Apache mod_md: procedure for handling multiple VirtualHosts?

Issue

This content is from ServerFault. Question asked by EML.

I have a working setup for multiple virtual hosts on the same server, but there’s a problem: all the server’s SSL certificates are unnecessarily renewed, and moved, whenever a vhost is added.

In this setup, each vhost has a separate .conf file, and the host is individually enabled with a2ensite.

For 2 sites, this looks like:

MDomain foo.com
MDStoreDir /var/apache-md/foo.com
<VirtualHost *:443>
  ServerName foo.com
  DocumentRoot /var/www1
  ...
</VirtualHost>

and:

MDomain bar.com
MDStoreDir /var/apache-md/bar.com
<VirtualHost *:443>
  ServerName bar.com
  DocumentRoot /var/www2
  ...
</VirtualHost>

When I enable foo.com and reload Apache, I get a certificate in /var/apache-md/foo.com/domains/foo.com/pubcert.pem. So far, so good. But when I later enable bar.com, I now get 2 new sets of certificates, and end up with:

  1. /var/apache-md/foo.com/domains/foo.com/pubcert.pem
  2. /var/apache-md/bar.com/domains/foo.com/pubcert.pem
  3. /var/apache-md/bar.com/domains/bar.com/pubcert.pem

If I run

$ openssl s_client -connect foo.com:443 -prexit

I find that Apache is now serving certificate 2 for foo.com, not certificate 1. This is obviously not a good way to do this: it seems that every time I add a vhost all the certificates get renewed and are all stored in the location for the last host added.

I have also tried setting MDStoreDir to the same location (/var/apache-md) for all hosts, but I couldn’t get this to work. mod_md seems to check whether this directory exists. If it already exists, it won’t get a new certificate. Any ideas on how to best do this?

No idea which version of mod_md I’m using; there doesn’t seem to be a way to find out. It’s fairly recent (Apache 2.4.52 on Ubuntu 22.04).
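
An added audit script, not part of the ServerFault post and not from the mod_md project: it checks a sites-enabled directory for the layout the question describes. The assumption it encodes is that MDStoreDir is a server-config-scope directive (one certificate store for the whole server), so declaring it in every site file means only the last loaded value is in effect, and the other sites' certificates are then looked for, and re-obtained, in that one store. The script builds two constructed config directories, one mirroring the question's per-site MDStoreDir layout and one with a single server-wide store declared once, and reports conflicting values. The file names, paths and sample domains are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the ServerFault post or the mod_md project):
# audit a sites-enabled directory for conflicting MDStoreDir directives
# and count MDomain declarations.
# Assumption: MDStoreDir is a server-config-scope directive, so only one
# value can be in effect for the whole server (the last one loaded).

# Print the distinct MDStoreDir values found in all *.conf files of $1.
md_store_dirs() {
    grep -hE '^[[:space:]]*MDStoreDir[[:space:]]' "$1"/*.conf 2>/dev/null \
        | awk '{print $2}' | sort -u
}

# Return 0 when at most one distinct MDStoreDir is declared, 1 otherwise.
check_md_store_dirs() {
    n=$(md_store_dirs "$1" | wc -l | tr -d ' ')
    [ "$n" -le 1 ]
}

# Count MDomain directives in $1 (each one defines a managed domain set).
md_domain_count() {
    grep -hE '^[[:space:]]*MDomain[[:space:]]' "$1"/*.conf 2>/dev/null \
        | wc -l | tr -d ' '
}

# Build two constructed sites-enabled directories under a temp dir:
# "bad" mirrors the question (MDStoreDir repeated per site),
# "good" declares one server-wide store exactly once.
make_sample_confs() {
    base=$(mktemp -d)
    mkdir -p "$base/bad" "$base/good"
    for site in foo.com bar.com; do
        cat > "$base/bad/$site.conf" <<EOF
MDomain $site
MDStoreDir /var/apache-md/$site
<VirtualHost *:443>
  ServerName $site
  DocumentRoot /var/www/$site
</VirtualHost>
EOF
        cat > "$base/good/$site.conf" <<EOF
MDomain $site
<VirtualHost *:443>
  ServerName $site
  DocumentRoot /var/www/$site
</VirtualHost>
EOF
    done
    # One store for the whole server, declared in a single file
    # (leaving MDStoreDir at its default would also work).
    printf 'MDStoreDir /var/apache-md\n' > "$base/good/00-md.conf"
    echo "$base"
}

# Human-readable report for one config directory.
audit() {
    if check_md_store_dirs "$1"; then
        echo "$1: OK, single store: $(md_store_dirs "$1")"
    else
        echo "$1: conflicting MDStoreDir values (only the last loaded one takes effect):"
        md_store_dirs "$1" | sed 's/^/  /'
    fi
    echo "$1: $(md_domain_count "$1") MDomain declaration(s)"
}

SAMPLE=$(make_sample_confs)
audit "$SAMPLE/bad"
audit "$SAMPLE/good"
```

To run it against a live server, call `audit /etc/apache2/sites-enabled` instead of the constructed directories; a result of more than one distinct MDStoreDir is the condition to fix before the next a2ensite, and `apachectl -t -D DUMP_CONFIG` (or the md-status handler, if enabled) shows which store Apache actually ended up with.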


This question and answer are collected from ServerFault and are licensed under the terms of CC BY-SA 2.5, CC BY-SA 3.0, or CC BY-SA 4.0.
