Question

easy SSLCerificateFile question

Adding myDomain.net to an existing droplet which already has myDomain.com (apache web server, lamp-ubuntu-s) and certificate

creating myDomain.conf & myDomain-le-ssl.conf virtual hosts.

Do I only need one certificate for each droplet?

and do these look ok?

myDomain.net.conf

<VirtualHost *:80>
        ServerAdmin admin@myDomain.com
	ServerName myDomain.net
	ServerAlias www.myDomain.net
        DocumentRoot /var/www/myDomain.net/public_html

          <Directory /var/www/myDomain.net/public_html/>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        <IfModule mod_dir.c>
            DirectoryIndex index.php index.pl index.cgi index.html index.xhtml index.htm
        </IfModule>

	RewriteEngine on
	RewriteCond %{SERVER_NAME} =myDomain.net
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

myDomain-le-ssl.net.conf

IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin admin@myDomain.com
	ServerName myDomain.net
	ServerAlias www.myDomain.net
        DocumentRoot /var/www/myDomain.net/public_html

        <Directory /var/www/myDomain.net/public_html/>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        <IfModule mod_dir.c>
            DirectoryIndex index.php index.pl index.cgi index.html index.xhtml index.htm
        </IfModule>

        #ServerName myDomain.net
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/myDomain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/myDomain.com/privkey.pem
    </VirtualHost>
</IfModule>

Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

KFSys
Site Moderator
Site Moderator badge
April 15, 2024

Heya @fingers,

You’ll need to have separate SSL certificates for your Domains, even if they share the same App which they don’t but still wanted to make sure. You’ll still need a new SSL for each of your Domains.

As for the Apache configurations. They look good with the exception of

        #ServerName myDomain.net
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/myDomain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/myDomain.com/privkey.pem

as they call to the .com domain.

What you can try is for now to disable/rename the SSL/443 conf file and then try to use cerbot which can also automatically create the conf for you with the proper certificate file.

Bobby Iliev
Site Moderator
Site Moderator badge
April 15, 2024

Hi there!

Let’s break down your question and address the configuration issues:

The Main Question: Do you need separate certificates?

Yes, ideally you should have separate SSL certificates for each domain. While you can technically use a single certificate with multiple domains (using Subject Alternative Names), best practices suggest separate certificates for the following reasons:

  • Easier to manage, revoke, and renew individual certificates.
  • Reduces the risk of a single compromised certificate affecting multiple domains.
  • Gives you the ability to use different certificate authorities or encryption levels for different domains if needed.

Configuration Review:

Your configuration files (.conf) look good!

One thing that you should consider is using a tool like Certbot to obtain an SSL certificate specifically for myDomain.net. That way you don’t have to manually install your certificates or manually renew them:

https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu

As a side note, every time you make a change to Apache, make sure to reload/restart it.

Hope that this helps!

Best,

Bobby

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.