Let’s Encrypt certificate for different domains in different folders

If you're struggling to set up Let's Encrypt on a custom server setup of yours, look no more.

When it comes to tech, I'm the kind of guy who likes things to be just the way I want them. I might settle for some intermediate solution, but it will bug me until, days or months later, I finally do it just the way I see it.

I have a home server running a few VMs with a few services and websites on them. Recently, in order to simplify a setup that has grown over the last few years, I started consolidating all the domains I had been using and moving them onto subdomains of one of them.

I like having SSL everywhere I can, whether it's the lock icon in the address bar that makes it special, or just the basics of Internet security I try to be part of. In any case, if you're hosting any kind of web service yourself, then regardless of your setup you can get an SSL certificate for free from a trusted Certificate Authority like Let's Encrypt. And with the help of Certbot it's really easy. Unless you're like me and don't look for the easy way 🙂

There are many first- and third-party manuals online on how to install a Let's Encrypt certificate, or an SSL certificate from another issuer. The problem is that they are usually written for people whose domain in question is handled by Apache on port 80. That probably matches 95% of the use cases, but not mine. Besides not using the standard port 80, I run multiple domains and subdomains on one server in multiple server blocks and configurations.

I was having problems using Certbot's regular commands on an Nginx + Ubuntu 16.04 setup. I didn't need the bot to set up my configuration, since I had done that myself, so I used
sudo certbot --nginx certonly
or even
sudo certbot certonly
But that didn't help: I was getting 404 errors on the ACME challenge. I thought my custom port was to blame, since Certbot is presumably set up to work only with port 80 and so couldn't find the needed files there while I was using another port. As it turned out, the port wasn't to blame.

The real issue was that Certbot was looking for the files in the wrong folder on my VM's drive. It turns out that if you don't specify it explicitly, the bot looks for the files in predefined paths, which in my case were also custom 🙂

That's where the handy --webroot option comes in:
certbot certonly --webroot -w /var/www/example.com/test/ -d test.example.com
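The 404 above is easy to catch before you ever call Certbot: whatever folder you pass as -w, the HTTP-01 validator fetches http://<domain>/.well-known/acme-challenge/<token> on port 80, so a probe file written there must come back through the public name. The script below is an added example (not from the original post or from the Certbot project) that drops such a probe into each webroot, checks it with curl, and then builds one certonly command covering several domains in several folders, since each -w applies to the -d flags that follow it. The domain/webroot table and the probe token are constructed for the example; the folders are assumed to already be served by your Nginx server blocks.

```shell
#!/bin/sh
# Pre-flight check for certbot's --webroot mode with several domains in
# several folders. Added example, not the original post's or Certbot's code.
# Assumption (constructed): the domain->webroot table below, and that the
# web server already serves each folder for that name on port 80.

# Domain/webroot pairs, one per line: "<domain> <webroot>"
DOMAIN_MAP='test.example.com /var/www/example.com/test
blog.example.com /var/www/example.com/blog'

# Directory certbot writes challenge tokens into under a given webroot
challenge_dir() {
    printf '%s/.well-known/acme-challenge' "${1%/}"
}

# Create the challenge directory and drop a probe file holding a known
# body; prints the probe file's path
place_probe() {
    dir=$(challenge_dir "$1")
    mkdir -p "$dir"
    printf 'ok' > "$dir/$2"
    printf '%s/%s' "$dir" "$2"
}

# URL the ACME validator would fetch for that token. HTTP-01 always starts
# on port 80 of the domain, whatever port the site itself listens on.
probe_url() {
    printf 'http://%s/.well-known/acme-challenge/%s' "$1" "$2"
}

# Fetch the probe through the public name; non-zero means the server does
# not expose the folder certbot will write into (the 404 from the post)
check_served() {
    body=$(curl -fsS "$(probe_url "$1" "$2")" 2>/dev/null) || return 1
    [ "$body" = "ok" ]
}

# Build certbot's argument list from the map: each -w applies to the -d
# flags that follow it, so one run can cover every folder in the table
build_certbot_args() {
    printf 'certonly --webroot'
    printf '%s\n' "$DOMAIN_MAP" | while read -r domain webroot; do
        [ -n "$domain" ] || continue
        printf ' -w %s -d %s' "$webroot" "$domain"
    done
    printf '\n'
}

# The network-touching part only runs when asked for, so the file can be
# sourced or tested without curl reaching anything
if [ "${ACME_PREFLIGHT:-0}" = 1 ]; then
    token="probe-$$"
    printf '%s\n' "$DOMAIN_MAP" | while read -r domain webroot; do
        [ -n "$domain" ] || continue
        path=$(place_probe "$webroot" "$token")
        if check_served "$domain" "$token"; then
            echo "OK   $domain serves $path"
        else
            echo "FAIL $domain does not serve $path (certbot would get a 404)"
        fi
        rm -f "$path"
    done
    echo "next: sudo certbot $(build_certbot_args)"
fi
```

Run it as ACME_PREFLIGHT=1 sh preflight.sh on the server; a FAIL line for a domain means the Nginx location serving that name does not map /.well-known/acme-challenge/ onto the folder you intend to pass as -w, which is exactly the mismatch the predefined paths caused above. Only once every line reads OK is it worth running the printed certbot command.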

And that's how I got a shiny lock icon on one of my new subdomains.

For more info on the --webroot (and other) options, read the official Certbot user guide.