Setting up Let’s Encrypt with Multiple Domains

Good idea! It is now a wiki!

3 Likes

Thanks Jeff, I’ve updated the first post with @brahn’s updates from Jul '17

3 Likes

Got a suspicion something’s changed here, this script no longer works fully. One of my subdomains isn’t working anymore. I’ll investigate when I have more time. But FYI and perhaps someone will know something …

3 Likes

Yeah, looks like the web.letsencrypt.ssl.template.yml has changed recently and the after_ssl replace hook will no longer work. Unless someone else fixes it first I will eventually get to it but I am swamped at the moment so it might take a few weeks.

4 Likes

Since this commit from @gerhard the subject alternate names are no longer added due to the implementation of ECC. This effectively breaks any multisite installations which use the above method. cc:@sam

4 Likes

:crying_cat_face: A site that I just attempted to upgrade is no longer getting certs at all.

EDIT: Just saw @gerhard’s edit. I’ll give it a shot in a minute and report back.

1 Like

Yeah, the edit in the OP is untested, but I think it should work. I’d like to make this less fragile… maybe I can add some kind of env variable for all the hostnames, so that the hacky replace isn’t needed anymore.

And sorry for the problems this new elliptic curve certificate caused. I didn’t know that this Howto topic existed, otherwise I would have been more careful. :blush:

5 Likes

Thanks, @gerhard! I can confirm that it works!

The site that I just upgraded works for both example.com and https://www.example.com (which redirects to apex domain).

2 Likes

Why did we need this cert?

IE11 on Windows 7/8 needed it because none of the cipher suites recommended by Mozilla would work otherwise. As a bonus: all modern browsers prefer ECDSA over RSA and profit from it as well. It’s smaller and faster.

3 Likes

I see, there are more details here

2 Likes

Is there something up with the replace statement here? I tested it as written, but looking inside the container at /etc/runit/1.d/letsencrypt a line break appears as follows:

--keylength
 $1 -w /var/www/discourse/public

OK, looks as though the to: line needs to be:

to: "-d www.main-domain.com -d second-domain.com -d www.second-domain.com -d other-domain.com -d www.other-domain.com --keylength"

Although inspecting the certificate it still doesn’t seem to correctly install.

Do the acme.sh statements also need updating to include the domains?
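As an added example (not code from the Discourse template or from anyone in this thread), the shell below builds the `-d host ... --keylength` replacement string as a single line, rejects hostnames that would break the quoted YAML value, and checks a rendered runit script for the exact symptom shown above: `--keylength` left at the end of one line with its value on the next. Hostnames, file contents and the `$1` placeholder are constructed to match the output quoted in this post, not taken from a live container.

```shell
#!/bin/sh
# Added example, not part of the Discourse template. Hostnames and file
# contents below are constructed to mirror the post above.

# build_domain_args HOST... -> prints "-d HOST1 -d HOST2 ... --keylength"
# on ONE line, or fails if a hostname would break the YAML "to:" string.
build_domain_args() {
    out=""
    for host in "$@"; do
        case "$host" in
            ""|*[!A-Za-z0-9.-]*|.*|*.|*..*)
                echo "build_domain_args: invalid hostname '$host'" >&2
                return 1 ;;
        esac
        out="${out}-d ${host} "
    done
    [ -n "$out" ] || { echo "build_domain_args: no hostnames" >&2; return 1; }
    printf '%s--keylength\n' "$out"
}

# keylength_split_check FILE -> 0 if "--keylength" is followed by its value
# on the same line, 1 if the template rendered the value onto the next
# line (the break seen in /etc/runit/1.d/letsencrypt above).
keylength_split_check() {
    grep -q -- '--keylength[[:space:]][[:space:]]*[^[:space:]]' "$1"
}

# Demo: a constructed broken rendering next to a correctly joined one.
broken=$(mktemp)
fixed=$(mktemp)
printf '%s\n' '--keylength' ' $1 -w /var/www/discourse/public' > "$broken"
printf 'acme.sh --issue %s $1 -w /var/www/discourse/public\n' \
    "$(build_domain_args www.main-domain.com second-domain.com www.second-domain.com)" > "$fixed"

for f in "$broken" "$fixed"; do
    if keylength_split_check "$f"; then
        echo "$f: --keylength and its value share a line (ok)"
    else
        echo "$f: --keylength is split from its value (template replace hook misfired)"
    fi
done
rm -f "$broken" "$fixed"
```

Running the file prints one line per constructed rendering; the same `keylength_split_check` can be pointed at the real `/etc/runit/1.d/letsencrypt` inside the container after a rebuild to confirm the replace hook produced a single line.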

@gerhard I haven’t had any more time to dig through this and figure out what else was broken, but I’ve just heard from someone else who hasn’t been able to get additional sites working with your fix. Any thoughts?

This one case doesn’t seem to be disrupted, multiple domains to the default site, but multisite isn’t functioning at all.

2 Likes

I updated the OP and verified that it works in a multisite setup. Also, I pushed a fix for the web.letsencrypt.ssl.template.yml template.

6 Likes

Thanks for that @gerhard, as this was definitely broken for me for a while before your changes and now works great :+1:t2::tada:

1 Like

How can I reissue the certificate?
I want to add another domain.

Is it enough to just add -d another.domain.com and ./launcher rebuild app?

Yes, it should work. Give it a try.

Does it detect changes somehow or just reissues on every rebuild? (if the latter, I heard there is some rate limit by letsencrypt)

Thanks for the instructions! It helps a lot!
There is a useful service https://check-your-website.server-daten.de to check SSL, redirects and other server settings!

It shows me that old Safari versions don’t work

Safari 6 / iOS 6.0.1 Server sent fatal alert: handshake_failure
Safari 7 / iOS 7.1 R Server sent fatal alert: handshake_failure
Safari 7 / OS X 10.9 R Server sent fatal alert: handshake_failure
Safari 8 / iOS 8.4 R Server sent fatal alert: handshake_failure
Safari 8 / OS X 10.10 R Server sent fatal alert: handshake_failure

and it advises me to do the following (how do I do it?)

Wrong redirect: one domain http to another domain http. First redirect to https without changing the domain, so no new DNS query is required and the server can send the HSTS header. That’s fundamental when using HSTS (HTTP Strict Transport Security). First step: add correct redirects http ⇒ https. Perhaps in your port 80 vHost something like “RewriteEngine on” + “RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]” (two rows, without the "). Don’t add this in your port 443 vHost, that would create a loop. Then recheck your domain, it should be Grade C. There is the rule to select one https version as the preferred version.
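The rule the checker is applying above (first hop goes to https on the same host, and only then can HSTS take effect) can be turned into a small offline check. The shell below is an added example, not code from the checker service or from Discourse: `classify_redirect` takes a request URL and the `Location` header it received and reports whether the hop is the kind the advice wants, and `hsts_max_age` extracts the `max-age` from a `Strict-Transport-Security` value. All URLs and header values here are constructed; nothing is fetched.

```shell
#!/bin/sh
# Added example, not from the checker service or the thread. Inputs are
# constructed strings standing in for captured request/response pairs.

# host_of URL -> lowercase host part of an http(s) URL (port/path stripped)
host_of() {
    printf '%s\n' "$1" \
        | sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#[/:?].*$##' \
        | tr 'A-Z' 'a-z'
}

# classify_redirect FROM_URL LOCATION -> prints one of:
#   ok         https, same host (HSTS can be sent on the next response)
#   still-http Location is not https, so no HSTS header can ever apply
#   wrong-host scheme upgraded but host changed (the case flagged above)
# Exit status is 0 only for "ok".
classify_redirect() {
    from_host=$(host_of "$1")
    to_host=$(host_of "$2")
    case "$2" in
        https://*) ;;
        *) echo "still-http"; return 1 ;;
    esac
    if [ "$from_host" != "$to_host" ]; then
        echo "wrong-host"
        return 1
    fi
    echo "ok"
}

# hsts_max_age HEADER_VALUE -> prints the max-age number, or nothing if
# the header carries no max-age directive (then HSTS is not in effect).
hsts_max_age() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# Demo over constructed hops: the flagged pattern, then the corrected one.
for pair in \
    "http://www.example.com/t/1|http://example.com/t/1" \
    "http://www.example.com/t/1|https://example.com/t/1" \
    "http://www.example.com/t/1|https://www.example.com/t/1"; do
    from=${pair%%|*}; to=${pair#*|}
    printf '%s -> %s : %s\n' "$from" "$to" "$(classify_redirect "$from" "$to")"
done
printf 'HSTS max-age: %s\n' "$(hsts_max_age 'max-age=31536000; includeSubDomains')"
```

Feed it the `Location` and `Strict-Transport-Security` headers from a real `curl -sI http://www.your-domain` to see which of the three cases your port 80 vhost is producing.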