
I have 2500 public domains (like www.example.com, example.com, www.example.net, and example.net) running on a single IP address using Apache VirtualHost.

I want to set up letsencrypt for all these domains. What is the recommended way of doing that? Are there automated tools that can do this?

The solution should be:

  • proven to work (not guesswork)
  • complete
  • work on a single IP

The active part of my <VirtualHost> section looks like this:

<VirtualHost *:80>
  # www.sub.example.com -> sub.example.com/html/
  RewriteCond ${lowercase:%{SERVER_NAME}} ^(www\.)?(.*)
  RewriteRule ^/(.*)$ /home/hotels/%2/html/$1
</VirtualHost>
Ole Tange
  • certbot+scripting – Rui F Ribeiro Feb 12 '18 at 19:35
  • @RuiFRibeiro I do not see certbot supporting mass virtual hosting on a single IP. Do you have a link for that? – Ole Tange Feb 12 '18 at 20:14
  • I said certbot *+scripting*. This seems to be a clue to one possible solution https://www.digitalocean.com/community/tutorials/how-to-set-up-let-s-encrypt-certificates-for-multiple-apache-virtual-hosts-on-ubuntu-14-04 – Rui F Ribeiro Feb 12 '18 at 20:16
  • It looks like you will run into rate limits (https://letsencrypt.org/docs/rate-limits/). The document mentions how to request a rate limit increase for specific situations (I have not checked thoroughly whether your case fits). – dhag Feb 12 '18 at 21:55

2 Answers


The first thing is that you need Apache v2.2.12 or later and OpenSSL v0.9.8j or later to support multiple SSL certificates on a single IP address with SNI. Check your server and verify the version of the Apache web server before proceeding. If your machine does not support these or later versions, you will need to upgrade.

Digicert has a nice write up on Using Multiple SSL Certificates in Apache with One IP Address

As noted, you will need to create a separate virtual host for each domain. Each virtual host will have its own SSL certificate configuration. Let's Encrypt will allow you to create one SSL certificate for each domain using wildcards or multi-server specification through certbot.

Digital Ocean has a write-up on How to Set Up Let's Encrypt Certificates, which also includes installing certbot on Ubuntu. If your server is not Ubuntu, get installation instructions from certbot. Additionally you may need the Let's Encrypt documentation.

You create an SSL certificate for each domain through certbot using instructions like:

certbot --apache -d example.com -d www.example.com
certbot --apache -d example.net -d www.example.net

Notice each command is for a different domain but you can have multiple host names per domain.

In your Apache configuration you create a virtual host for each domain:

NameVirtualHost *:443

# One name-based TLS virtual host per domain; SNI selects it by ServerName/ServerAlias
<VirtualHost *:443>
  ServerName www.example.com
  ServerAlias example.com
  DocumentRoot /var/www/site
  SSLEngine on
  SSLCertificateFile /path/to/www_example_com.crt
  SSLCertificateKeyFile /path/to/www_example_com.key
  SSLCertificateChainFile /path/to/LetsEncrypt.ca
</VirtualHost>

<VirtualHost *:443>
  ServerName www.example.net
  ServerAlias example.net
  DocumentRoot /var/www/site2
  SSLEngine on
  SSLCertificateFile /path/to/www_example_net.crt
  SSLCertificateKeyFile /path/to/www_example_net.key
  SSLCertificateChainFile /path/to/LetsEncrypt.ca
</VirtualHost>

Depending on the type of certificate you receive and the version of Apache, you may have to specify the actual IP address <VirtualHost 192.168.1.3:443> rather than <VirtualHost *:443>

Leave the Port 80 Virtual Host, <VirtualHost *:80>, intact to support non-SSL inbound traffic. You have some work creating up to 2500 virtual hosts to support SSL. Test with one or two first before you dive in.

Do not forget to enable the Apache SSL module with

a2enmod ssl
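
Scripting the two steps above (one certbot run and one TLS virtual host per domain) for all 2500 domains, as an added example that is not part of this answer, of certbot's documentation or of the questioner's setup: it walks the /home/hotels/<domain>/html/ layout from the question, prints one certbot invocation per domain and one <VirtualHost *:443> stanza per domain, and pauses between batches. The HOTELS, LE_LIVE, BATCH and PAUSE values, the use of `certonly --webroot` instead of `--apache`, and pointing SSLCertificateFile at fullchain.pem (which carries the intermediate, so no SSLCertificateChainFile is needed on Apache 2.4.8 or later) are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example (not from the original answer): generate one certbot command
# and one TLS <VirtualHost> per domain from the /home/hotels/<domain>/html/
# layout in the question. HOTELS, LE_LIVE, BATCH and PAUSE are assumptions.

HOTELS="${HOTELS:-/home/hotels}"             # one directory per bare domain
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"  # certbot's default lineage dir
BATCH="${BATCH:-50}"                         # assumed; size against the LE rate-limit doc
PAUSE="${PAUSE:-3h}"                         # assumed pause between batches

# List bare domains: every directory under $HOTELS that has an html/ docroot.
# The :80 RewriteRule in the question strips "www.", so directory names are
# the bare domains.
domains() {
    for p in "$HOTELS"/*/html; do
        [ -d "$p" ] || continue
        d=${p%/html}
        printf '%s\n' "${d##*/}"
    done
}

# One certbot invocation per domain. --webroot answers the HTTP-01 challenge
# through the existing :80 vhost, so the :443 config can be written afterwards.
# --cert-name pins the lineage directory under $LE_LIVE to the bare domain.
certbot_cmd() {
    printf 'certbot certonly --webroot -w %s/%s/html --cert-name %s -d %s -d www.%s\n' \
        "$HOTELS" "$1" "$1" "$1" "$1"
}

# One <VirtualHost *:443> per domain, pointing at certbot's live/ symlinks,
# which renewals update in place. fullchain.pem = leaf + intermediate.
vhost() {
    cat <<EOF
<VirtualHost *:443>
  ServerName $1
  ServerAlias www.$1
  DocumentRoot $HOTELS/$1/html
  SSLEngine on
  SSLCertificateFile $LE_LIVE/$1/fullchain.pem
  SSLCertificateKeyFile $LE_LIVE/$1/privkey.pem
</VirtualHost>

EOF
}

# Emit every certbot command, inserting a sleep after each BATCH domains so a
# 2500-domain run is paced rather than fired at the CA in one go.
certs_script() {
    n=0
    domains | while read -r d; do
        certbot_cmd "$d"
        n=$((n + 1))
        if [ $((n % BATCH)) -eq 0 ]; then
            echo "sleep $PAUSE"
        fi
    done
}

# Emit the complete :443 configuration for all domains.
vhosts_conf() {
    domains | while read -r d; do
        vhost "$d"
    done
}

case "${1:-}" in
    certs)  certs_script ;;   # sh gen.sh certs  > issue.sh ; review ; sh issue.sh
    vhosts) vhosts_conf ;;    # sh gen.sh vhosts > /etc/apache2/sites-available/hotels-ssl.conf
    *)      : ;;              # no argument: define the functions only
esac
```

Review the generated issue.sh before running it, and test with one or two domains first, as the answer suggests; the pause exists because the Let's Encrypt rate-limits page linked in the comments has per-account as well as per-registered-domain limits, and the assumed batch of 50 every three hours should be sized against that document rather than trusted as written.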

To avoid maintaining 2500 individual <VirtualHost>s look at https://github.com/varnish/hitch/blob/master/docs/vhosts.md

Put the certificates in /home/hotels/*/certs/:

./hitch --backend=localhost:80 \
--frontend=[*]:443 \
/home/hotels/*/certs/*.pem

(Untested).

Ole Tange