An example based on an Apache server running Ubuntu 18.04.
For name-based virtual hosting
With name-based virtual hosting, the server relies on the client to report the hostname as part of the HTTP headers. Using this technique, many different hosts can share the same IP address.
Configure your DNS server to map each hostname to the correct IP address and then configure the Apache HTTP Server to recognize the different hostnames.
One way to implement SSL (TLS) certificates for name-based virtual hosting is to use what is sometimes called a multi-domain SAN (Subject Alternative Name) certificate.
Example SAN site
You request multiple domains for the same certificate:
certbot -d site1 -d site2.com -d site3.com -d site4.com -d site5.com -d site6.com …
The following example shows a way to request one certificate per domain ‘set’, which should make revoking and tracking certificates easier.
An example of name-based virtual hosting domains
Our example is based on DNS entries where there are 2 DNS records for each “domain”:
the www version and the non-www version.
Example of a ‘set’ of www and non-www domains
An example of domain ‘sets’ pointing to the same IP address
Question: how many domains have you created SSL certificates for and pointed towards the same IP address?
We are planning for the potential of up to 600 sites pointing to the same IP.
The current setup also supports A records pointing to the same IP for both the www version and the non-www version.
The following examples are for folks with shell access and root or sudo access, and are for Apache 2.4 on Ubuntu 18.04.
Install certbot on your server and then:
1) Create an account
certbot register -m email@example.com,firstname.lastname@example.org --agree-tos
Notes on creating an account
Manage your account with Let’s Encrypt:
register Create a Let’s Encrypt ACME account
unregister Deactivate a Let’s Encrypt ACME account
update_account Update a Let’s Encrypt ACME account
--agree-tos Agree to the ACME server’s Subscriber Agreement
-m EMAIL Email address for important account notifications
Our CPS and Subscriber Agreement indicate that the Subscriber is whoever holds the private key for a certificate. For hosting providers, that’s the provider, not the provider’s customer. If you’re writing software that people deploy themselves, that’s whoever is deploying the software.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- We were unable to subscribe you the EFF mailing list because your
e-mail address appears to be invalid. You can try again later by
2) Back up letsencrypt
Once you create an account, set something up that makes a secure backup of everything under
/etc/letsencrypt every time you issue certbot or another certificate-managing command.
3) Create one Virtual Host config file per certificate (port 80).
Create a Virtual Hosts file for a ‘set’ of www and non-www domains
- A) In directory /etc/apache2/sites-enabled/
Create a vhost file for each ‘set’.
(Take the default file in the directory and rename it according to whatever naming convention you want for your certificates. I am using the non-www version of the domain for the name of the conf file: when I request the certificate, the first domain I pass in will be the non-www version. The certificate file and the virtual hosts file should then share something in common.)
Virtual Host file
Certificate Path: /etc/letsencrypt/live/pbacloudb2019.com/fullchain.pem
Example file names
Important entries different from the default
I shut down the Apache server when I place the Virtual Hosts file in the /etc/apache2/sites-enabled directory. Then I start up Apache so that it will recognize the new Virtual Hosts. You keep the Apache server running while you are requesting certificates.
4) Request certificates, one per virtual host file
a) certbot will edit the Apache configuration, so back it up
I just back up the *.conf files from /etc/apache/
b) stop the Apache (or web) server
c) try a --dry-run
This command checks that everything is in order before requesting the certificate.
certbot certonly --apache --dry-run -d pbaclouda2019.com -d www.pbaclouda2019.com
d) request the certificate
certbot --apache -d pbaclouda2019.com -d www.pbaclouda2019.com
5) First-time considerations
It will ask you:
: Redirect – Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.
6) Example files after requesting a certificate
You should see the following in your Apache virtual host file
- A) Virtual Host file like /etc/apache2/sites-enabled/pbacloudb2019.com.conf
In our example it should have the following entries
- B) Issue the command: certbot certificates
For Certificate pbaclouda2019.com you should see
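The procedure in steps 3 and 4 (one vhost file per www / non-www ‘set’, named after the non-www domain, then one certbot request per file) as an added POSIX sh example; this is not code from the original post, and it assumes the vhost template shown, a DocumentRoot of /var/www/<domain>, and that you run the commands it prints yourself, stopping or starting Apache as the steps above describe.

```shell
# Added example, not from the original post. For each base domain in a list
# it writes one port-80 vhost file named after the non-www domain, so that
# /etc/apache2/sites-enabled/<d>.conf matches /etc/letsencrypt/live/<d>/,
# and prints the matching certbot command (non-www domain first, www second).
# DocumentRoot under /var/www/<d> is an assumption, not from the post.

# Accept only a bare, non-www hostname: a URL such as http://www.x.com or a
# www. name is rejected, because certbot -d wants a hostname, not a URL.
valid_domain() {
    case "$1" in
        ""|www.*|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit the port-80 vhost config for one www / non-www 'set'.
vhost_conf() {
    d="$1"
    cat <<EOF
<VirtualHost *:80>
    ServerName ${d}
    ServerAlias www.${d}
    ServerAdmin webmaster@${d}
    DocumentRoot /var/www/${d}
    ErrorLog \${APACHE_LOG_DIR}/${d}-error.log
    CustomLog \${APACHE_LOG_DIR}/${d}-access.log combined
</VirtualHost>
EOF
}

# Build the certbot command for the set; pass "dry" for the --dry-run form.
certbot_cmd() {
    if [ "$2" = "dry" ]; then
        echo "certbot certonly --apache --dry-run -d $1 -d www.$1"
    else
        echo "certbot --apache -d $1 -d www.$1"
    fi
}

# Write <outdir>/<d>.conf for every valid domain and print the dry-run
# command to try first; invalid entries are reported on stderr and skipped.
generate_all() {
    outdir="$1"; shift
    for d in "$@"; do
        valid_domain "$d" || { echo "skipping invalid domain: $d" >&2; continue; }
        vhost_conf "$d" > "${outdir}/${d}.conf"
        certbot_cmd "$d" dry
    done
    return 0
}
```

Run it as `generate_all /etc/apache2/sites-enabled pbaclouda2019.com pbacloudb2019.com`, try the printed dry-run commands, and only then issue the non-dry form from `certbot_cmd` for each set.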
7) Getting help in the forums
SNI is a web server feature that allows multiple certificates per IP address.
The http-01 challenge is an easy file-based way certbot uses to identify and authenticate your server.
If the system can write files to the server you are managing for the domain you are requesting, things are good to go. Note, there is a thing called ‘rate limiting’. You can only request 100 certificates per day.
Helpful links and commands
dig is a Linux command line utility that shows DNS information.
Show the A records for a domain:
dig www.pbacloudb2019-doctortest.com +short
A site with a lot of options for checking SSL and DAN information
Show my certificates: certbot certificates
The maximum sites per cert is 100 (less is better).
The number of URLs has to be less than Maximum – urls_per_cert (100 max, can be as low as 25)
Is there a maximum number of certs per IP address?
Do you know of any SNI constraints and requirements?
certs_per_ip X urls_per_cert