Using acme.sh for installing and renewing a single multidomain certificate

#!/bin/bash

sudo /.../my-letsencrypt-clone/letsencrypt-auto certonly -v -t --webroot \
   -w /var/www/web1/ -d www.domain1.com -d domain1.com -d subdomain.domain1.com \
   -w /var/www/web2/ -d web2.com \
   -w /var/www/web3/ -d www.web3.com -d web3.com

# A couple of extra commands to move the renewed cert (in `/etc/letsencrypt/live/`) to 
# /etc/ssl/private/mycertfolder

sudo service apache2 restart
sudo service postfix restart
sudo doveadm reload

The script above is what I have been using for the past few years to renew my single multidomain cert, but now, because of deprecation issues (my server is old and upgrading it is not an option), I need to use acme.sh without changing my current setup. I have some doubts though. My best guess for issuing and installing the cert with acme.sh is the following couple of commands (expecting that, without doing anything else, the acme.sh cert-renewal cronjob will do the right thing after that):

$ acme.sh  --issue  \
-d www.domain1.com -d domain1.com -d subdomain.domain1.com -w /var/www/web1/ \
-d web2.com -w /var/www/web2/ \
-d www.web3.com -d web3.com -w /var/www/web3/

$ acme.sh --install-cert \
-d www.domain1.com -d domain1.com -d subdomain.domain1.com \
-d web2.com \
-d www.web3.com -d web3.com \
--cert-file      /etc/ssl/private/mycertfolder/cert.pem  \
--key-file       /etc/ssl/private/mycertfolder/key.pem  \
--fullchain-file /etc/ssl/private/mycertfolder/fullchain.pem \
--reloadcmd     "service apache2 restart; service postfix restart; doveadm reload"

But I'm not sure from the documentation whether that command will issue a single certificate for all of the domains, or three certificates, one for each -w option. It's not strictly specified in the docs either, but I guess each -w specifies the validation method (webroot) for all of the -ds that appear before it and after the last -w, similar to how letsencrypt works.

My second command has been written under the ASSUMPTION that the first command will issue a single certificate for all of the domains, but I'm not sure if I have to actually write all of the domains again if there's only one cert involved or if there are more things to take into account.
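Added worked example, not code from the question and not acme.sh's own code: a small POSIX sh script that models how acme.sh pairs -d with -w, so the argument order can be checked on paper before anything is sent to a CA. It rests on these assumptions, stated here and in the comments: from my reading of acme.sh's issue() code, webroots are matched positionally (the n-th -w goes with the n-th -d, and once the -w list runs out the last -w is reused for the remaining domains), which is not the certbot rule the question assumes; the paths contain no whitespace; --staging is accepted by acme.sh as the alias of --test; and --install-cert is keyed on the certificate's main (first) -d, so the SANs need not be repeated there. The functions acme_webroot_map, webroot_for, staging_issue_cmd and install_cmd are mine.

```shell
#!/bin/sh
# Added example, not code from the post or from acme.sh itself.
# ASSUMPTION (how acme.sh pairs -d and -w): webroots are matched by position,
# the n-th -w to the n-th -d; when the -w list is shorter than the -d list,
# the last -w seen is reused for every remaining domain. That differs from
# certbot's rule, so the argument order in the question would give domain1.com
# the web2 root. Confirm the real behaviour with --staging before relying on it.

# acme_webroot_map ARGS...: print "domain<TAB>webroot" for each -d, in order.
# Paths are assumed to contain no whitespace.
acme_webroot_map() {
    domains=""
    roots=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -d | --domain)  domains="$domains $2"; shift 2 ;;
            -w | --webroot) roots="$roots $2";     shift 2 ;;
            *)              shift ;;
        esac
    done
    set -- $roots          # word-split the collected webroots into $1..$n
    current=""
    for d in $domains; do
        if [ $# -gt 0 ]; then
            current="$1"   # next webroot in the list, if any is left
            shift
        fi
        printf '%s\t%s\n' "$d" "$current"
    done
}

# webroot_for DOMAIN ARGS...: the webroot the mapping assigns to one domain.
webroot_for() {
    want="$1"; shift
    acme_webroot_map "$@" | awk -F '\t' -v d="$want" '$1 == d { print $2 }'
}

# Argument list exactly as written in the question.
POSTED_ARGS="-d www.domain1.com -d domain1.com -d subdomain.domain1.com -w /var/www/web1/ \
-d web2.com -w /var/www/web2/ \
-d www.web3.com -d web3.com -w /var/www/web3/"

# One -w per -d gives the intended mapping no matter how the lists are paired;
# the first -d remains the certificate's main domain.
FIXED_ARGS="-d www.domain1.com -w /var/www/web1/ \
-d domain1.com -w /var/www/web1/ \
-d subdomain.domain1.com -w /var/www/web1/ \
-d web2.com -w /var/www/web2/ \
-d www.web3.com -w /var/www/web3/ \
-d web3.com -w /var/www/web3/"

# staging_issue_cmd ARGS...: the --issue line to run first, against the
# Let's Encrypt staging CA, so a wrong webroot costs nothing in rate limits.
staging_issue_cmd() {
    printf 'acme.sh --staging --issue %s\n' "$*"
}

# install_cmd MAIN_DOMAIN: --install-cert is keyed on the main domain only
# (assumption stated above); the SANs live in the cert's own config.
install_cmd() {
    cat <<EOF
acme.sh --install-cert -d $1 \\
    --cert-file      /etc/ssl/private/mycertfolder/cert.pem \\
    --key-file       /etc/ssl/private/mycertfolder/key.pem \\
    --fullchain-file /etc/ssl/private/mycertfolder/fullchain.pem \\
    --reloadcmd      "service apache2 restart; service postfix restart; doveadm reload"
EOF
}

echo "# mapping from the posted argument order:"
acme_webroot_map $POSTED_ARGS
echo "# mapping with one -w per -d:"
acme_webroot_map $FIXED_ARGS
echo "# dry run against staging, then the one-time install:"
staging_issue_cmd $FIXED_ARGS
install_cmd www.domain1.com
```

Run it and compare the two tables: with the posted order the model hands domain1.com /var/www/web2/ and web2.com /var/www/web3/, while the one -w per -d form keeps every name on its own webroot. Whichever form acme.sh turns out to use, the --staging run settles it, and the staging CA's certificate shows up in the same ~/.acme.sh/www.domain1.com/ directory, with all six names in one certificate. If a later production --issue reports "Domains not changed" and skips, add --force. Two things to check on the install side: the --reloadcmd restarts services, so acme.sh and its cron entry have to run as root (the cron job runs as whichever user installed acme.sh), and /etc/ssl/private/mycertfolder should stay root-owned and mode 0700 since key.pem is written there on every renewal.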

Ginnungagap
Just use the staging API from Let's Encrypt and test it out yourself. You're running an exotic setup on an obsolete infrastructure, who better to test that it works as you expect?
@Ginnungagap OK, thank you, I'll try.