
I have an Apache web server that uses certbot for its Let's Encrypt SSL certificate. Is it possible to have many separate certificates, one for each managed virtual host? Currently certbot works with only one certificate with many alternate names.

I have a requirement not to publish the domain list of my web server to every client (in the certificate details of the browser).

Tobia

2 Answers


On Certbot's side there is no problem. Just request a certificate for each domain and Certbot will renew them automatically.

Since Apache 2.4 supports Server Name Indication, there is no problem on this side either. You just need to configure a different certificate for each virtual host:

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    # each vhost points at its own certificate directory; Apache picks the
    # vhost from the SNI name, so a client only sees this site's certificate
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName example.net
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.net/privkey.pem
</VirtualHost>

Edit: If you don't want certbot to mangle your Apache configuration, use the webroot plugin. Create a directory for certbot:

mkdir -p /var/www/certbot/.well-known/acme-challenge

Add an alias to all your <VirtualHost>s running on port 80, or globally:

Alias "/.well-known/acme-challenge/" "/var/www/certbot/.well-known/acme-challenge/"

Run certbot with the webroot plugin:

certbot certonly --webroot -w /var/www/certbot -d example.com -d www.example.com

Certbot will remember those settings when renewing the certificates.

Piotr P. Karwasz
    While this works just fine, I prefer acme.sh. Which is another tool like certbot, except it's written in shell. – Steven DeWitt Jan 03 '20 at 00:19
  • We weren't sure what the automated certificate install would do to our multi-site multi-server reverse proxy set of config files, so we opted to use the certbot webroot and certonly options. See https://certbot.eff.org/docs/using.html#webroot then we manually added virtualhost config lines like in this answer to our config files. – BeowulfNode42 Jan 03 '20 at 00:47
  • Your apache configuration example looks like my configuration, but the problem is that certbot-auto script merges the request and uses one single certificate for all sites. Is there any solution than configuring manually? Maybe a certbot param? – Tobia Jan 03 '20 at 07:25
  • I added some details on using certbot with the **webroot** plugin, which does not mangle the server's configuration. – Piotr P. Karwasz Jan 03 '20 at 09:54
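The per-domain procedure from the answer above, as an added example that is not part of the original answer or of certbot's own tooling: for each site it prints the `certbot certonly --webroot` command to issue a separate certificate and emits the matching `<VirtualHost *:443>` block, then counts the distinct certificate files so you can confirm you really have one certificate per domain rather than one SAN certificate. The webroot path, the `/etc/letsencrypt/live` layout and the `www.` alias are assumptions carried over from the answer. The `san_for` helper is the check to run afterwards against a live server: with a given SNI name, the certificate it returns should list only that site's names. One caveat the original thread does not mention: this keeps the other domains out of the certificate a browser sees for one site, but Let's Encrypt submits every certificate it issues to public Certificate Transparency logs, so the full list of hostnames remains discoverable there.

```shell
#!/bin/sh
# Added example, not code from the original answers.
# Assumptions (not stated in the thread): certbot webroot at /var/www/certbot,
# certificates under /etc/letsencrypt/live/<domain>/.
WEBROOT=/var/www/certbot
LIVE=/etc/letsencrypt/live

# Print (rather than run, so this works offline) the certbot invocation that
# issues a separate certificate for one domain and its www. alias.
certbot_cmd() {
  domain=$1
  printf 'certbot certonly --webroot -w %s -d %s -d www.%s\n' \
    "$WEBROOT" "$domain" "$domain"
}

# Emit the TLS VirtualHost for one domain, pointing at that domain's own
# certificate directory. Apache selects the vhost by SNI, so a client
# connecting for this name only ever receives this certificate.
vhost_conf() {
  domain=$1
  cat <<EOF
<VirtualHost *:443>
    ServerName $domain
    ServerAlias www.$domain
    SSLEngine on
    SSLCertificateFile    $LIVE/$domain/fullchain.pem
    SSLCertificateKeyFile $LIVE/$domain/privkey.pem
</VirtualHost>
EOF
}

# Number of distinct certificate files referenced by the generated vhosts.
# With one certificate per site this equals the number of domains; with a
# single SAN certificate it would be 1.
distinct_certs() {
  for d in "$@"; do vhost_conf "$d"; done \
    | awk '/SSLCertificateFile/ {print $2}' | sort -u | awk 'END {print NR}'
}

# Live check (needs network, not part of the offline run): fetch the
# certificate Apache serves for one SNI name and print its SAN extension.
# It should list only that site's names.
san_for() {
  printf '' | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName
}

# Constructed sample domains; replace with the sites of the real server.
for d in example.com example.net; do
  certbot_cmd "$d"
  vhost_conf "$d"
done
```

Run the printed certbot commands once per site, drop each generated block into its own sites-available file, reload Apache, then `san_for example.net` to confirm that the SAN list served for one name does not include the others.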

If you have your virtual servers configured, when you run certbot --apache it will ask you which domain you want the certificate for.

arturo.mj