Letsencrypt and Multiple Domains

Running multiple domains on a single server is common nowadays, and serving web content over HTTPS is good practice as well. Here is how to configure the Let's Encrypt client (certbot) to handle multiple domains.

Certbot Installation

Follow the official installation procedure presented in https://certbot.eff.org/.

Initialization

I run two domains on my server: hex64.com and rygielski.xyz. This blog is a subdomain blog.hex64.com. I want to issue separate certificates for each of the three (sub)domains. For this, run the following three commands:

/root/certbot/certbot-auto certonly --webroot -w /var/www/ghost -d blog.hex64.com -d www.blog.hex64.com
/root/certbot/certbot-auto certonly --webroot -w /var/www-rygielski.xyz -d rygielski.xyz -d piotr.rygielski.xyz -d www.rygielski.xyz -d www.piotr.rygielski.xyz
/root/certbot/certbot-auto certonly --webroot -w /var/www-hex64 -d hex64.com -d www.hex64.com -w /var/www-hex64/piotr -d piotr.hex64.com -d www.piotr.hex64.com 

In each run, I specify which domain names the certificate should cover (parameter -d) and where the webroot of those domains is located (i.e., usually /var/www), so that certbot can place the validation challenge files there. Notice that you can pass multiple -w parameters in a single command. Each command creates a new directory with the certificate under /etc/letsencrypt/live, so make sure that you do not bunch all domains into a single command, because the directory names are generated automatically. For the last set of domains (the third command), the certificates for hex64.com and piotr.hex64.com will be stored in /etc/letsencrypt/live/hex64.com.
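Since the directory names under /etc/letsencrypt/live are generated from the command line, it helps to know in advance where each command will write. The script below is an added example (not part of the original post and not certbot's own tooling): it derives the lineage name the way certbot does, i.e. the first -d value unless --cert-name is given, and flags commands that would land in the same directory. The sample command lists are constructed from the three commands above.

```shell
# Added example (not part of the original post or of certbot): work out which
# directory under /etc/letsencrypt/live a certonly command will write to, and
# flag commands that would write to the same one. certbot names the lineage
# after the first -d value unless --cert-name is given; the sample command
# lists below are constructed for this example.

lineage_name() {
    # Print the lineage name for the certbot arguments given as "$@".
    cert_name=""
    first_domain=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --cert-name)
                [ $# -gt 1 ] && cert_name=$2 && shift ;;
            -d|--domain|--domains)
                # --domains accepts a comma-separated list; the first entry counts
                [ $# -gt 1 ] && [ -z "$first_domain" ] && first_domain=${2%%,*}
                [ $# -gt 1 ] && shift ;;
        esac
        shift
    done
    if [ -n "$cert_name" ]; then
        echo "$cert_name"
    elif [ -n "$first_domain" ]; then
        echo "$first_domain"
    else
        return 1   # no domain given at all; certbot would have to ask interactively
    fi
}

find_lineage_collisions() {
    # $1 = newline-separated certbot command lines (no quoted arguments).
    # Prints every lineage name that more than one command would write to.
    printf '%s\n' "$1" | while read -r line; do
        [ -n "$line" ] || continue
        set -- $line        # word-split the command line into arguments
        lineage_name "$@"
    done | sort | uniq -d
}

# Constructed sample: the three commands from the post, one per line.
PAGE_COMMANDS='/root/certbot/certbot-auto certonly --webroot -w /var/www/ghost -d blog.hex64.com -d www.blog.hex64.com
/root/certbot/certbot-auto certonly --webroot -w /var/www-rygielski.xyz -d rygielski.xyz -d piotr.rygielski.xyz
/root/certbot/certbot-auto certonly --webroot -w /var/www-hex64 -d hex64.com -d www.hex64.com -w /var/www-hex64/piotr -d piotr.hex64.com'

# Constructed sample of a mistake: two commands that both start with -d hex64.com,
# so both would resolve to /etc/letsencrypt/live/hex64.com.
COLLIDING_COMMANDS='/root/certbot/certbot-auto certonly --webroot -w /var/www-hex64 -d hex64.com -d www.hex64.com
/root/certbot/certbot-auto certonly --webroot -w /var/www-hex64/piotr -d hex64.com -d piotr.hex64.com'
```

Running find_lineage_collisions over the three commands from the post prints nothing, because their first -d values (blog.hex64.com, rygielski.xyz, hex64.com) are all distinct. If two commands do resolve to the same name, the second run does not create a new directory but updates the existing lineage, which is usually not what was intended; --cert-name is the explicit way to pick the directory name.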

Renewal

The certificates must be renewed at least once per month. For this, I use the renew option of certbot:

/root/certbot/certbot-auto renew

It automatically handles all three domains for me. Even domains added in the future will be renewed automatically with this command.

You will want to add the renewal to crontab. This line will do the job:

# m h  dom mon dow   command
30 2 * * 1 /root/certbot/certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start" >> /var/log/cert-renew.log  

This means that every Monday (dow=1) at 2:30 AM (m=30, h=2) the certificates will be renewed. The nginx server is stopped before the renewal and started again once the renewal is done.
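The cron line only appends certbot's output to a log file, so a renewal that fails (for example because the web server that should serve the --webroot challenge was unavailable at that moment) is easy to miss until the certificate actually expires. The script below is an added example (not part of the original post and not certbot's own tooling) that reads the lineages under a live/ directory and reports any certificate that is closer to expiry than a threshold; it requires the openssl CLI, and the 30-day threshold and the fixture names are assumptions.

```shell
# Added example (not part of the original post or of certbot): report which
# certificate lineages under a live/ directory are close to expiry.
# Requires the openssl CLI. The default paths and the 30-day threshold are
# assumptions for this example.

cert_expires_within() {
    # $1 = PEM certificate, $2 = days.
    # Succeeds (exit 0) when the certificate expires within $2 days, i.e. when
    # it needs attention; fails (exit 1) when it is still valid for that long.
    seconds=$(( $2 * 86400 ))
    if openssl x509 -checkend "$seconds" -noout -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

check_live_dir() {
    # $1 = live directory (default /etc/letsencrypt/live), $2 = days (default 30).
    # Prints one line per lineage; the exit status is the number of lineages
    # that are missing a certificate or expire within the threshold.
    dir=${1:-/etc/letsencrypt/live}
    days=${2:-30}
    failing=0
    for lineage in "$dir"/*/; do
        [ -d "$lineage" ] || continue
        name=$(basename "$lineage")
        cert="${lineage}fullchain.pem"
        if [ ! -r "$cert" ]; then
            echo "WARN $name: no readable fullchain.pem"
            failing=$((failing + 1))
            continue
        fi
        expiry=$(openssl x509 -enddate -noout -in "$cert" | sed 's/^notAfter=//')
        if cert_expires_within "$cert" "$days"; then
            echo "WARN $name expires within $days days ($expiry)"
            failing=$((failing + 1))
        else
            echo "OK   $name ($expiry)"
        fi
    done
    return "$failing"
}

make_live_fixture() {
    # Constructed fixture so the check can run offline: a fake live/ tree with
    # self-signed certificates (certbot would normally create these). One
    # lineage is valid for 90 days, the other for only 5.
    root=$(mktemp -d)
    for entry in blog.hex64.com:90 rygielski.xyz:5; do
        name=${entry%%:*}
        valid=${entry##*:}
        mkdir -p "$root/$name"
        openssl req -x509 -newkey rsa:2048 -nodes -days "$valid" -subj "/CN=$name" \
            -keyout "$root/$name/privkey.pem" -out "$root/$name/fullchain.pem" \
            >/dev/null 2>&1
    done
    echo "$root"
}

# Usage against the real tree; a non-zero exit status means something needs attention:
#   check_live_dir /etc/letsencrypt/live 30
```

A second cron entry that runs check_live_dir a day after the renewal job and mails or logs its output gives an independent signal that the renewal actually worked, rather than relying on reading /var/log/cert-renew.log by hand.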

Configuring nginx

Nginx configuration is relatively simple. Just edit /etc/nginx/sites-available/your.site.conf and add the following lines to the server section:

server {  
        # ... some other content, e.g., handling port 80
        listen   443 ssl;

        ssl_certificate /etc/letsencrypt/live/YOUR.DOMAIN.COM/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/YOUR.DOMAIN.COM/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_session_timeout 1d;
        # ssl_session_cache shared:SSL:50m;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security max-age=15768000;

        server_name YOUR.DOMAIN.COM;
        # ... rest of config
}

Make sure to use the right domain name in place of YOUR.DOMAIN.COM. You can always check how the directories for your certificates are named by issuing ls /etc/letsencrypt/live/. In my case, YOUR.DOMAIN.COM is blog.hex64.com.

Next, test whether your nginx config is okay with nginx -t and, if so, reload the server with sudo service nginx reload.
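nginx -t only checks that the files named in ssl_certificate and ssl_certificate_key can be loaded; it does not tell you that the placeholder was replaced in every site file or that a certificate and key copied from different lineages actually belong together. The script below is an added example (not part of the original post, nginx or certbot) that parses a site config, verifies each certificate/key pair by comparing public keys, and flags a leftover YOUR.DOMAIN.COM. It requires the openssl CLI, and the fixture file layout is constructed for the example.

```shell
# Added example (not part of the original post or of nginx/certbot): check that
# the ssl_certificate / ssl_certificate_key pairs in an nginx site config point
# at readable files that belong together, and that the YOUR.DOMAIN.COM
# placeholder was replaced. Requires the openssl CLI; the fixture layout is
# constructed for this example.

nginx_tls_pairs() {
    # Print "cert key" for every ssl_certificate/ssl_certificate_key pair in $1,
    # ignoring comments. Assumes one key directive per certificate directive.
    sed -e 's/#.*$//' "$1" | awk '
        $1 == "ssl_certificate"     { c = $2; sub(/;$/, "", c) }
        $1 == "ssl_certificate_key" { k = $2; sub(/;$/, "", k) }
        c != "" && k != ""          { print c, k; c = ""; k = "" }'
}

cert_matches_key() {
    # $1 = certificate PEM, $2 = private key PEM.
    # Exit 0 when the public key inside the certificate equals the public key
    # derived from the private key, 1 when they differ, 2 when a file is unreadable.
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cpub" = "$kpub" ]
}

verify_nginx_tls() {
    # $1 = nginx site config. Prints one line per pair; the exit status is the
    # number of problems found (0 means every pair is consistent).
    pairs=$(mktemp)
    nginx_tls_pairs "$1" > "$pairs"
    problems=0
    if [ ! -s "$pairs" ]; then
        echo "FAIL $1: no ssl_certificate/ssl_certificate_key pair found"
        problems=1
    fi
    while read -r cert key; do
        case "$cert$key" in
            *YOUR.DOMAIN.COM*)
                echo "FAIL placeholder YOUR.DOMAIN.COM still present in $1"
                problems=$((problems + 1)); continue ;;
        esac
        if [ ! -r "$cert" ]; then
            echo "FAIL $cert: not readable"; problems=$((problems + 1))
        elif [ ! -r "$key" ]; then
            echo "FAIL $key: not readable"; problems=$((problems + 1))
        elif cert_matches_key "$cert" "$key"; then
            echo "OK   $cert matches $key"
        else
            echo "FAIL $cert does not match $key"; problems=$((problems + 1))
        fi
    done < "$pairs"
    rm -f "$pairs"
    return "$problems"
}

make_config_fixture() {
    # Constructed fixture for offline use: a self-signed cert with its key, an
    # unrelated key, and three site configs (correct, wrong key, placeholder left in).
    root=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=blog.hex64.com" \
        -keyout "$root/privkey.pem" -out "$root/fullchain.pem" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$root/other.pem" >/dev/null 2>&1
    printf 'server {\n    listen 443 ssl;\n    ssl_certificate %s/fullchain.pem;\n    ssl_certificate_key %s/privkey.pem; # key\n}\n' \
        "$root" "$root" > "$root/good.conf"
    printf 'server {\n    ssl_certificate %s/fullchain.pem;\n    ssl_certificate_key %s/other.pem;\n}\n' \
        "$root" "$root" > "$root/wrongkey.conf"
    printf 'server {\n    ssl_certificate /etc/letsencrypt/live/YOUR.DOMAIN.COM/fullchain.pem;\n    ssl_certificate_key /etc/letsencrypt/live/YOUR.DOMAIN.COM/privkey.pem;\n}\n' \
        > "$root/placeholder.conf"
    echo "$root"
}

# Usage on a real site file, before nginx -t:
#   verify_nginx_tls /etc/nginx/sites-available/your.site.conf
```

Running verify_nginx_tls over every file in /etc/nginx/sites-enabled before the reload catches the two mistakes that nginx -t is silent about: a certificate paired with a key from another lineage, and a copied template whose placeholder was never filled in.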