DEV Community

rodit-org

Generate your Let's Encrypt Digital Certificates for all your domains using Apache

As someone who's dealt with their fair share of digital certificate headaches, I'm sharing a comprehensive guide to setting up and managing SSL/TLS certificates with Apache. You may actually use a different web server, but Apache seems to be the easiest way to achieve this. Once you are done, you just have to copy the generated certificates to the right directories in your web server of choice.

Initial DNS Setup

First, ensure all your domains point to your server:

# Create A records for each domain
domain1.com -> server_ip
www.domain1.com -> server_ip
domain2.com -> server_ip
www.domain2.com -> server_ip
domain3.com -> server_ip
www.domain3.com -> server_ip

Directory Structure

Create an organized directory structure that scales with multiple domains:

# Create base directories
sudo mkdir -p /var/www/domains
# Create individual domain directories
for domain in domain1.com domain2.com domain3.com; do
    sudo mkdir -p /var/www/domains/$domain/public_html
    sudo mkdir -p /var/www/domains/$domain/logs
    sudo chown -R $USER:$USER /var/www/domains/$domain
    sudo chmod -R 755 /var/www/domains/$domain
done

Virtual Host Configuration

Create separate virtual host files for each domain:

# Create configuration files
for domain in domain1.com domain2.com domain3.com; do
    sudo touch /etc/apache2/sites-available/$domain.conf
done

Template for each domain's virtual host (example for domain1.com):

# /etc/apache2/sites-available/domain1.com.conf
# Enable with: sudo a2ensite domain1.com && sudo systemctl reload apache2
# certbot --apache later generates the matching HTTPS (port 443) virtual host from this one.
<VirtualHost *:80>
    ServerAdmin webmaster@domain1.com
    ServerName domain1.com
    ServerAlias www.domain1.com
    DocumentRoot /var/www/domains/domain1.com/public_html
    ErrorLog /var/www/domains/domain1.com/logs/error.log
    CustomLog /var/www/domains/domain1.com/logs/access.log combined

    <Directory /var/www/domains/domain1.com/public_html>
        # Indexes enables directory listings; remove it unless you want browsable directories
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

Batch Certificate Management

Here's how to efficiently manage certificates for multiple domains:

# Install Certbot
sudo apt install certbot python3-certbot-apache

# Create a domains list file (one certificate per line, names separated by spaces)
echo "domain1.com www.domain1.com" > domains.txt
echo "domain2.com www.domain2.com" >> domains.txt
echo "domain3.com www.domain3.com" >> domains.txt

# Obtain certificates for all domains in one command.
# certbot expects each name behind a -d flag, so the flags are generated per line;
# every line of domains.txt becomes its own certificate (apex plus www as SANs).
# Add --non-interactive --agree-tos -m you@example.com to run this unattended.
while read -r names; do
    sudo certbot --apache $(printf -- '-d %s ' $names)
done < domains.txt

Automated Renewal Management

Create a renewal management script:

#!/bin/bash
# /usr/local/bin/cert-renew-manager.sh
# Run as root (e.g. from cron). certbot only renews certificates that are close to
# expiry, so running this daily is safe.

# Renew all certificates
certbot renew

# Check renewal status for each domain (reads the certificate file on disk)
for domain in domain1.com domain2.com domain3.com; do
    cert_path="/etc/letsencrypt/live/$domain/fullchain.pem"
    if [ -f "$cert_path" ]; then
        expiry_date=$(openssl x509 -enddate -noout -in "$cert_path" | cut -d= -f2)
        echo "Domain: $domain - Certificate expires: $expiry_date"
    else
        echo "Warning: No certificate found for $domain"
    fi
done

Batch Security Configuration

Apply security headers to all domains. Note that Strict-Transport-Security with includeSubDomains commits every subdomain to HTTPS, so enable it only once all subdomains are served over TLS:

# The Header directive needs mod_headers
sudo a2enmod headers

# Create a common security configuration
sudo tee /etc/apache2/conf-available/security-headers.conf << EOF
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
EOF

# Enable for all sites and apply
sudo a2enconf security-headers
sudo systemctl reload apache2

Monitoring and Maintenance

Create a monitoring script for multiple domains:

#!/bin/bash
# /usr/local/bin/cert-monitor.sh
# Needs a working local MTA for mail(1); run daily from cron.

domains=("domain1.com" "domain2.com" "domain3.com")
notification_email="admin@yourdomain.com"

for domain in "${domains[@]}"; do
    # Check the certificate actually served on :443 (with SNI), not the file on disk
    expiry=$(openssl s_client -connect "${domain}:443" -servername "${domain}" </dev/null 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)

    # An empty value means the TLS handshake failed; without this guard,
    # `date -d ""` silently yields today and the arithmetic below is wrong
    if [ -z "$expiry" ]; then
        echo "Warning: Could not retrieve certificate for $domain" | mail -s "Certificate Check Failed" "$notification_email"
        continue
    fi

    expiry_epoch=$(date -d "$expiry" +%s)
    current_epoch=$(date +%s)
    days_left=$(( (expiry_epoch - current_epoch) / 86400 ))

    if [ "$days_left" -lt 30 ]; then
        echo "Warning: Certificate for $domain expires in $days_left days" | mail -s "Certificate Expiry Warning" "$notification_email"
    fi
done
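The monitor above only works if the expiry date it pipes into date -d is really a date. As an added example, not code from the original post, here is the same check factored into a function that takes the raw notAfter line and a reference time, so the failure case and the thresholds can be exercised without a live server. It assumes GNU date (date -d), as on the Debian/Ubuntu systems where the post installs certbot; the check_domain wrapper and the 30-day threshold are choices made for this example.

```shell
#!/bin/bash
# Added example, not from the original post: classify a certificate's expiry from the
# "notAfter=..." line printed by `openssl x509 -noout -enddate`. An empty line (failed
# TLS handshake) is reported as UNKNOWN instead of being fed to `date -d ""`, which
# would silently evaluate to today. Assumes GNU date (date -d).

# classify_enddate <notAfter line> <warn_days> [now_epoch]
# Prints "<STATUS> <days_left>"; returns 0=OK, 1=WARN, 2=EXPIRED, 3=UNKNOWN.
classify_enddate() {
    local line="$1" warn_days="$2" now_epoch="${3:-$(date +%s)}"
    local expiry expiry_epoch days_left
    expiry="${line#notAfter=}"
    # No "notAfter=" prefix, or nothing after it: openssl printed no certificate
    if [ -z "$expiry" ] || [ "$expiry" = "$line" ]; then
        echo "UNKNOWN -"
        return 3
    fi
    expiry_epoch=$(date -d "$expiry" +%s 2>/dev/null) || { echo "UNKNOWN -"; return 3; }
    days_left=$(( (expiry_epoch - now_epoch) / 86400 ))
    if [ "$days_left" -lt 0 ]; then
        echo "EXPIRED $days_left"
        return 2
    elif [ "$days_left" -lt "$warn_days" ]; then
        echo "WARN $days_left"
        return 1
    fi
    echo "OK $days_left"
    return 0
}

# fetch_enddate <domain>: notAfter line of the certificate the host actually serves
# (same pipeline as the monitor script, with SNI); empty on connection failure.
fetch_enddate() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null
}

# check_domain <domain> <warn_days>: one status line per domain, e.g. "domain1.com: OK 62"
check_domain() {
    local result
    result=$(classify_enddate "$(fetch_enddate "$1")" "$2")
    echo "$1: $result"
}

# Usage: cert-check.sh domain1.com domain2.com ... (warn when under 30 days)
for d in "$@"; do
    check_domain "$d" 30
done
```

The exit status of classify_enddate lets a cron wrapper decide whether to alert, so the mail step from the monitor script can be attached to WARN, EXPIRED and UNKNOWN separately.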

Batch Testing

Create a comprehensive test script:

#!/bin/bash
# /usr/local/bin/cert-test.sh

# Test Apache configuration
sudo apache2ctl configtest

# Test SSL configuration for each domain
for domain in domain1.com domain2.com domain3.com; do
    echo "Testing SSL configuration for $domain"
    curl -sI https://$domain | head -n 1
    openssl s_client -connect ${domain}:443 -servername ${domain} </dev/null 2>/dev/null | openssl x509 -noout -dates
done

Recovery Procedures

Create a backup script for all certificates:

#!/bin/bash
# /usr/local/bin/cert-backup.sh
# Run as root: the archive contains private keys, so it is kept readable by root only.

backup_dir="/root/cert-backups/$(date +%Y%m%d)"
mkdir -p "$backup_dir"

# Backup all certificates and configurations (-a keeps permissions and the
# live/ -> archive/ symlinks that certbot relies on)
cp -a /etc/letsencrypt "$backup_dir/"
cp -a /etc/apache2/sites-available "$backup_dir/"

# Archive the backup; -C keeps the paths inside the tarball relative
tar -czf "$backup_dir.tar.gz" -C "$(dirname "$backup_dir")" "$(basename "$backup_dir")"
chmod 600 "$backup_dir.tar.gz"
rm -rf "$backup_dir"

Conclusion

Managing multiple domains requires more automation and organization, but with these scripts and structures in place, you can efficiently manage dozens of domains without increasing administrative overhead. Remember to:

  • Keep domain lists updated
  • Run regular batch tests
  • Maintain comprehensive backups
  • Monitor all domains systematically
  • Document any domain-specific configurations

This approach scales well whether you're managing a handful of domains or hundreds, while keeping your certificate management process clean and maintainable.
