As someone who's dealt with their fair share of digital certificate headaches, I'm sharing a comprehensive guide to setting up and managing SSL/TLS certificates with Apache. You may well run a different web server, but Apache is the easiest way to get the certificates issued; once you are done, copy the generated certificates to the right directories for your web server of choice.
Initial DNS Setup
First, ensure all your domains point to your server. Certbot's Apache plugin proves control of each name over plain HTTP (the HTTP-01 challenge), so every A record must resolve to the host that will answer on port 80 before any certificate is requested:
```text
# Create A records for each domain
domain1.com -> server_ip
www.domain1.com -> server_ip
domain2.com -> server_ip
www.domain2.com -> server_ip
domain3.com -> server_ip
www.domain3.com -> server_ip
```
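As an added pre-flight check (not part of the original post), the script below confirms each name resolves to your server before you request certificates; it assumes the domains.txt format introduced under Batch Certificate Management (one line per certificate, names separated by spaces) and takes the server's public IP as an argument.

```shell
#!/bin/bash
# dns-preflight.sh: confirm every name we will request a certificate for resolves to
# this server. Added example; the domains.txt layout and the IP argument are assumptions.

# dns_points_to NAME IP -> 0 if IP is among the addresses NAME resolves to.
# getent ahosts uses the system resolver, so /etc/hosts entries count too.
dns_points_to() {
    getent ahosts "$1" | awk '{print $1}' | grep -qxF "$2"
}

# check_domains_file FILE IP -> prints one OK/MISSING line per name and returns the
# number of names that do not point at IP (0 means it is safe to run certbot)
check_domains_file() {
    local file="$1" ip="$2" names name bad=0
    while read -r names; do
        for name in $names; do
            if dns_points_to "$name" "$ip"; then
                echo "OK      $name -> $ip"
            else
                echo "MISSING $name does not resolve to $ip"
                bad=$((bad + 1))
            fi
        done
    done < "$file"
    return "$bad"
}

# Usage: dns-preflight.sh domains.txt 203.0.113.10
if [ "$#" -eq 2 ]; then
    check_domains_file "$1" "$2" && echo "All names point here; safe to request certificates"
fi
```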
Directory Structure
Create an organized directory structure that scales with multiple domains:
```bash
# Create base directories
sudo mkdir -p /var/www/domains

# Create individual domain directories (web root plus per-domain logs)
for domain in domain1.com domain2.com domain3.com; do
    sudo mkdir -p /var/www/domains/$domain/public_html
    sudo mkdir -p /var/www/domains/$domain/logs
    sudo chown -R "$USER:$USER" /var/www/domains/$domain
    sudo chmod -R 755 /var/www/domains/$domain
done
```
Virtual Host Configuration
Create separate virtual host files for each domain:
```bash
# Create configuration files
for domain in domain1.com domain2.com domain3.com; do
    sudo touch /etc/apache2/sites-available/$domain.conf
done
```
Template for each domain's virtual host (example for domain1.com):
```apache
<VirtualHost *:80>
    ServerAdmin webmaster@domain1.com
    ServerName domain1.com
    ServerAlias www.domain1.com
    DocumentRoot /var/www/domains/domain1.com/public_html
    ErrorLog /var/www/domains/domain1.com/logs/error.log
    CustomLog /var/www/domains/domain1.com/logs/access.log combined
    <Directory /var/www/domains/domain1.com/public_html>
        # "Indexes" serves a directory listing wherever no index file exists; drop it unless you need that
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
```
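The touch loop above only creates empty files; the added script below (not from the original post) fills each one from the template, assuming the /var/www/domains/<domain> layout of this guide and leaving Indexes out so no directory listings are served.

```shell
#!/bin/bash
# gen-vhosts.sh: write one vhost file per domain from the template above.
# Added example, not from the original post; it assumes the /var/www/domains/<domain>
# layout of this guide and omits "Indexes" so Apache never serves directory listings.

# gen_vhost DOMAIN OUTDIR -> writes OUTDIR/DOMAIN.conf and prints its path
gen_vhost() {
    local domain="$1" outdir="$2"
    local root="/var/www/domains/$domain"
    local conf="$outdir/$domain.conf"
    cat > "$conf" <<EOF
<VirtualHost *:80>
    ServerAdmin webmaster@$domain
    ServerName $domain
    ServerAlias www.$domain
    DocumentRoot $root/public_html
    ErrorLog $root/logs/error.log
    CustomLog $root/logs/access.log combined
    <Directory $root/public_html>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
EOF
    echo "$conf"
}

# check_vhost FILE DOMAIN -> 0 when FILE carries the expected ServerName and www alias
check_vhost() {
    grep -q "^ *ServerName $2\$" "$1" && grep -q "^ *ServerAlias www\.$2\$" "$1"
}

# Usage: sudo gen-vhosts.sh /etc/apache2/sites-available domain1.com domain2.com ...
# Afterwards a2ensite each file and reload Apache: certbot finds vhosts by ServerName.
if [ "$#" -ge 2 ]; then
    outdir="$1"; shift
    for domain in "$@"; do
        conf=$(gen_vhost "$domain" "$outdir")
        check_vhost "$conf" "$domain" && echo "wrote $conf"
    done
fi
```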
Batch Certificate Management
Here's how to efficiently manage certificates for multiple domains:
```bash
# Install Certbot and its Apache plugin
sudo apt install certbot python3-certbot-apache

# Create a domains list file: one line per certificate, names separated by spaces
echo "domain1.com www.domain1.com" > domains.txt
echo "domain2.com www.domain2.com" >> domains.txt
echo "domain3.com www.domain3.com" >> domains.txt

# Obtain certificates for all domains in one command. Certbot takes names via -d,
# not as bare arguments; one certbot run per line keeps each certificate under
# /etc/letsencrypt/live/<first name on the line>/, which the scripts below rely on.
while read -r names; do
    args=""
    for name in $names; do args="$args -d $name"; done
    sudo certbot --apache $args
done < domains.txt
```
Automated Renewal Management
Create a renewal management script:
```bash
#!/bin/bash
# /usr/local/bin/cert-renew-manager.sh
# Run as root (e.g. from cron). The Debian/Ubuntu certbot package already installs a
# systemd timer that runs "certbot renew" periodically, so this call is a harmless extra.

# Renew all certificates that are within 30 days of expiry
certbot renew

# Check renewal status for each domain
for domain in domain1.com domain2.com domain3.com; do
    cert_path="/etc/letsencrypt/live/$domain/fullchain.pem"
    if [ -f "$cert_path" ]; then
        expiry_date=$(openssl x509 -enddate -noout -in "$cert_path" | cut -d= -f2)
        echo "Domain: $domain - Certificate expires: $expiry_date"
    else
        echo "Warning: No certificate found for $domain"
    fi
done
```
Batch Security Configuration
Apply security headers to all domains:
# Create a common security configuration
```bash
# Create a common security configuration
sudo tee /etc/apache2/conf-available/security-headers.conf << EOF
# HSTS: browsers treat the site as HTTPS-only for one year (31536000 s). Keep
# includeSubDomains only if every subdomain already serves HTTPS.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
EOF

# The Header directive needs mod_headers; then enable the snippet for all sites and reload
sudo a2enmod headers
sudo a2enconf security-headers
sudo systemctl reload apache2
```
Monitoring and Maintenance
Create a monitoring script for multiple domains:
```bash
#!/bin/bash
# /usr/local/bin/cert-monitor.sh
# Checks the certificate each domain actually serves (not the file on disk) and mails a
# warning when it expires within 30 days or cannot be fetched at all.
domains=("domain1.com" "domain2.com" "domain3.com")
notification_email="admin@yourdomain.com"

for domain in "${domains[@]}"; do
    expiry=$(openssl s_client -connect "${domain}:443" -servername "${domain}" </dev/null 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2)
    # An empty date means the TLS handshake failed; without this check "date -d ''"
    # would silently yield today and the script would report 0 days left
    if [ -z "$expiry" ]; then
        echo "Error: Could not retrieve certificate for $domain" | mail -s "Certificate Check Failed" "$notification_email"
        continue
    fi
    expiry_epoch=$(date -d "$expiry" +%s)
    current_epoch=$(date +%s)
    days_left=$(( (expiry_epoch - current_epoch) / 86400 ))
    if [ "$days_left" -lt 30 ]; then
        echo "Warning: Certificate for $domain expires in $days_left days" | mail -s "Certificate Expiry Warning" "$notification_email"
    fi
done
```
Batch Testing
Create a comprehensive test script:
```bash
#!/bin/bash
# /usr/local/bin/cert-test.sh

# Test Apache configuration syntax before touching anything else
sudo apache2ctl configtest

# Test SSL configuration for each domain: HTTP status line, then the served certificate's validity window
for domain in domain1.com domain2.com domain3.com; do
    echo "Testing SSL configuration for $domain"
    curl -sI "https://$domain" | head -n 1
    openssl s_client -connect "${domain}:443" -servername "${domain}" </dev/null 2>/dev/null | openssl x509 -noout -dates
done
```
Recovery Procedures
Create a backup script for all certificates:
```bash
#!/bin/bash
# /usr/local/bin/cert-backup.sh
# Run as root: /etc/letsencrypt holds private keys and /root is not writable otherwise.
# umask 077 keeps the staging directory and the archive readable by root only.
umask 077
backup_dir="/root/cert-backups/$(date +%Y%m%d)"
mkdir -p "$backup_dir"

# Backup all certificates and configurations (-a preserves ownership, modes and the
# live/ -> archive/ symlinks certbot relies on)
cp -a /etc/letsencrypt "$backup_dir/"
cp -a /etc/apache2/sites-available "$backup_dir/"

# Archive the backup and remove the staging directory
tar -czf "$backup_dir.tar.gz" -C "$(dirname "$backup_dir")" "$(basename "$backup_dir")"
rm -rf "$backup_dir"
```
Conclusion
Managing multiple domains requires more automation and organization, but with these scripts and structures in place, you can efficiently manage dozens of domains without increasing administrative overhead. Remember to:
- Keep domain lists updated
- Run regular batch tests
- Maintain comprehensive backups
- Monitor all domains systematically
- Document any domain-specific configurations
This approach scales well whether you're managing a handful of domains or hundreds, while keeping your certificate management process clean and maintainable.