocumentRoot /var/www/html/whiki.online
  ServerName whiki.online
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /var/www/html/mediawiki
    ServerAlias *.whiki.online
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLCertificateFile /etc/letsencrypt/live/whiki.online-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/whiki.online-0001/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /var/www/html/whiki.online
    ServerName whiki.online
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLCertificateFile /etc/letsencrypt/live/whiki.online/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/whiki.online/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

(I've already generated the Lets Encrypt wildcard cert, which lives at the /live/whiki.online-001 location). I'm a little unsure if the above VH file is correct, though, and what the process for swapping them over would be — if the file is correct, can all of the VH go in one file, or do the HTTP and the HTTPS ones have to go in separate VH files?

I assume then (if the code is correct), I can just enable the file (or files) via Apache, and then disable the other ones? Is it as easy as just disabling them through a2dissite *, or do I have to do something more?

Any help would be appreciated!

Hi @ArrakisMiner, and welcome to the LE community forum :slight_smile:

Although your question is not really related to LE certs or an ACME client...

Yes; In the end, Apache will make one big configuration file from more (or less) files.
The four vhosts can be in one file or four files - there is no significant difference.

Not enough information was given to make that kind of judgement.

That depends on the names those other files serve and the content they individually provide.

That depends on what your goal is and what the unshown files are currently doing.

Sorry that I haven't provided much clarity/answers to your questions.
But once enough information has been provided, the clarity/answers will soon follow.

4 Likes

They serve subdomains, such as wiki1.whiki.online, wiki2.whiki.online, and the contents (one of the wikis for example) are as follows:

<VirtualHost *:80>
    ServerName wiki1.whiki.online
    DocumentRoot /var/www/html/mediawiki
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =wiki1.whiki.online
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

and then, the one generated by certbot:


<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName wiki1.whiki.online
    DocumentRoot /var/www/html/mediawiki
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/wiki1.whiki.online-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/wiki1.whiki.online-0001/privkey.pem
</VirtualHost>
</IfModule>

The ultimate goal is to not have to create new Virtual Host files, and then request certificates for them via Certbot, for every wiki that is created. Instead, I want one Virtual Host Wildcard, and to apply a wildcard LE cert to it from certbot (if that makes sense?)

Answer this.
Given:

vhost1:
    ServerName wiki1.whiki.online
    DocumentRoot /var/www/html/mediawik

Will subsequent wiki sites...

vhost2:
    ServerName wiki2.whiki.online
  also use that same content location:
    DocumentRoot /var/www/html/mediawik
  OR will use some other location:
    DocumentRoot /var/www/html/filewik

2 Likes

They'll all use the same directory, yes. I just need any subdomain *.whiki.online to point to /var/www/html/mediawiki, whilst the domain itself should just point to /var/www/html/whiki.online.

Then your file with the four vhosts would do that nicely.

2 Likes
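To see why the four-vhost file above works, and where the wildcard certificate's coverage is narrower than Apache's ServerAlias matching, here is a small model of Apache's name-based vhost selection next to an RFC 6125 style certificate name check. This is an added example, not code from the thread or from Apache; the SAN lists attached to each vhost are assumptions (the thread only says the -0001 lineage is the wildcard cert).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class VHost:
    docroot: str                                   # DocumentRoot
    name: Optional[str] = None                     # ServerName (the wildcard vhost has none)
    aliases: List[str] = field(default_factory=list)  # ServerAlias entries
    sans: List[str] = field(default_factory=list)     # names in the vhost's certificate (assumed)


# The two *:443 vhosts from the thread, in config-file order; the first one is Apache's default.
VHOSTS = [
    # wildcard vhost: ServerAlias only, cert from /live/whiki.online-0001 (SAN assumed)
    VHost("/var/www/html/mediawiki", aliases=["*.whiki.online"], sans=["*.whiki.online"]),
    # apex vhost: ServerName whiki.online, cert from /live/whiki.online (SAN assumed)
    VHost("/var/www/html/whiki.online", name="whiki.online", sans=["whiki.online"]),
]


def apache_alias_match(pattern: str, host: str) -> bool:
    """ServerAlias glob: '*' matches any run of characters, dots included; '?' matches one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, host, re.IGNORECASE) is not None


def select_vhost(vhosts: List[VHost], host_header: str) -> VHost:
    """First vhost whose ServerName or ServerAlias matches the Host header; else the first vhost."""
    host = host_header.rsplit(":", 1)[0].rstrip(".").lower()
    for vh in vhosts:
        if (vh.name and vh.name.lower() == host) or any(apache_alias_match(a, host) for a in vh.aliases):
            return vh
    return vhosts[0]


def cert_name_covers(san: str, host: str) -> bool:
    """Certificate wildcard: '*.whiki.online' covers exactly one extra label, not the apex, not deeper names."""
    san, host = san.lower(), host.lower()
    if not san.startswith("*."):
        return san == host
    label, dot, rest = host.partition(".")
    return dot == "." and label != "" and rest == san[2:]


def tls_check(vhosts: List[VHost], host_header: str):
    """Which DocumentRoot would serve this Host, and whether that vhost's certificate actually names it."""
    vh = select_vhost(vhosts, host_header)
    host = host_header.rsplit(":", 1)[0].rstrip(".")
    return vh.docroot, any(cert_name_covers(s, host) for s in vh.sans)
```

Note that Apache's `*` spans dots, so `a.b.whiki.online` lands in the mediawiki vhost, while the wildcard certificate covers only a single label; requests for unknown names fall through to the first (default) vhost.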

Okay perfect, thank you! What would the process be? Would I just disable the others and enable that one? I've only ever used the automatic certbot to generate the HTTPS versions of the virtual hosts, so I'm a little irky; throwing it in /sites-available/ and enabling it and then disabling the others would be fine?

Edit: Tried it and it worked — thank you for the help!

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.