Tutorial
How to Set Up Let’s Encrypt Certificates for Multiple Apache Virtual Hosts on Ubuntu 14.04
Introduction
SSL certificates are used within web servers to encrypt the traffic between server and client, providing extra security for users accessing your application. Let’s Encrypt provides an easy way to obtain and install trusted certificates for free.
This tutorial will show you how to set up TLS/SSL certificates from Let’s Encrypt for securing multiple virtual hosts on Apache, within an Ubuntu 14.04 server.
We will also cover how to automate the certificate renewal process using a cron job.
##Prerequisites
In order to complete this guide, you will need:
- An Ubuntu 14.04 server with a non-root sudo user, which you can set up by following our Initial Server Setup guide
- A functional Apache web server installation hosting multiple virtual hosts
It is important that each virtual host is set up in its own separate configuration file, and can be accessed externally via browser. For a detailed guide on how to properly set up Apache virtual hosts on Ubuntu, follow this link.
For the purpose of this guide, we will install Let’s Encrypt certificates for the domains example.com and test.com. These will be referenced throughout the guide, but you should substitute them with your own domains while following along.
When you are ready to move on, log into your server using your sudo account.
##Step 1 — Download the Let’s Encrypt Client
The first step to using Let’s Encrypt to obtain an SSL certificate is to install the certbot software on your server. The Certbot developers maintain their own Ubuntu software repository with up-to-date versions of the software. Because Certbot is in such active development it’s worth using this repository to install a newer Certbot than provided by Ubuntu.
First, add the repository:
You’ll need to press ENTER to accept. Afterwards, update the package list to pick up the new repository’s package information:
And finally, install Certbot from the new repository with apt-get:
The certbot Let’s Encrypt client is now ready to use.
##Step 2 — Set Up the Certificates
Generating an SSL Certificate for Apache using the certbot Let’s Encrypt client is quite straightforward. The client will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters.
Although it is possible to bundle multiple Let’s Encrypt certificates together, even when the domain names are different, it is recommended that you create separate certificates for unique domain names. As a general rule of thumb, only subdomains of a particular domain should be bundled together.
###Generating the first SSL certificate
We will start by setting up the SSL certificate for the first virtual host, example.com.
We will execute the interactive installation and obtain a bundled certificate that is valid for a domain and a subdomain, namely example.com as base domain and www.example.com as subdomain. You can include any additional subdomains that are currently configured in your Apache setup as either virtual hosts or aliases.
Run the certbot command with:
Notice that the first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate, and for that reason we recommend that you pass the bare top-level domain name as first in the list, followed by any additional subdomains or aliases.
For this example, the base domain will be example.com.
After the dependencies are installed, you will be presented with a step-by-step guide to customize your certificate options. You will be asked to provide an email address for lost key recovery and notices, and you will be able to choose between enabling both http and https access or forcing all requests to redirect to https.
When the installation is finished, you should be able to find the generated certificate files at /etc/letsencrypt/live. You can verify the status of your SSL certificate with the following link (don’t forget to replace example.com with your base domain):
https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest
You should now be able to access your website using a https prefix.
Generating the second SSL certificate
Generating certificates for your additional virtual hosts should follow the same process described in the previous step.
Repeat the certificate install command, now with the second virtual host you want to secure with Let’s Encrypt:
For this example, the base domain will be test.com.
Again, you can verify the status of your SSL certificate with the following link (don’t forget to replace test.com with your base domain):
https://www.ssllabs.com/ssltest/analyze.html?d=test.com&latest
If you want to generate certificates for additional virtual hosts, simply repeat the process, and don’t forget to use the bare top-level domain as your base domain.
##Step 3 — Set Up Auto-Renewal
Let’s Encrypt’s certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. We’ll need to set up a regularly run command to check for expiring certificates and renew them automatically.
To run the renewal check daily, we will use cron, a standard system service for running periodic jobs. We tell cron what to do by opening and editing a file called a crontab.
Your text editor will open the default crontab which is a text file with some help text in it. Paste in the following line at the end of the file, then save and close it:
. . .
15 3 * * * /usr/bin/certbot renew --quiet
The 15 3 * * * part of this line means “run the following command at 3:15 am, every day”. You may choose any time.
The renew command for Certbot will check all certificates installed on the system and update any that are set to expire in less than thirty days. --quiet tells Certbot not to output information nor wait for user input.
cron will now run this command daily. Because we installed our certificates using the --apache plugin, Apache will also be reloaded to ensure the new certificates are used.
For more information on how to create and schedule cron jobs, you can check our How to Use Cron to Automate Tasks in a VPS guide.
##Conclusion
In this guide, we saw how to install free SSL certificates from Let’s Encrypt in order to secure multiple virtual hosts on Apache. We recommend that you check the official Let’s Encrypt blog for important updates from time to time.
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
About the author(s)
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.
Cool! One Question… I have 3 websites under a single domain name, i.e. websiteA.mywebsite.com, websiteB.mywebsite.com and websiteC.mywebsite.com. I have a SSL cert on one of the (websitesWebsiteA.mywebsite.com) already. Will I need to dump that to do the other two?
If you run the setup above again but add the extra domains along with the current domain like so:
sudo certbot --apache -d websiteA.mywebsite.com -d websiteB.mywebsite.com -d websiteC.mywebsite.comIt will ask you to expand
(E)the certificate to the other domains.I keep getting an error:
Detail: Failed to connect to host for DVSNI challenge
To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
However, my DNS is setup that way.
Any thoughts?
Peter
I had this issue because when I first setup my droplet I followed these instructions to setup a firewall with ufw, which meant port 443 (used for HTTPS) was blocked.
You can verify this by running
In my case, every port was blocked except for 80 and 22, like that tutorial suggests. So to open up port 443, just run:
The latest version of Letsencrypt seems to have an issue creating a virtual host file for you. If you are affected by this, create an SSL vhost manually first and then run the
letsencrypt-autocommand again.Is there going to be a version of this tutorial for encrypting multiple domains with nginx instead of apache?
Really good !
I have a question. I used this command to set up the certificate ./letsencrypt-auto --apache -d example.com -d www.example.com and all worked well.
I want set up the autorenewal, have to use this
30 2 * * 1 /usr/local/sbin/le-renew example.com >> /var/log/le-renew.log 30 2 * * 1 /usr/local/sbin/le-renew www.example.com >> /var/log/le-renew.log
or this
30 2 * * 1 /usr/local/sbin/le-renew example.com www.example.com >> /var/log/le-renew.log
THX
Hello @gbrozzi ! Since you created a bundled certificate that is valid for both
example.comandwww.example.com, you only need one cron entry. The way this auto-renewal script works you won’t need to pass all the extra domains bundled together, you only need to provide the base domain (first in the list). You should add a line like this to your cron:That will be enough for renewing
example.comandwww.example.comsince they were bundled together. Hope that helps!Thank you very much for this article! I have been depressed for how to make multiple domains for a period of time. :D
Can I do this also on Centos 7 ? Would be awesome
I created a very simple shell script to ensure the Let’s Encrypt repository is always up-to-date:
mhaddy@ubuntu-tor1:~/bash$ cat gitupdates.sh #!/bin/sh #where’s the repository that needs updating? cd “/opt/letsencrypt”
sudo git pull
Then made this run every Monday @ 2:15 AM:
#update git let’s encrypt before above update SSL cert, every mon @ 2:15 AM 15 2 * * 1 /home/mhaddy/bash/gitupdates.sh >> /var/log/gitupdates.log
Hi, that’s great for me! https works on mysite.com, but all other page I got ‘not found’. Please, what I need to work to get whole site below the ssl? thanks a lot!
I set up my domains using Server Pilot. When I run the commands in this tutorial, everything works up to “certbot-auto --apache -d test.com -d www.test.com”, after which I get an error message that an Apache config file isn’t in the correct place. Is there a work-around for this? Thanks.
For example, I already generated 1st certificate for mypet.com and cat.mypet.com
If in the future, I want to add bird.mypet.com, do I need to create new certificate for the bare and all existing and new subdomain, or only bare and new subdomain?
Great tutorial! I have a question…
I installed a multidomain certificate on my digitalocean server and chose to “force all requests to redirect to SSL”. However, this is causing a problem with my Wordpress and the easiest solution would be to remove the forces SSL.
How can I “un-force” all pages from redirecting to SSL? this would be for the virtualhosts.
Thanks! Mel
Howdy, any help with the following error much appreciated
$ sudo certbot-auto --apache -d mydomain.xyz -d box.mydomain.xyz -d www.mydomain.xyz [sudo] password for : Upgrading certbot-auto 0.11.0 to 0.11.1… Replacing certbot-auto… Creating virtual environment… Installing Python packages… Installation succeeded. Saving debug log to /var/log/letsencrypt/letsencrypt.log Failed to find apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin The apache plugin is not working; there may be problems with your existing configuration. The error was: NoInstallationError(‘Cannot find Apache control command apache2ctl’,)
Hi David,
I have the same problem as well any luck?
Kind regards, Nicholas
I just went through the process of generating a single Let’s Encrypt certificate for multiple subdomains. There were some minor challenges that I encountered and resolved. I posted a short article in the link below explaining the leasons learned I gained when installing Let’s Encrypt digital certificates on my Apache web server which provides HTTP and HTTPS access to multiple subdomains.
https://www.hueyise.com/index.php/letsencrypt
My most important “lessons learned” is that you need to create a VirtualHost for the HTTP access AND a VirtualHost for each subdomain accessible via HTTPS. IMPORTANT: Each VirtualHost definition must be specified in a single configuration file. The Let’s Encrypt certbot will not operate correctly if multiple VirtualHosts are defined within a single configuration file. I defined three (3) VirtualHosts in three (3) different configuration files below. For the image in https://www.hueyise.com/index.php/letsencrypt, the dummy.conf file serves no functional purpose within Apache (i.e., it will not cause an unnecessary 999 listening port), but it is absolutely necessary for digital certificates to be successfully generated by certbot.
This comment has been deleted
I am getting the following error after executing :
$ certbot-auto --apache -d example.com -d www.example.com
Failed to find apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin The apache plugin is not working; there may be problems with your existing configuration. The error was: NoInstallationError(‘Cannot find Apache control command apache2ctl’,)
Does anyone else gets this or did I do something wrong?
Great tutorial! I’m trying to get SSL certs for my subdomain on a WordPress multi-site. When I go through the steps I get to this part and run into trouble with the subdomain:
We were unable to find a vhost with a ServerName or Address of beta.example.com. Which virtual host would you like to choose? (note: conf files with multiple vhosts are not yet supported)
1: example.com.conf | Multiple Names | | Enabled 2: 000-default.conf | | | Enabled 3: default-ssl.conf | | HTTPS |
Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 1 Waiting for verification… Cleaning up challenges Created an SSL vhost at /etc/apache2/sites-available/example.com-le-ssl.conf Deploying Certificate for example.com to VirtualHost /etc/apache2/sites-available/example.com-le-ssl.conf Enabling available site: /etc/apache2/sites-available/example.com-le-ssl.conf Deploying Certificate for www.example.com to VirtualHost /etc/apache2/sites-available/example.com-le-ssl.conf
We were unable to find a vhost with a ServerName or Address of beta.example.com. Which virtual host would you like to choose? (note: conf files with multiple vhosts are not yet supported)
1: example.com.conf | Multiple Names | | Enabled 2: 000-default.conf | | | Enabled 3: default-ssl.conf | | HTTPS | 4: example.com-le-ssl.conf | Multiple Names | HTTPS | Enabled
Select the appropriate number [1-4] then [enter] (press ‘c’ to cancel): 1 The selected vhost would conflict with other HTTPS VirtualHosts within Apache. Please select another vhost or add ServerNames to your configuration. VirtualHost not able to be selected.
Did I configure my DNS wrong or do I need to create a new vhost just for the multisite subdomain?
Nevermind, I was having issues because I was using the tutorial https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple-wordpress-sites-using-multisite that explains multsite by subdirectory rather than subdomain.
Hello, I have a system that use simple passwords but i’m using complex passwords on it. After install the certificate "with the second choose to redirect all traffic to HTTPS "the system don’t let me login with any account Anyway to allow http:// access again to be able to log in and change admin password then redirect the traffic again?
I solved it by: 1- go to /etc/apache2/sites-available 2- I found two subdomains subdomain.domain.com I updated this one “not the -le-ssl.conf one” 3- hashed with # the below lines RewriteEngine on #RewriteCond %{SERVER_NAME} =mydomainname.com [OR] #RewriteCond %{SERVER_NAME} =subdmain.mydomainname.com #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] 4- Cleared the cache and cookies in my web browser. 5- Logged in and it works, but you’ll find some up normal activity, Don’t worry it’ll work again :)
thank you.
sudo certbot --apache -d example.com -d www.example.com I finished the SSL installation with this command.
Subsequently, what should I do if I add ‘subdomain.example.com’, which is a subdomain of example.com?
sudo certbot --apache -d example.com ? or sudo certbot --apache -d example.com -d www.example.com -d subdomain.example.com ?
For reference, My Site is WordPress Multi Site.
"We were unable to find a vhost with a ServerName or Address of " Why will it not let me install a second certificate?