How to use Let's Encrypt with Dynamically configured mass virtual hostsing

Question

I have a server configured to use Apach 2.4 dynamically configured vhosts. I have SSL configured for some domains but I am asked to use Let's Encrypt free service to provide SSL for all domains.

Certbot was little bit unclear for me as I am not sure if it will work for dynamic vhosts.

My challenge is I have each domain available on a subdomain subXXX.masterdomain.com and a alias yourchoicedomain.com so I need to generate get a certificate form Let's Encrypt that is valid for

subXXX.masterdomain.com
www.subXXX.masterdomain.com
yourchoicedomain.com
www.yourchoicedomain.com

I don't have a very complicate vhosts config file I achieve domain alias and www server alias using symlinks.

<VirtualHost *:80>
    #ServerName masterdomain.me
    #ServerAlias *
    # get the server name from the Host: header
    UseCanonicalName Off
    # include the server name in the filenames used to satisfy requests
    VirtualDocumentRoot "/var/www/vhosts/%0/httpdocs"

    RewriteEngine On

    RewriteCond %{HTTP_HOST} !^www\. [NC]
    RewriteCond %{HTTPS} off
    RewriteRule .* http://www.%{HTTP_HOST}$0 [R=301,L]

    RewriteCond %{HTTP_HOST} !^www\. [NC]
    RewriteCond %{HTTPS} on
    RewriteRule .* https://www.%{HTTP_HOST}$0 [R=301,L]

    <Directory "/var/www/vhosts/*/httpdocs">
        AllowOverride "All"
        Options SymLinksIfOwnerMatch
        Require all granted
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

Any help getting me started will be great.

I would split your ssl vhost config by root domain name, and then build a script with inotify on directory creation to request the new subdomains as sans, you can do sni but you can't use the %0 in your ssl cert path so some static mapping is required for the cert. since you are limited to 100 sans I'd use the parent domain as a separator. — Jacob Evans, Aug 29 '16 at 16:41

score 4 · Accepted Answer · answered Aug 29 '16 at 16:45

Since certbot can't determine the active domain names from your Apache config you'll need to work around that.

Since with mod vhost alias the presence of a subdirectory is what "activates" the domain name I would suggest a simple shell scripts that enumerates all subdirectories (=all active domains) and then run certbot with the --webroot option to create something along the lines of:

certbot certonly --webroot -w var/www/vhosts/www.example.com/httpdocs -d www.example.com -d example.com -w var/www/vhosts/www.example.net/httpdocs -d www.example.net -d other.example.net

Thanks, I will test if I can implement this solution and reply back. — Faraz, Aug 30 '16 at 10:15

score 0 · Answer 2 · answered Jun 05 '17 at 10:46

0

Certbot require directory name and also the domain name. You can add upto 100 as per their documentation and doesn't support wildcard yet.

You just need to add SSL related configurations to vhost alias ( single config file ) but you can use the same cert for all your domains mentioned over vhost.

Still single config file can work for me. Trial and Tested.

answered Jun 05 '17 at 10:46

user418791

1

Can you include your config in your answer? – chicks Jun 05 '17 at 20:07

How to use Let's Encrypt with Dynamically configured mass virtual hostsing

2 Answers2