VirtualHosts and updating Let's Encrypt certs

NethServer Version: 7.6.1810 (final)
Module: Server Certificate

Hello Everyone!

I’m trying to confirm that Let’s Encrypt is actually updating my Virtual Host’s certificate, and I think it’s not doing it.

I have 5 VirtualHosts. When I run “config show pki” I get (trimmed output):


So it looks like it’s just updating one. In /var/log/letsencrypt/letsencrypt.log I see that cerbot runs only for

BTW, In “Server Certificate”, I have all the let’s encrypt certs, properly assigned to all Virtual Hosts. Firefox says the certificates are the right ones. In “Virtual Hosts”, the proper (let’s encrypt) certificate are chosen.

Is there any other configuration I have to do to update them?

Thanks for all your support and for making nethserver.


Have you seen the following description of Let’s encrypt installing?

But don’t forgot, it’s a template system, create a custom template for the vhost configuration.

Do your Virtual Hosts use a different certificate than the main server cert? And if so, why?

If HTTPS works on the virtual hosts, and you haven’t configured separate certificates for them, you can safely conclude that the main server cert covers them as well. If you want to confirm that, run certbot certificates and see what it says.

1 Like

Hmmm… I installed different certificates for different virtualhosts, because they are different clients or webpages. It makes sense to make one cert per vitualhost. Do you think it’s better to make one big certificate with all the fqdns and use it for all virtualhosts? Why?


It’s certainly simpler. One cert for everything, Neth renews it automatically, you’re good. It’s what I do, FWIW, but I’m not hosting for anyone but myself. The only real downside I see is that if a visitor to site1 actually views the certificate, they’ll see that it also covers site2 and site3. That doesn’t hurt anything, particularly, but it may expose information you don’t want to expose.

Now, if you wanted to use a EV cert for one of the virtual hosts, that would be a different issue–but the value of EV certs is highly questionable in any event.

Thanks. I read it. That blog entry describes how to install and configure let’s encrypt in CentOS 6 and 7, but it doesn’t say anything about doing it with Nethserver’s infrastructure (for example, about /usr/libexec/nethserver/letsencrypt-certs ). I think I have the idea of how to do it manually. What’s the best way to do it with Nethserver?

I find it weird to have one such big cert, but I’ll think about it. Maybe there’s nothing wrong with it and you’re right.


The only real issue is that management (adding or removing hostnames to/from the cert) is a little cumbersome with either the Neth server manager or certbot at the command line. If I use the server manager, I have to enter every hostname I want. If I use certbot, I need to feed it -d flags with every hostname I want. It seems you should be able to do something like certbot expand --cert-name -d new.hostname.tld and have new.hostname.tld added to the other FQDNs already on the cert–but it doesn’t work that way.

You can reduce the size of the cert by using wildcards, but those require DNS validation, which Neth doesn’t support through the GUI.

Perhaps the way of @mrmarkuz could help to understand how it is working:

It is not about the certificate, but changing the vost configuration for each vhost.

I think you can change the function to your needs

Thank you @m.traeumner . I think I found what I was looking for: there’s a systemd certbot-renew service that should renew all of them, and it seems enabled. I’m waiting for the certificates to be 61 days old, to see if they get updated by it. I’ll post my results for future references if it works.


1 Like