
multi domain SAN SSL symlink directories ? #1260

Closed
centminmod opened this issue Oct 31, 2015 · 7 comments

Comments

@centminmod

I successfully created a multi domain SAN SSL with webroot authentication at https://community.centminmod.com/posts/20018/ for le8.http2ssl.xyz and le9.http2ssl.xyz domains.

However, the only resulting live directory created is for /etc/letsencrypt/live/le8.http2ssl.xyz. If folks are automating the process, they are likely to anchor a variable to the domain name, so I would be looking for both

/etc/letsencrypt/live/le8.http2ssl.xyz
/etc/letsencrypt/live/le9.http2ssl.xyz - however this is missing

Suggestion

The suggestion is to create a symlink for other SAN domain name folders so /etc/letsencrypt/live/le9.http2ssl.xyz points to /etc/letsencrypt/live/le8.http2ssl.xyz

So for automation, folks can still anchor the variable for the domain name to the respective domain's vhost files

i.e.

  • vhostname=le8.http2ssl.xyz
  • vhostname=le9.http2ssl.xyz

So they can do stuff like

ssl_certificate      /etc/letsencrypt/live/${vhostname}/fullchain.pem;
ssl_certificate_key  /etc/letsencrypt/live/${vhostname}/privkey.pem;
@centminmod (Author)

@bmw @jsha @pde any input would be great :)

@bmw (Member)

bmw commented Nov 10, 2015

Unfortunately, I'm not sure if we'll ever make the suggested change here. Doing so would require some major rearchitecture of the client and would take some time. Furthermore, it also is likely to make things more complicated for us. For instance, when the certificate is renewed, we'd have to make sure that the symlinks for every domain in the certificate are updated. This leads to more problems like properly cleaning up the mess if we crash before updating all symlinks.

With that said, I can explain to you how the name is chosen as well as offer a potential solution to your problem. As you may already be aware, all domains that are input to a single run of letsencrypt are put into one certificate. The name of the directory in /etc/letsencrypt/live is the first name you specify, whether it be on the command line or at the prompt given by LE if you do not specify the names on the command line. This is not necessarily true when using plugins like Apache which try to detect the domain names for you, but I don't believe this applies to you.

If the above information does not help, another thing you can do is to run LE once for each domain. While this is less efficient, the directory is created in /etc/letsencrypt/live as you expect and may make things easier for automation purposes.

@centminmod (Author)

Thanks @bmw for the explanation and info.

I guess I can see about scripting my automation around the 1st domain listed in a multi-domain SAN SSL run via webroot authentication :)

@bmw bmw added this to the Wishlist milestone Nov 12, 2015
@SamMousa

I'm confused how this would be a big issue in all but the biggest environment.
Wouldn't it be simple to just fully remove the live directory and rebuild it when given the appropriate flag?
By using symlinking for each domain name you get a standard that works regardless of issuing strategy. Why would my webserver care if I have 1 certificate per domain or 1 certificate for all domains, as long as it knows where to find it?

This simple batch script will generate symlinks for all SANs and could be used to create a new "live" directory with symlinks. Note that you could even decide to implement it the exact same way (keeping the live dir and just creating another directory with symlinks for all domain names).

#!/bin/bash

base=/etc/letsencrypt/live
for d in "$base"/*; do
    echo "------ LINK $d TO:"
    # Pull the DNS: entries out of the certificate's SAN list, one name per line.
    # (sed strips the "DNS:" prefix as a string; `tr -d "DNS:"` would delete every D, N, S and : character.)
    for domain in $(openssl x509 -in "$d/cert.pem" -noout -text | grep 'DNS:' | sed 's/DNS://g' | tr ',' '\n' | sed 's/^ *//'); do
        echo "$domain"
        ln -s "$d" "$domain"
    done
done

Disclaimer: I'm no bash scripting genius, so this can undoubtedly be done in a better way.
Disclaimer2: Since this is for illustration only, symlinks are created in the current directory.

@h0l0gram

Hi all
I like to have a folder for each domain/subdomain, similar to what letsencrypt is doing with the "live" folder. This makes configuring apache etc. much easier.

I wrote a bash script letslink.sh to create a symlink for each domain in a certificate:
https://github.com/h0l0gram/letsencrypt-utils
Let me know if that solves your issue as well.

Merry Christmas

@pde (Member)

pde commented Dec 25, 2015

One problem with doing this by default is that letsencrypt currently supports multiple cert lineages that cover a given domain name (it isn't encouraged, but it is supported with --duplicate for instance, and some people have reasons to do it).

Which isn't to say that this couldn't be done, it would just be quite a lot of reengineering work for a small payoff. Scripts like @h0l0gram's are a good workaround for folks who want this.
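A hardened take on @SamMousa's approach that also handles @pde's point about two lineages covering the same name: it links into a separate directory rather than live/, parses only the SAN extension, refuses names that would escape the link directory, and reports a name already linked to a different lineage instead of silently repointing it. This is an added example, not code from the thread or from the letsencrypt project; it assumes each lineage directory holds cert.pem (as in the thread), that openssl is on PATH, and the "by-name" directory is a hypothetical choice.

```bash
#!/bin/bash
# Build a separate directory of per-SAN symlinks next to live/ instead of
# touching live/ itself, so renewals keep working exactly as before.
# Assumed layout (as in the thread): <live_dir>/<lineage>/cert.pem

# Print the DNS names from `openssl x509 -text` output read on stdin.
# Only the line after the Subject Alternative Name header is parsed, so an
# "IP Address:" entry or a stray "DNS" elsewhere in the dump is ignored.
san_names() {
  awk '
    /X509v3 Subject Alternative Name/ { grab = 1; next }
    grab {
      n = split($0, parts, /,[ \t]*/)
      for (i = 1; i <= n; i++)
        if (parts[i] ~ /^[ \t]*DNS:/) { sub(/^[ \t]*DNS:/, "", parts[i]); print parts[i] }
      grab = 0
    }'
}

# link_names <lineage dir> <link dir> <name>...: create <link dir>/<name> -> <lineage dir>.
# A name already linked to a different lineage (the --duplicate case) is left
# alone and reported, rather than silently repointed at whichever came last.
link_names() {
  local lineage="$1" link_dir="$2" name target
  shift 2
  mkdir -p "$link_dir"
  for name in "$@"; do
    # SANs are hostnames; never let one become a path component like ../x
    case "$name" in ""|*/*|.*) echo "refusing unsafe name '$name'" >&2; continue ;; esac
    target="$link_dir/$name"
    if [ -L "$target" ] && [ "$(readlink "$target")" != "$lineage" ]; then
      echo "conflict: $name already points at $(readlink "$target"); skipping $lineage" >&2
      continue
    fi
    ln -sfn "$lineage" "$target"
  done
}

# link_sans <live dir> <link dir>: walk every lineage and link all of its SANs.
link_sans() {
  local live_dir="$1" link_dir="$2" lineage names n
  for lineage in "$live_dir"/*/; do
    lineage="${lineage%/}"
    [ -f "$lineage/cert.pem" ] || continue
    names=()
    while IFS= read -r n; do names+=("$n"); done \
      < <(openssl x509 -in "$lineage/cert.pem" -noout -text | san_names)
    link_names "$lineage" "$link_dir" "${names[@]}"
  done
}

# Usage: link_sans /etc/letsencrypt/live /etc/letsencrypt/by-name   (by-name is a hypothetical dir)
```

Point the vhost at /etc/letsencrypt/by-name/${vhostname}/fullchain.pem and live/ stays exactly as the client manages it.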

@schoen (Contributor)

schoen commented Apr 23, 2019

I think in practice we've decided not to do this as a built-in feature. We can revisit it if we undertake a broad revision to certificate management in the future (and we could also include in our documentation a link to scripts that do this if someone wants to contribute them).

@schoen schoen closed this as completed Apr 23, 2019
@bmw bmw removed this from the Wishlist milestone Jun 7, 2019