Letsencrypt for multiple domains on Nginx

Posted September 10, 2016
Ubuntu, Let's Encrypt

I have an Nginx server set up with virtual hosts. There are many domains hosted, all running WordPress websites. Is there any tutorial available to implement Letsencrypt on Nginx virtual hosts? I want to keep all my websites running perfectly. Please share.

4 answers

The SSL certificate needs to contain several names in the SubjectAltName certificate field; for example, you might want to have and domains. Note the SubjectAltName field length is limited, to about 1000 characters IIRC.

If you’re using Let’s Encrypt (as is the case in the nginx tutorial @kamaln7 referred to), then you can generate an SSL certificate for the domains.

sudo letsencrypt certonly -a webroot --webroot-path=/var/www/default/html/ -d -d

Update /etc/nginx/sites-available/ and /etc/nginx/sites-available/ accordingly. A /etc/nginx/sites-available/default is not needed. See the diff:

server {                                                        server {
  listen 80;                                                      listen 80;
  listen [::]:80;                                                 listen [::]:80;
  server_name;                                    |   server_name;
  return 301 https://$server_name$request_uri;                    return 301 https://$server_name$request_uri;
}                                                               }
server {                                                        server {
  server_name;                                    |   server_name;
  listen 443 ssl http2;                                           listen 443 ssl http2;
  listen [::]:443 ssl http2;                                      listen [::]:443 ssl http2;

  ssl_certificate /etc/letsencrypt/live/default/fullchain.pem     ssl_certificate /etc/letsencrypt/live/default/fullchain.pem
  ssl_certificate_key /etc/letsencrypt/live/default/privkey.p     ssl_certificate_key /etc/letsencrypt/live/default/privkey.p
  include snippets/ssl-params.conf;                               include snippets/ssl-params.conf;

  root /var/www/;                             |   root /var/www/;
  index index.php                                                 index index.php 
  location / {                                                    location / {
    try_files $uri $uri/ /index.html =404;                          try_files $uri $uri/ /index.html =404;
    autoindex on;                                                   autoindex on;
  }                                                               }
  location ~ /.well-known {                                       location ~ /.well-known {
    allow all;                                                      allow all;
  }                                                               }
  location ~ \.php$ {                                             location ~ \.php$ {
    include snippets/fastcgi-php.conf;                              include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/var/run/php5-fpm.sock;                       fastcgi_pass unix:/var/run/php5-fpm.sock;
  }                                                               }
}                                                               }
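Review bot: both columns point at the same /etc/letsencrypt/live/default/ certificate, so the second server block only validates if that one certificate's SubjectAltName also lists its server_name (the single certonly run above with one -d per domain); a certificate issued for only the first name gives the second site a name-mismatch error in the browser. The `autoindex on;` inside `location /` in both columns enables directory listings for any directory without an index file, which exposes file names under the WordPress root, so drop it unless listings are wanted. Also, the `ssl_certificate` and `ssl_certificate_key` lines are cut off at the column boundary (no terminating `;`, and `privkey.p`), so do not copy them from this rendering.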

Note the folder that contains the SSL certificates, /etc/letsencrypt/live/default/. You may need to rename the folders that letsencrypt generated.

  • Hi - Thanks for providing this. It raises a question as I see this path


    I am able to create this, but it won’t be an actual website folder. I am guessing it’s a utility?

    Could I use anything such as --webroot-path=/var/www/default/

  • I also felt that this part of the tutorial mentioned was not clear:

    location ~ /.well-known {
        allow all;
    }

    Do we need to do this?
    cd ~/
    mkdir .well-known

    root@lany:~# cd ~/
    root@lany:~# pwd

    Thanks for any clarification.

  • Thanks. Very helpful!!!!
    To clarify one thing I had to figure out: the location of --webroot-path should be where you indiscriminately serve static files from.

    The cert tool will put a file in there and try to hit it to prove you own this domain. Ex: your site is called, and your static files are served from ~/mysite/static,
    say --webroot-path=~/mysite/static
    Certbot will create a test file at ~/mysite/static/testcaniloadthis.txt and attempt to hit

    If they can load it then you will get your certs.


Let’s Encrypt is very simple to set up with Nginx. This tutorial will walk you through all the necessary steps to do that.

It is, however, written for setups where there is only one server block present. So, if you replace /etc/nginx/sites-available/default with the correct path for each server block, you should be fine.

At the end of Step 2, a Diffie-Hellman group is generated. Because it is shared between all server blocks, you only need to perform that step once.

by Mitchell Anicas
In this tutorial, we will show you how to use Let's Encrypt to obtain a free SSL certificate and use it with Nginx on Ubuntu 16.04. We will also show you how to automatically renew your SSL certificate. If you're running a different web server, simply follow your web server's documentation to learn how to use the certificate with your setup.
  • This is a great tutorial, however, his question isn’t how to do encrypt with one domain, but more than one. It’s not sufficient to have multiple blocks in /etc/nginx/sites-available/ because one site is valid, but another won’t be (even if it was before). The problem is NET::ERR_CERT_AUTHORITY_INVALID occurs in one of the domains.

I know this is an old post, but if anyone comes and sees it, @sunapi386 is completely correct about the certonly and webroot commands. If you are interested in how to do it for multiple domains located in different paths, there is a nice example in the certbot user guide.

Hi, I had trouble with this situation. I have followed @kamaln7's suggestion, but one of my domains can't be accessed because the certificate belongs to my other domain.
How are the server blocks for each domain? Is there any difference in listen 443 ssl http2?
I use this in both:

listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
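An added example for this thread (not code from any of the answers above): it pulls every server_name out of the nginx site configs, emits the single certonly command with one -d per name as in the first answer, and checks a certificate's SubjectAltName against that list to flag the vhost that fails the way the last post describes (one domain served with the other domain's certificate). The sample config and certificate dict are constructed; fetch_cert is a network helper for checking a live server.

```python
import re
import socket
import ssl

# Constructed sample: two nginx site files with the vhosts from this thread's scenario.
SAMPLE_CONFIG = """\
server { listen 443 ssl http2; server_name example.com www.example.com; }
server { listen 443 ssl http2; server_name blog.example.net; }
"""
# Constructed sample in the dict shape ssl.getpeercert() returns: a certificate
# issued for the first vhost only, the situation in the last post above.
SAMPLE_CERT = {"subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"))}

SERVER_NAME_RE = re.compile(r"\bserver_name\s+([^;]+);")

def server_names(config_text):
    """Every hostname listed by a server_name directive, deduplicated, in file order."""
    names = []
    for match in SERVER_NAME_RE.finditer(config_text):
        for name in match.group(1).split():
            if name != "_" and name not in names:
                names.append(name)
    return names

def certbot_command(names, webroot="/var/www/default/html/"):
    """The single certonly call from the first answer, with one -d flag per hostname."""
    return ("sudo letsencrypt certonly -a webroot --webroot-path=" + webroot
            + "".join(" -d " + n for n in names))

def san_matches(hostname, san):
    """Exact match, or a *.suffix wildcard that covers exactly one leftmost label."""
    if san.startswith("*."):
        return ".".join(hostname.lower().split(".")[1:]) == san[2:].lower()
    return hostname.lower() == san.lower()

def uncovered_names(names, cert):
    """Server names the certificate's SubjectAltName does not cover: these vhosts
    would get a name-mismatch error in the browser."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [n for n in names if not any(san_matches(n, s) for s in sans)]

def fetch_cert(hostname, port=443):
    """Leaf cert nginx serves for this SNI name (network; not run by the test). Chain
    verification stays on; only the hostname check is skipped so a mismatch is returned."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

Run `uncovered_names(server_names(config), fetch_cert(name))` for each vhost to see which server block is being served with a certificate that does not list its name.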