How to issue Let's Encrypt certificates for multiple websites (Nginx and Apache)

Last updated: September 15th 2019

Issuing Let's Encrypt certificates for multiple websites in a shared server / virtual hosting environment

Let's Encrypt is a free and open-source authority run by Internet Security Research Group that offers free SSL certificates for your domain. Let's Encrypt SSL certificates is absolutely free and also used for production use as well. In order to install Let’s Encrypt free SSL, you will need a valid domain name pointed with your server IP and it will issue a certificate for you.

In our previous tutorials, we learned How to Configure Nginx to serve Multiple Websites and How to Configure Apache to serve Multiple Websites

Now, we will learn how to configure Certbot to issue Let's Encrypt certificates for all your websites.

Webdock does not recommend you use our servers for shared hosting as it can cause a range of issues and stops you from using some of our management tools, namely our easy Let's Encrypt / Certbot management for SSL Certificates. Click here to read why we think you should really use a single VPS for each website / app.

Please note: Doing these actions may bring down your server. Do not do this on a live site without knowing the potential consequences.

Prerequisites

  • A fresh Webdock cloud Ubuntu instance with a LAMP/LEMP stack installed.
  • Two valid domain names are pointed with your VPS IP address. In this tutorial, we will use web1.webdock.io and web2.webdock.io.
  • You have shell (SSH) access to your VPS.

Let's Encrypt Certificates and Nginx

In this section we will learn how to configure certbot to issue Let's Encrypt certificates for your websites web1.webdock.io and web2.webdock.io. We will also learn how to configure cron job to renew Let's Encrypt certificates automatically.

Warning: Please make sure you have not set the domains you are trying to generate certificates for in the Server Identity tool in Webdock as this will write the domain names to the standard webdock config at /etc/nginx/sites-enabled/webdock and confuse Certbot. If you need reverse DNS and hostname set, then after using Server Identity in Webdock, make sure you remove the domain names you are creating certificates for below from the default webdock nginx config file.

Configure Certbot to issue Let's Encrypt certificates for the first website

You start with generating a certificate for one of your websites, in this example web1.webdock.io.

Certbot is a simple and an easy to use tool that helps you to download and install Let's Encrypt free SSL for your domain automatically and comes already installed on Webdock stacks.

You can run the following command to install Let's Encrypt free SSL for website web1.webdock.io:

certbot --nginx -d web1.webdock.io

If everything goes fine, you should see the following output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for web1.webdock.io
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/web1.webdock.io.conf

Next, certbot will ask to choose whether or not to redirect HTTP traffic to HTTPS. Option 1 will only download the SSL certificates and does not change your Nginx configuration file. Option 2 will download the SSL certificates and configure Nginx to use this certificate. Select option 2 and hit Enter to continue:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Once the Let's Encrypt certificates have been installed successfully, you should see the following output:

Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/web1.webdock.io.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://web1.webdock.io

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=web1.webdock.io
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/web1.webdock.io/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/web1.webdock.io/privkey.pem
   Your cert will expire on 2019-11-20. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Repeat the same process for your other websites

You would now proceed to repeat the process for all your other websites, exchanging the web root and domain names as is appropriate for your sites.

Once you have finished, you can test your SSL certificates by visiting the URL https://www.ssllabs.com/ssltest/analyze.html?d=web1.webdock.io.

Automate Let's Encrypt Certificate Renewal

Let’s Encrypt certificates are valid only for 90 days. So, it is recommended to configure cron job to renew Let's Encrypt Certificate automatically.

You can setup cron job by editing crontab file:

crontab -e

Add the following line:

10 11 * * *   root /usr/bin/certbot renew >/dev/null 2>&1

Save and close the file, when you are finished.

This cron job will run daily at 11:10 AM, check the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.

You can also renew the certificates manually with the following command.

certbot renew

If you want to just do a test to see whether certificates are being renewed correctly, you can issue the command with the --dry-run option.

certbot renew --dry-run

Let's Encrypt certificates and  Apache

In this section we will learn how to configure certbot to issue Let's Encrypt certificates for your websites web1.webdock.io and web2.webdock.io. We will also learn how to configure cron job to renew Let's Encrypt certificates automatically.

Configure Certbot to issue Let's Encrypt certificates for the first website

You start with generating a certificate for one of your websites, in this example web1.webdock.io.

Certbot is a simple and an easy to use tool that helps you to download and install Let's Encrypt free SSL for your domain automatically.

You can run the following command to install Let's Encrypt free SSL for website web1.webdock.io:

certbot --apache -d web1.webdock.io

You should see the following output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for web1.webdock.io
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/web1.webdock.io-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/web1.webdock.io-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/web1.webdock.io-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Choose the appropriate option and hit Enter. You should get the following output:

Redirecting vhost in /etc/apache2/sites-enabled/web1.webdock.io.conf to ssl vhost in /etc/apache2/sites-available/web1.webdock.io-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://web1.webdock.io

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=web1.webdock.io
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/web1.webdock.io/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/web1.webdock.io/privkey.pem
   Your cert will expire on 2019-11-20. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Repeat the same process for your other websites

You would now proceed to repeat the process for all your other websites, exchanging the web root and domain names as is appropriate for your sites.

Once you have finished, you can test your SSL certificates by visiting the URL https://www.ssllabs.com/ssltest/analyze.html?d=web1.webdock.io.

Automate Let's Encrypt Certificate Renewal

Let’s Encrypt certificates are valid only for 90 days. So, it is recommended to configure cron job to renew Let's Encrypt Certificate automatically.

You can setup cron job by editing crontab file:

crontab -e

Add the following line:

10 11 * * *   root /usr/bin/certbot renew >/dev/null 2>&1

Save and close the file, when you are finished.

This cron job will run daily at 11:10 AM, check the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.

You can also renew the certificates manually with the following command.

If you want to just do a test to see whether certificates are being renewed correctly, you can issue the command with the --dry-run option.

certbot renew --dry-run