Apparently this does not work, I do not get the second domain entered: https://ssl-tools.net/webservers/rpg-foren.com
It also doesn’t look like everything is replaced correctly, the ecc file is missing the subdomain:
cat /etc/runit/1.d/letsencrypt
#!/bin/bash
/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
issue_cert() {
  LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue $2 -d rpg-foren.com -d www.rpg-foren.com --keylength $1 -w /var/www/discourse/public
}
cert_exists() {
  [[ "$(cd /shared/letsencrypt/rpg-foren.com$1 && openssl verify -CAfile <(openssl x509 -in ca.cer) fullchain.cer | grep "OK")" ]]
}
########################################################
# RSA cert
########################################################
issue_cert "4096"
if ! cert_exists ""; then
  # Try to issue the cert again if something goes wrong
  issue_cert "4096" "--force"
fi
LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh \
  --installcert \
  -d rpg-foren.com \
  -d www.rpg-foren.com --fullchainpath /shared/ssl/rpg-foren.com.cer \
  --keypath /shared/ssl/rpg-foren.com.key \
  --reloadcmd "sv reload nginx"
########################################################
# ECDSA cert
########################################################
issue_cert "ec-256"
if ! cert_exists "_ecc"; then
  # Try to issue the cert again if something goes wrong
  issue_cert "ec-256" "--force"
fi
LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh \
  --installcert --ecc \
  -d rpg-foren.com \
  --fullchainpath /shared/ssl/rpg-foren.com_ecc.cer \
  --keypath /shared/ssl/rpg-foren.com_ecc.key \
  --reloadcmd "sv reload nginx"
if cert_exists "" || cert_exists "_ecc"; then
  grep -q 'force_https' "/var/www/discourse/config/discourse.conf" || echo "force_https = 'true'" >> "/var/www/discourse/config/discourse.conf"
fi
/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop
I have just executed the following manually, now the certificates fit:
/shared/letsencrypt/acme.sh --issue --force -d rpg-foren.com -d www.rpg-foren.com --keylength 4096 -w /var/www/discourse/public --server letsencrypt
/shared/letsencrypt/acme.sh --issue --force -d rpg-foren.com -d www.rpg-foren.com --keylength ec-256 -w /var/www/discourse/public --server letsencrypt
/shared/letsencrypt/acme.sh --installcert -d rpg-foren.com -d www.rpg-foren.com --fullchainpath /shared/ssl/rpg-foren.com.cer --keypath /shared/ssl/rpg-foren.com.key --reloadcmd "sv reload nginx"
/shared/letsencrypt/acme.sh --installcert -d rpg-foren.com -d www.rpg-foren.com --fullchainpath /shared/ssl/rpg-foren.com_ecc.cer --keypath /shared/ssl/rpg-foren.com_ecc.key --reloadcmd "sv reload nginx"
this is my rewrite for forwarding:
   # tell letsencrypt what additional certs to get
    - replace:
        filename: "/etc/runit/1.d/letsencrypt"
        from: /--keylength/
        to: "-d www.rpg-foren.com --keylength"
    - replace:
        filename: "/etc/runit/1.d/letsencrypt"
        from: /--fullchainpath/
        to: "-d www.rpg-foren.com --fullchainpath"
    - file:
        path: /etc/nginx/conf.d/discourse_redirect.conf
        contents: |
          server {
            listen 80;
            listen 443 ssl;
            server_name www.rpg-foren.com;
            return 301 $scheme://rpg-foren.com$request_uri;
            ssl_protocols TLSv1.2 TLSv1.3;
            ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
            ssl_prefer_server_ciphers off;
            ssl_certificate /shared/ssl/rpg-foren.com.cer;
            ssl_certificate /shared/ssl/rpg-foren.com_ecc.cer;
            ssl_certificate_key /shared/ssl/rpg-foren.com.key;
            ssl_certificate_key /shared/ssl/rpg-foren.com_ecc.key;
            ssl_session_tickets off;
            ssl_session_timeout 1d;
            ssl_session_cache shared:SSL:1m;
          }
Is it possible that a replace command is only executed once?