Running multiple domains on a single server is common nowadays. Serving web content over HTTPS is good practice as well. Here is how to configure the Let's Encrypt service to handle multiple domains.

Certbot Installation

Follow the official installation procedure presented in


I run two domains on my server: and This blog is a subdomain I want to issue separate certificates for each of the three (sub)domains. For this, run the following three commands:

/root/certbot/certbot-auto certonly --webroot -w /var/www/ghost -d -d
/root/certbot/certbot-auto certonly --webroot -w /var/ -d -d -d -d
/root/certbot/certbot-auto certonly --webroot -w /var/www-hex64 -d -d -w /var/www-hex64/piotr -d -d 

In each run, I specify which domain names should be supported (the -d parameter) and where the webroot is placed (usually /var/www), so that certbot can find it. Note that you can provide multiple -w options in a single command. Each command creates a new directory with the certificate under /etc/letsencrypt/live, so make sure that you do not bunch all domains into a single command, because the names of the directories are generated automatically. For the last set of domains (the third command), the certificates for and will be stored in /etc/letsencrypt/live/


The certificates must be renewed at least once per month. For this, I use the renew option of certbot:

/root/certbot/certbot-auto renew

It automatically handles all three domains for me. Even domains added in the future will be renewed automatically by this command.

You want to add the renewal to crontab. This line will do the job:

# m h  dom mon dow   command
30 2 * * 1 /root/certbot/certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start" >> /var/log/cert-renew.log

This means that every Monday (dow=1) at 2:30 AM (m=30, h=2) the certificates will be renewed. The nginx server will be stopped before the renewal and started again once the renewal is done.

Update (May 2017):

Due to problems with automated certificate renewal, I needed to switch to the standalone mode of verifying the domain. This requires adding the --standalone parameter to the command. The current crontab looks like this:

30 2 * * 1 /root/certbot/certbot-auto renew --standalone --pre-hook "service nginx stop" --post-hook "service nginx start" >> /var/log/cert-renew.log
35 2 * * 1 /usr/sbin/service nginx reload

Configuring nginx

Nginx configuration is relatively simple. Just edit /etc/nginx/sites-available/ and add the following lines to the server section:

server {
        # ... some other content, e.g., handling port 80
        listen   443 ssl;

        ssl_certificate /etc/letsencrypt/live/YOUR.DOMAIN.COM/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/YOUR.DOMAIN.COM/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_session_timeout 1d;
        # ssl_session_cache shared:SSL:50m;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security max-age=15768000;
        server_name YOUR.DOMAIN.COM;
        # ... rest of config
}

Make sure to use the right domain name as YOUR.DOMAIN.COM. You can always check how the directories for your certificates are named by issuing ls /etc/letsencrypt/live/. In my case, YOUR.DOMAIN.COM equals

Next, test whether your nginx config is okay with nginx -t and, if it is, reload the server with sudo service nginx reload.
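
The ssl_protocols line in the server block above still enables TLSv1 and TLSv1.1, which are deprecated (RFC 8996). The following shell script is an added example, not part of the original post: it flags deprecated protocols in an nginx config file and prints a copy restricted to TLSv1.2 and TLSv1.3. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print "file:line: protocol" for each deprecated protocol enabled by an
# active ssl_protocols directive. Returns 1 if any were found, else 0.
audit_tls_protocols() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                       # ignore comments
        if (line !~ /^[ \t]*ssl_protocols[ \t]/) next
        sub(/;.*/, "", line)                       # drop the terminator
        n = split(line, tok, /[ \t]+/)
        for (i = 1; i <= n; i++)
            if (tok[i] ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) {
                printf "%s:%d: %s\n", FILENAME, FNR, tok[i]
                found = 1
            }
    }
    END { exit (found ? 1 : 0) }' "$@"
}

# Print the config with every active ssl_protocols directive restricted to
# TLSv1.2 and TLSv1.3 (assumption: nginx >= 1.13.0 built with OpenSSL >= 1.1.1).
harden_tls_protocols() {
    sed -E 's/^([[:space:]]*ssl_protocols[[:space:]]+)[^;#]*;/\1TLSv1.2 TLSv1.3;/' "$1"
}

# Constructed sample based on the TLS lines of the server block above.
write_sample_conf() {
    cat > "$1" <<'EOF'
server {
        listen   443 ssl;
        # ssl_protocols SSLv3;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
}
EOF
}

demo() {
    conf=$(mktemp) && write_sample_conf "$conf"
    audit_tls_protocols "$conf" || echo "deprecated protocols enabled"
    harden_tls_protocols "$conf" | audit_tls_protocols && echo "hardened config is clean"
    rm -f "$conf"
}
demo
```

Run the audit against the real file under /etc/nginx/sites-available/ before nginx -t; a non-zero exit status means at least one deprecated protocol is still enabled.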