How to issue Let's Encrypt certificates for multiple websites (Nginx and Apache)
Last updated: November 10th 2022
Issuing Let's Encrypt certificates for multiple websites in a shared server / virtual hosting environment
Let's Encrypt is a free and open-source authority run by the Internet Security Research Group that offers free SSL certificates for your domain. Let's Encrypt SSL certificates are completely free and can be used in production as well. To install a free Let's Encrypt SSL certificate, you need a valid domain name pointed at your server's IP address, and Let's Encrypt will issue a certificate for it.
In our previous tutorials, we learned How to Configure Nginx to serve Multiple Websites and How to Configure Apache to serve Multiple Websites.
Now, we will learn how to configure Certbot to issue Let's Encrypt certificates for all your websites.
Please note: Doing these actions may bring down your server. Do not do this on a live site without knowing the potential consequences.
Prerequisites
- A fresh Webdock cloud Ubuntu instance with a LAMP/LEMP stack installed.
- Two valid domain names pointed at your VPS IP address. In this tutorial, we will use web1.webdock.io and web2.webdock.io.
- You have shell (SSH) access to your VPS.
Let's Encrypt Certificates and Nginx
In this section we will learn how to configure Certbot to issue Let's Encrypt certificates for your websites web1.webdock.io and web2.webdock.io. We will also learn how to configure a cron job to renew Let's Encrypt certificates automatically.
Warning: Please make sure you have not set the domains you are trying to generate certificates for in the Server Identity tool in Webdock as this will write the domain names to the standard webdock config at /etc/nginx/sites-enabled/webdock and confuse Certbot. If you need reverse DNS and hostname set, then after using Server Identity in Webdock, make sure you remove the domain names you are creating certificates for below from the default webdock nginx config file.
Configure Certbot to issue Let's Encrypt certificates for the first website
You start with generating a certificate for one of your websites, in this example web1.webdock.io.
Certbot is a simple, easy-to-use tool that helps you download and install a free Let's Encrypt SSL certificate for your domain automatically, and it comes already installed on Webdock stacks.
You can run the following command to install a free Let's Encrypt SSL certificate for the website web1.webdock.io:
certbot --nginx -d web1.webdock.io
If everything goes fine, you should see the following output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for web1.webdock.io
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/web1.webdock.io.conf

Next, Certbot will ask you to choose whether or not to redirect HTTP traffic to HTTPS. Option 1 will only download the SSL certificates and does not change your Nginx configuration file. Option 2 will download the SSL certificates and configure Nginx to use this certificate. Select option 2 and hit Enter to continue:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Once the Let's Encrypt certificates have been installed successfully, you should see the following output:
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/web1.webdock.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://web1.webdock.io

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=web1.webdock.io
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/web1.webdock.io/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/web1.webdock.io/privkey.pem
   Your cert will expire on 2019-11-20. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
Repeat the same process for your other websites
You would now proceed to repeat the process for all your other websites, exchanging the web root and domain names as is appropriate for your sites.
Once you have finished, you can test your SSL certificates by visiting the URL https://www.ssllabs.com/ssltest/analyze.html
Automate Let's Encrypt Certificate Renewal
Note: The following instructions are not necessary if you use the latest snap version of certbot, as certbot runs a systemd timer where the certs are renewed every 12 hours.
Let's Encrypt certificates are valid for only 90 days, so it is recommended to configure a cron job to renew them automatically.
You can set up the cron job by editing the crontab file:
crontab -e
Add the following line:
# Add this to root's crontab (sudo crontab -e). Entries edited with crontab -e take no user field.
10 11 * * * /usr/bin/certbot renew >/dev/null 2>&1
Save and close the file when you are finished.
This cron job runs daily at 11:10 AM, checks the currently installed certificates, and tries to renew them if they are less than 30 days away from the expiration date.
You can also renew the certificates manually with the following command.
certbot renew
If you want to just do a test to see whether certificates are being renewed correctly, you can issue the command with the --dry-run option.
certbot renew --dry-run
Let's Encrypt certificates and Apache
In this section we will learn how to configure Certbot to issue Let's Encrypt certificates for your websites web1.webdock.io and web2.webdock.io. We will also learn how to configure a cron job to renew Let's Encrypt certificates automatically.
Configure Certbot to issue Let's Encrypt certificates for the first website
You start with generating a certificate for one of your websites, in this example web1.webdock.io.
Certbot is a simple, easy-to-use tool that helps you download and install a free Let's Encrypt SSL certificate for your domain automatically.
You can run the following command to install a free Let's Encrypt SSL certificate for the website web1.webdock.io:
certbot --apache -d web1.webdock.io
You should see the following output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for web1.webdock.io
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/web1.webdock.io-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/web1.webdock.io-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/web1.webdock.io-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Choose the appropriate option and hit Enter. You should get the following output:
Redirecting vhost in /etc/apache2/sites-enabled/web1.webdock.io.conf to ssl vhost in /etc/apache2/sites-available/web1.webdock.io-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://web1.webdock.io

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=web1.webdock.io
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/web1.webdock.io/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/web1.webdock.io/privkey.pem
   Your cert will expire on 2019-11-20. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
Repeat the same process for your other websites
You would now proceed to repeat the process for all your other websites, exchanging the web root and domain names as is appropriate for your sites.
Once you have finished, you can test your SSL certificates by visiting the URL https://www.ssllabs.com/ssltest/analyze.html?d=web1.webdock.io.
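The "repeat for your other websites" step in both the Nginx and Apache sections can be scripted. The following is an added example, not part of the original tutorial: it issues one certificate per site without prompts, where --redirect stands in for answering 2 at the prompt. The contact address, the PLUGIN and LE_LIVE variables and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: one certificate per site, issued without prompts.
# Assumptions: CONTACT_EMAIL is a placeholder; PLUGIN is nginx or apache.
PLUGIN="${PLUGIN:-nginx}"
CONTACT_EMAIL="${CONTACT_EMAIL:-admin@example.com}"
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"

# Accept only plain lowercase hostnames, so a typo or a stray shell
# metacharacter in the site list never reaches certbot.
valid_domain() {
    case "$1" in *[!a-z0-9.-]*) return 1 ;; esac   # also rejects newlines
    printf '%s\n' "$1" |
        grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$'
}

# issue_all DOMAIN... ; the return status is the number of failed domains.
issue_all() {
    failed=0
    for domain in "$@"; do
        if ! valid_domain "$domain"; then
            echo "skip: '$domain' is not a valid hostname" >&2
            failed=$((failed + 1))
        elif [ -e "$LE_LIVE/$domain/fullchain.pem" ]; then
            # A certificate already exists; leave it to "certbot renew".
            echo "ok: $domain already has a certificate"
        elif certbot "--$PLUGIN" -d "$domain" --redirect \
                --non-interactive --agree-tos -m "$CONTACT_EMAIL"; then
            echo "ok: $domain issued"
        else
            echo "fail: $domain (see /var/log/letsencrypt/letsencrypt.log)" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Run as root, e.g.: PLUGIN=apache sh issue-certs.sh web1.webdock.io web2.webdock.io
if [ "$#" -gt 0 ]; then issue_all "$@"; fi
```
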
Automate Let's Encrypt Certificate Renewal
Let's Encrypt certificates are valid for only 90 days, so it is recommended to configure a cron job to renew them automatically.
You can set up the cron job by editing the crontab file:
crontab -e
Add the following line:
# Add this to root's crontab (sudo crontab -e). Entries edited with crontab -e take no user field.
10 11 * * * /usr/bin/certbot renew >/dev/null 2>&1
Save and close the file when you are finished.
This cron job runs daily at 11:10 AM, checks the currently installed certificates, and tries to renew them if they are less than 30 days away from the expiration date.
You can also renew the certificates manually with the following command.
certbot renew
If you want to just do a test to see whether certificates are being renewed correctly, you can issue the command with the --dry-run option.
certbot renew --dry-run
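Because the cron entry in both sections sends certbot's output to /dev/null, a renewal that keeps failing stays invisible until a certificate expires. The following is an added example, not part of the original tutorial: it reads the listing printed by "certbot certificates" and flags every certificate that renewal should already have replaced. The MIN_DAYS threshold of 20 (below the 30-day renewal window), the function name and the sample listing are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: flag certificates that "certbot renew" should already have
# replaced. Reads "certbot certificates" output on stdin, prints
# "name status" for each certificate with fewer than MIN_DAYS days left,
# and returns 1 if there is at least one.
MIN_DAYS="${MIN_DAYS:-20}"   # assumption: 10 days of slack under the 30-day window

stale_certs() {
    awk -v min="$MIN_DAYS" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            # The status is the parenthesised tail, e.g. "(VALID: 89 days)".
            status = $0
            sub(/^[^(]*\(/, "", status); sub(/\).*$/, "", status)
            days = -1                       # INVALID or unrecognised status
            if (status ~ /^VALID: [0-9]+ days?$/) {
                split(status, f, " "); days = f[2] + 0
            } else if (status ~ /^VALID: [0-9]+ hour/) {
                days = 0                    # less than one day left
            }
            if (days < min) { print name, status; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample, modelled on "certbot certificates" output.
SAMPLE='Found the following certs:
  Certificate Name: web1.webdock.io
    Domains: web1.webdock.io
    Expiry Date: 2023-02-08 11:10:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/web1.webdock.io/fullchain.pem
  Certificate Name: web2.webdock.io
    Domains: web2.webdock.io
    Expiry Date: 2022-11-22 11:10:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/web2.webdock.io/fullchain.pem'

# On a server, pipe in the real listing instead of the sample:
#   certbot certificates 2>/dev/null | stale_certs || logger -p cron.err "certbot renewal is failing"
printf '%s\n' "$SAMPLE" | stale_certs || echo "renewal needs attention" >&2
```
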