Apache mod_md: procedure for handling multiple VirtualHosts?


This Content is from ServerFault. Question asked by EML

I have a working setup for multiple virtual hosts on the same server, but there’s a problem: all the server’s SSL certificates are unnecessarily renewed, and moved, whenever a vhost is added.

In this setup, each vhost has a separate .conf file, and the host is individually enabled with a2ensite.

For 2 sites, this looks like:

MDomain foo.com
MDStoreDir /var/apache-md/foo.com
<VirtualHost *:443>
  ServerName foo.com
  DocumentRoot /var/www1


MDomain bar.com
MDStoreDir /var/apache-md/bar.com
<VirtualHost *:443>
  ServerName bar.com
  DocumentRoot /var/www2

When I enable foo.com and reload Apache, I get a certificate in /var/apache-md/foo.com/domains/foo.com/pubcert.pem. So far, so good. But when I later enable bar.com, I now get 2 new sets of certificates, and end up with:

  1. /var/apache-md/foo.com/domains/foo.com/pubcert.pem
  2. /var/apache-md/bar.com/domains/foo.com/pubcert.pem
  3. /var/apache-md/bar.com/domains/bar.com/pubcert.pem

If I run

$ openssl s_client -connect foo.com:443 -prexit

I find that Apache is now serving certificate 2 for foo.com, not certificate 1. This is obviously not a good way to do this: it seems that every time I add a vhost all the certificates get renewed and are all stored in the location for the last host added.

I have also tried setting MDStoreDir to the same location (/var/apache-md) for all hosts, but I couldn’t get this to work. mod_md seems to check whether this directory exists. If it already exists, it won’t get a new certificate. Any ideas on how to best do this?

No idea which version of mod_md I’m using; there doesn’t seem to be a way to find out. It’s fairly recent (Apache 2.4.52 on Ubunut 22.04).


This question is not yet answered, be the first one who answer using the comment. Later the confirmed answer will be published as the solution.

This Question and Answer are collected from serverfault, is licensed under the terms of CC BY-SA 2.5. - CC BY-SA 3.0. - CC BY-SA 4.0.

people found this article helpful. What about you?