Score:0

Why I see all Vhost domain names in SSL certificate, what did I do wrong?

br flag

I have a VPS that hosts 2 websites, and I have 2 domains, domain1.com and domain2.com

Server Nginx running on Ubuntu 20.04

I installed certbot and nginx according to their instructions and CA is Letsencrypt.

The problem is that when I visit https://domainX.com and click on the lock icon to view the cert (in Firefox) and select 'More information', I can see the other website's domain names as well, like:

Subject Alt Names

DNS Name domain1.com

DNS Name www.domain1.com

DNS Name domain2.com

DNS Name www.domain2.com

  • How can I prevent this from being shown? Is this a DNS record problem, or is it because certbot suggested these 4 names and I just wanted to get a cert for all 4 during installation?
  • Now that the cert has been issued, what's the proper way to get a *.domainX certificate for each one so they don't show up in one another?

Thank you.

Score:1
in flag

You got the certificates all in one. Most probably your command was:

certbot -d domain1.com -d www.domain1.com -d domain2.com -d www.domain2.com

That way you get one certificate that contains all domains as SANs.

To prevent this get certificates individually:

certbot -d domain1.com -d www.domain1.com
certbot -d domain2.com -d www.domain2.com

(assuming it is okay to have www and non-www in the same certificate).

To change this now it should suffice to run the second commands with the --force-renewal parameter.

If it doesn't work you can just use certbot delete to delete them and then create them again.

user174174
br flag
Actually certbot automatically listed: 1)dom1 2)www.dom1 3)dom2 4)www.dom2 [enter for all] so I did that (no difference here) but running the commands in your answer will create one cert per domain if I'm not wrong. How can I use the wildcard like *.dom1 and *.dom2? and is it preferred/useful to have individual ones for each subdomain? i.e. does it matter to have a separate cert for mail.domain / ftp.domain / www.domain? It'll be great if you update the answer.
in flag
The given commands will create two certificates containing two SANs (with and without www). You can create wildcard certificates with Let's Encrypt, but only with validation via DNS records, which must be supported by your DNS provider. Read the documentation.
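As an added example (not part of the original answer or of certbot itself), here is a small audit script that detects the situation described in this thread: a single certbot lineage whose SAN list spans more than one site. It parses the text output of `certbot certificates` (the sample below is constructed, not captured from a real host), groups the names by registrable domain, flags any lineage that mixes sites, and prints one `certbot -d ...` command per site, mirroring the answer's fix. The "last two labels" rule for the registrable domain is an assumption that works for example.com-style names only; a real audit would use the Public Suffix List.

```python
import re
from typing import Dict, List

# Constructed sample of `certbot certificates` output (not from a real server):
# the first lineage bundles both sites, the second is correctly scoped to one site.
SAMPLE_CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: domain1.com
    Serial Number: 0123456789abcdef
    Key Type: RSA
    Domains: domain1.com www.domain1.com domain2.com www.domain2.com
    Expiry Date: 2024-01-01 00:00:00+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/domain1.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/domain1.com/privkey.pem
  Certificate Name: domain3.example
    Serial Number: fedcba9876543210
    Key Type: ECDSA
    Domains: domain3.example www.domain3.example mail.domain3.example
    Expiry Date: 2024-01-01 00:00:00+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/domain3.example/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/domain3.example/privkey.pem
"""


def parse_certbot_certificates(text: str) -> Dict[str, List[str]]:
    """Map each certbot lineage name to the DNS names (SANs) it covers."""
    lineages: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Certificate Name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            lineages[current] = []
            continue
        m = re.match(r"\s*Domains:\s*(.+)", line)
        if m and current is not None:
            lineages[current] = m.group(1).split()
    return lineages


def registrable_domain(name: str) -> str:
    """Naive registrable-domain heuristic: the last two labels.

    Assumption: adequate for example.com-style names; it is wrong for
    suffixes such as co.uk, where the Public Suffix List would be needed.
    """
    name = name.lower().rstrip(".")
    if name.startswith("*."):  # wildcard names belong to their base domain
        name = name[2:]
    labels = name.split(".")
    return ".".join(labels[-2:])


def find_cross_site_lineages(lineages: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {lineage: sorted sites} for every certificate whose SANs span more than one site."""
    findings: Dict[str, List[str]] = {}
    for name, domains in lineages.items():
        sites = sorted({registrable_domain(d) for d in domains})
        if len(sites) > 1:
            findings[name] = sites
    return findings


def suggested_reissue_commands(lineages: Dict[str, List[str]]) -> List[str]:
    """One certbot invocation per site for each mixed lineage, as in the answer's fix."""
    cmds: List[str] = []
    for name, sites in find_cross_site_lineages(lineages).items():
        for site in sites:
            names = [d for d in lineages[name] if registrable_domain(d) == site]
            cmds.append("certbot " + " ".join(f"-d {d}" for d in names))
    return cmds


if __name__ == "__main__":
    # Stand-alone run against the constructed sample; on a real host, feed it
    # the captured output of `certbot certificates` instead.
    parsed = parse_certbot_certificates(SAMPLE_CERTBOT_OUTPUT)
    for lineage, sites in find_cross_site_lineages(parsed).items():
        print(f"lineage {lineage!r} mixes sites: {', '.join(sites)}")
    for cmd in suggested_reissue_commands(parsed):
        print("  " + cmd)
```

Running it against the sample reports that the `domain1.com` lineage mixes `domain1.com` and `domain2.com` and prints the two separate `certbot -d ...` commands from the answer; after re-issuing, rerun `certbot certificates` and the script should report nothing. This checks the certbot side only; to confirm what nginx actually serves for each vhost, inspect the certificate presented for each `server_name` in the browser as the question describes.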