generate multiple certs for single nginx container #57

Closed
sandrodz opened this issue May 2, 2016 · 30 comments

@sandrodz

sandrodz commented May 2, 2016

Is it possible to generate multiple certificates like:

  • VIRTUAL_HOST: domain1.com,domain2.com,domain3.com
  • LETSENCRYPT_HOST: domain1.com,domain2.com,domain3.com

I have a single nginx server behind nginx-proxy. I don't want to have a separate nginx server for each domain.

This companion doesn't generate SSL for all the mentioned domains: domain1.com,domain2.com,domain3.com

@JrCs
Collaborator

JrCs commented May 3, 2016

Yes, it must work as you describe.
If not, can you post the logs?

@sandrodz
Author

sandrodz commented May 9, 2016

Hi, sorry it took me a while to play with all possible combinations, hence the belated reply.

But I don't seem to understand the logic. Sometimes a specific SSL is generated for a domain, sometimes the same one is used for several domains... I cannot really comprehend the logic behind these.

screen shot 2016-05-09 at 6 46 34 pm
screen shot 2016-05-09 at 6 47 03 pm
screen shot 2016-05-09 at 7 06 04 pm

@JrCs
Collaborator

JrCs commented May 9, 2016

All seems OK except wiseadvices.com. Perhaps you created it before grouping all domains. So remove the wiseadvices.com directory and relaunch the companion.

@sandrodz
Author

sandrodz commented May 9, 2016

so:

adjara -> adjara
cdn -> adjara
demos -> adjara
njord -> njord
shop -> shop
wise -> wise

Both shop and njord are in the group too, but they have their own certs?

And is it possible to have the main one be not adjara but something else instead?

@sandrodz
Author

sandrodz commented May 9, 2016

I deleted the old certs dir and let it be recreated, and I see this:

screen shot 2016-05-09 at 9 11 26 pm

I don't see how it is normal to group unrelated domains. Grouping sub-domains makes sense, but this is not what I see.

What worries me is this though:

screen shot 2016-05-09 at 9 13 37 pm

Can I show a different domain there? Like we are de's as common name, instead of adjara.

@JrCs
Collaborator

JrCs commented May 10, 2016

The "main" domain is the first domain set in the LETSENCRYPT_HOST variable.

@sandrodz
Author

Yeah, I got that :) Also, the symbolic links make sense. But why is that domain displayed in the SSL overview? The common name should be we are.de, not adjara, right?

@JrCs
Collaborator

JrCs commented May 10, 2016

Because it's the "main" domain. Open the certificate details to see the other domains that are in the certificate:
screenshot

@sandrodz
Author

we are de is the first in the LETSENCRYPT_HOST variable; you can also see that the symbolic links point to we are de, not adjara. So how come adjara is the main?

@sandrodz
Author

screen shot 2016-05-10 at 3 03 22 pm

@JrCs
Collaborator

JrCs commented May 10, 2016

Remove all certs and restart companion.

@sandrodz
Author

The result is the same; could it be alphabetic?

@JrCs
Collaborator

JrCs commented May 10, 2016

No, it's the first one, I'm sure.
Try to declare one cert by one cert in LETSENCRYPT_HOST and see if it works.

@sandrodz
Author

Hang on 5 mins, I'll make a video.

@JrCs
Collaborator

JrCs commented May 10, 2016

You must see this message in the logs:

Creating/renewal $base_domain certificates...

Where $base_domain is the first host of your LETSENCRYPT_HOST variable.

@sandrodz
Author

sandrodz commented May 10, 2016

Here you go, contains log messages also.

http://sendvid.com/x1s0eboq

@JrCs
Collaborator

JrCs commented May 10, 2016

Sorry, I can't access the video at the moment. Check if the message in the logs is right.

@sandrodz
Author

It's correct.
screen shot 2016-05-10 at 3 38 05 pm

@JrCs
Collaborator

JrCs commented May 10, 2016

So all certs must point to the weare.de.com directory?

@sandrodz
Author

sandrodz commented May 10, 2016

Yes, all of them point to the weare.de.com dir, like on the screenshots.

The problem is the common name that the certificate displays on all pages, which is adjaragroup.

This:

screenshot

Shouldn't it be we are de?

@JrCs
Collaborator

JrCs commented May 10, 2016

Check that a new certificate has been created (check the details in the certificate about the creation date).
You can also try to remove adjaragroup from LETSENCRYPT_HOST and from the certs directory and restart the companion. If a new certificate is created, you must not see adjaragroup in the common name.

@JrCs
Collaborator

JrCs commented May 10, 2016

It seems that simp_le creates the SAN with the domains sorted alphabetically. So the common name will be adjaragroup. But it doesn't matter because your certificate is valid for all alternate domains.
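
To check the point made in the comment above with OpenSSL, here is an added example (not part of the thread and not the project's code). It builds a throwaway self-signed certificate whose CN is the alphabetically first name rather than the first name listed, then tests which hostnames the certificate is valid for. The `*.example` names and function names are placeholders, and it assumes OpenSSL 1.1.1 or later for `-addext` and `-ext`.

```shell
# make_demo_cert OUT_PEM CN SAN...  -> throwaway self-signed cert, key discarded
make_demo_cert() (
  out=$1; cn=$2; shift 2
  san=""
  for h in "$@"; do san="${san:+$san,}DNS:$h"; done
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$out.key" \
    -out "$out" -subj "/CN=$cn" -addext "subjectAltName=$san" 2>/dev/null
  rm -f "$out.key"
)

# Common name: the single name a browser's certificate summary tends to show.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# DNS names in subjectAltName, one per line: what hostname validation uses.
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName |
    tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_covers PEM HOST -> exit status 0 if the certificate is valid for HOST
cert_covers() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# Constructed input: operator order, as it would appear in LETSENCRYPT_HOST.
HOSTS="weare.example adjara.example cdn.example"
# Assumption taken from the thread: the client sorts the names alphabetically,
# so the CN ends up being the alphabetically first one.
CN=$(printf '%s\n' $HOSTS | sort | head -n 1)
tmp=$(mktemp -d)
make_demo_cert "$tmp/fullchain.pem" "$CN" $HOSTS
echo "CN: $(cert_cn "$tmp/fullchain.pem")"
echo "SAN entries:"; cert_sans "$tmp/fullchain.pem"
for h in $HOSTS unlisted.example; do
  cert_covers "$tmp/fullchain.pem" "$h" && echo "valid      $h" || echo "NOT valid  $h"
done
rm -rf "$tmp"
```

The same `cert_cn`, `cert_sans` and `cert_covers` functions can be pointed at a real `fullchain.pem` to confirm that every configured host is covered regardless of which name ended up as the CN.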

@sandrodz
Author

So you're saying even if I remove adjara, I will get the common name next in alphabetic order, that is cdn?

@JrCs
Collaborator

JrCs commented May 10, 2016

Yes, I think.

@sandrodz
Author

After searching and reading everything, this seems to be the root issue: certbot/certbot#2798

So since v 0.5 this bug was introduced in the letsencrypt client. Version 0.6 includes the fix.

At what version is your docker container?

@JrCs
Collaborator

JrCs commented May 11, 2016

The companion container doesn't use the letsencrypt client but simp_le.
There seems to be an issue open for that: kuba/simp_le#72

@sandrodz
Author

I see, and there is a PR that changes things: kuba/simp_le#105

@sandrodz
Author

Btw, my workaround: I added the subdomain abc.main.domain to get it to be the common name.

@JrCs
Collaborator

JrCs commented May 12, 2016

Good!
