Scenario
We host multiple blogs on multiple domains and need multiple SSL/TLS certificates.
We want one certificate per domain. We do NOT want one certificate re-used across the whole network. By default, sudo /opt/bitnami/bncert-tool issues a single certificate with every domain name listed in its Subject Alternative Name (SAN) field. That is not acceptable: anyone who connects to any one of the sites can read the full list of domains hosted together out of the certificate, and the same list is published in the Certificate Transparency logs. It is a serious information leak.
Solution
Run sudo /opt/bitnami/bncert-tool multiple times.
Run it once for each certificate you want.
Problem
Each run of /opt/bitnami/bncert-tool reconfigures the system to use only the certificate it has just created.
It sets the site domain in
/opt/bitnami/apps/wordpress/htdocs/wp-config.php with
define( 'DOMAIN_CURRENT_SITE', 'rapturezone.com' );
The new certificate is created at: /opt/bitnami/letsencrypt/certificates/rapturezone.com.crt
A symbolic link to it is created at:
/opt/bitnami/apache2/conf/rapturezone.com.crt
The new private key is created at:
/opt/bitnami/letsencrypt/certificates/rapturezone.com.key
A symbolic link to it is created at:
/opt/bitnami/apache2/conf/rapturezone.com.key
The crontab is emptied and replaced with a single job that renews the last created certificate.
However, the earlier certificates and keys in /opt/bitnami/letsencrypt/certificates and the rest of /opt/bitnami/letsencrypt/ are left intact, so nothing has to be reissued.
Solution
Create a Virtual Host Per Certificate
Give each domain its own pair of VirtualHosts, with the port 443 one pointing at that domain's own certificate and key symlinks. Note that ServerAlias *.rapturezone.com only decides which VirtualHost answers a request; the certificate issued for rapturezone.com covers just the names it was issued for, so any subdomain you actually serve (www, for example) must be among those names or browsers will report a name mismatch.
sudo nano /opt/bitnami/apps/wordpress/conf/httpd-vhosts.conf
<VirtualHost *:80>
ServerName rapturezone.com
ServerAlias *.rapturezone.com
DocumentRoot "/opt/bitnami/apps/wordpress/htdocs"
Include "/opt/bitnami/apps/wordpress/conf/httpd-app.conf"
</VirtualHost>
<VirtualHost *:443>
ServerName rapturezone.com
ServerAlias *.rapturezone.com
DocumentRoot "/opt/bitnami/apps/wordpress/htdocs"
SSLEngine on
SSLCertificateFile "/opt/bitnami/apache2/conf/rapturezone.com.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/rapturezone.com.key"
Include "/opt/bitnami/apps/wordpress/conf/httpd-app.conf"
</VirtualHost>
Include the Virtual Hosts file in bitnami-apps-vhosts.conf
sudo nano /opt/bitnami/apache2/conf/bitnami/bitnami-apps-vhosts.conf
Include "/opt/bitnami/apps/wordpress/conf/httpd-vhosts.conf"
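The per-domain VirtualHost pairs above are repetitive, and a copy-paste slip is how two hosts end up pinned to the same certificate again. The following script is an added example, not code from the original post or from Bitnami: it generates the pairs for a whole list of domains using the Bitnami paths shown above, and includes a check that reads a vhosts file and reports any certificate referenced by more than one VirtualHost. The domain names in the demo run are constructed sample input.

```shell
#!/bin/sh
# Added example, not code from the original post or from Bitnami: generate the
# per-domain VirtualHost pairs shown above for a whole list of domains, and
# check that no two HTTPS hosts are pinned to the same certificate.
# Paths follow the Bitnami layout used in this post; the domain names in the
# demo run are constructed sample input.

APACHE_CONF="/opt/bitnami/apache2/conf"
WP_DIR="/opt/bitnami/apps/wordpress"

# vhost_pair DOMAIN: print the :80 and :443 VirtualHost blocks for DOMAIN,
# with the :443 block using DOMAIN's own certificate and key symlinks.
vhost_pair() {
    domain="$1"
    cat <<EOF
<VirtualHost *:80>
    ServerName ${domain}
    ServerAlias *.${domain}
    DocumentRoot "${WP_DIR}/htdocs"
    Include "${WP_DIR}/conf/httpd-app.conf"
</VirtualHost>
<VirtualHost *:443>
    ServerName ${domain}
    ServerAlias *.${domain}
    DocumentRoot "${WP_DIR}/htdocs"
    SSLEngine on
    SSLCertificateFile "${APACHE_CONF}/${domain}.crt"
    SSLCertificateKeyFile "${APACHE_CONF}/${domain}.key"
    Include "${WP_DIR}/conf/httpd-app.conf"
</VirtualHost>

EOF
}

# vhosts_for DOMAIN...: print the complete httpd-vhosts.conf body.
vhosts_for() {
    for d in "$@"; do
        vhost_pair "$d"
    done
}

# shared_certs: read a vhosts config on stdin and print every certificate
# file referenced by more than one VirtualHost (correct output is empty).
shared_certs() {
    sed -n 's/^[[:space:]]*SSLCertificateFile[[:space:]]*"\([^"]*\)".*/\1/p' | sort | uniq -d
}

# With domain arguments the output can be redirected into httpd-vhosts.conf;
# without arguments a demo with constructed domains is printed.
if [ "$#" -gt 0 ]; then
    vhosts_for "$@"
else
    vhosts_for rapturezone.com example.org
fi
```

Usage: `sh gen-vhosts.sh rapturezone.com example.org > /opt/bitnami/apps/wordpress/conf/httpd-vhosts.conf`, then `shared_certs < httpd-vhosts.conf` (after sourcing the script) should print nothing; any path it does print is a certificate shared between domains, which is exactly what the separate-certificate setup is meant to avoid.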
Manually Add Cron Jobs to Renew Each Certificate
crontab -e
0 0 * * * sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="letsencrypt@rapturezone.com" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt --domains=rapturezone.com renew && sudo /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf -k graceful # bncert-autorenew
Add one such line per certificate, changing only the --domains value, which must name the domain the certificate was issued for. The whole job has to stay on a single line, because cron does not support line continuation. Running it every night is fine: lego's renew command only reissues a certificate when it is within its --days threshold of expiry (30 days by default).
Potential Problems
The next time you use sudo /opt/bitnami/bncert-tool to create a certificate for a new domain, the crontab will be wiped again and only the job for the newest certificate will remain.
You will need to add the jobs for all the previous certificates back in by hand, so save a copy of the crontab before each run.
Check wp-config.php as well: each run rewrites DOMAIN_CURRENT_SITE to the newest domain.
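Rebuilding the renewal jobs by hand after every bncert-tool run is error-prone, so here is an added example (not code from the original post or from Bitnami) that does it mechanically: it reads the crontab that bncert-tool left behind, keeps every existing line, and appends the renewal job shown above for each domain that has none, so it can be re-run safely. The lego command line is the one from the cron section; the domain list, the e-mail address and the sample crontab used in the demo are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from Bitnami: rebuild the
# crontab renewal jobs for every certificate after bncert-tool has replaced
# them with a job for only the newest one. The lego command line is the one
# shown in the cron section; the domain list, e-mail address and the sample
# crontab used in the demo are constructed assumptions.

LEGO="/opt/bitnami/letsencrypt/lego"
LE_PATH="/opt/bitnami/letsencrypt"
WEBROOT="/opt/bitnami/apps/letsencrypt"
HTTPD="/opt/bitnami/apache2/bin/httpd"
HTTPD_CONF="/opt/bitnami/apache2/conf/httpd.conf"

# renew_job DOMAIN EMAIL: print the daily renewal job for DOMAIN as a single
# line (cron has no line continuation, so the renew and the graceful restart
# must stay together on one line).
renew_job() {
    printf '0 0 * * * sudo %s --path %s --email="%s" --http --http-timeout 30 --http.webroot %s --domains=%s renew && sudo %s -f %s -k graceful # bncert-autorenew\n' \
        "$LEGO" "$LE_PATH" "$2" "$WEBROOT" "$1" "$HTTPD" "$HTTPD_CONF"
}

# merge_renew_jobs EMAIL DOMAIN...: read the current crontab on stdin and
# write it back with a renewal job appended for every DOMAIN that has none.
# Existing lines are kept untouched, so the merge is safe to repeat.
merge_renew_jobs() {
    email="$1"; shift
    current=$(cat)
    if [ -n "$current" ]; then
        printf '%s\n' "$current"
    fi
    for d in "$@"; do
        # the trailing space keeps "--domains=foo.com " from matching foo.com.au
        if ! printf '%s\n' "$current" | grep -qF -- "--domains=${d} "; then
            renew_job "$d" "$email"
        fi
    done
}

# count_renew_jobs: number of bncert-autorenew jobs in the crontab on stdin.
count_renew_jobs() {
    grep -c '# bncert-autorenew$' || true
}

# With arguments: EMAIL DOMAIN..., crontab on stdin, merged crontab on stdout.
# Without arguments: demo with a constructed crontab that bncert-tool has
# reduced to the newest domain's job, merged with the full domain list.
if [ "$#" -gt 0 ]; then
    merge_renew_jobs "$@"
else
    renew_job example.org letsencrypt@rapturezone.com |
        merge_renew_jobs letsencrypt@rapturezone.com rapturezone.com example.org
fi
```

Usage after a bncert-tool run, as the same user whose crontab it modified: `crontab -l | sh rebuild-renew.sh letsencrypt@rapturezone.com rapturezone.com example.org > /tmp/cron.new`, review /tmp/cron.new, then `crontab /tmp/cron.new`. Keeping the domain list in the command line (or a small file) means the crontab can be rebuilt the same way every time bncert-tool wipes it.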