I have a working setup for multiple virtual hosts on the same server, but there's a problem: all the server's SSL certificates are unnecessarily renewed, and moved, whenever a vhost is added.
In this setup, each vhost has a separate .conf file, and the host is individually enabled with a2ensite.
For 2 sites, this looks like:
MDomain foo.com
MDStoreDir /var/apache-md/foo.com
<VirtualHost *:443>
ServerName foo.com
DocumentRoot /var/www1
...
</VirtualHost>
and:
MDomain bar.com
MDStoreDir /var/apache-md/bar.com
<VirtualHost *:443>
ServerName bar.com
DocumentRoot /var/www2
...
</VirtualHost>
When I enable foo.com and reload Apache, I get a certificate in /var/apache-md/foo.com/domains/foo.com/pubcert.pem. So far, so good. But when I later enable bar.com, I now get 2 new sets of certificates, and end up with:
/var/apache-md/foo.com/domains/foo.com/pubcert.pem/var/apache-md/bar.com/domains/foo.com/pubcert.pem/var/apache-md/bar.com/domains/bar.com/pubcert.pem
If I run
$ openssl s_client -connect foo.com:443 -prexit
I find that Apache is now serving certificate 2 for foo.com, not certificate 1. This is obviously not a good way to do this: it seems that every time I add a vhost all the certificates get renewed and are all stored in the location for the last host added.
I have also tried setting MDStoreDir to the same location (/var/apache-md) for all hosts, but I couldn't get this to work. mod_md seems to check whether this directory exists. If it already exists, it won't get a new certificate. Any ideas on how to best do this?
No idea which version of mod_md I'm using; there doesn't seem to be a way to find out. It's fairly recent (Apache 2.4.52 on Ubunut 22.04).
