Let's Encrypt: HTTP and HTTPS with Multiple Subdomains


Let's Encrypt provides a wonderful public service: a free, user-friendly infrastructure for generating, managing, verifying, and renewing digital certificates to enable HTTPS on websites.  Although my website does not involve the transmission of sensitive data like credit card numbers, personally identifiable information, or passwords, I thought it prudent to implement HTTPS, since my specialty is implementing secure technologies.  This article explains the lessons I learned when installing Let's Encrypt digital certificates on my Apache web server, which supports HTTP and HTTPS access to multiple subdomains.  The notes below should simplify the process of implementing Let's Encrypt digital certificates in a multi-subdomain environment.


Create Multiple Virtual Hosts - You need to create a VirtualHost for HTTP access AND a VirtualHost for each subdomain accessible via HTTPS.  IMPORTANT: Each VirtualHost definition must be placed in its own configuration file. The Let's Encrypt certbot will not operate correctly if multiple VirtualHosts are defined within a single configuration file. I defined three (3) VirtualHosts in three (3) different configuration files below. The httpd.conf file specifies the info.hueyise.com subdomain, the ssl.conf file specifies the www.hueyise.com subdomain, and the dummy.conf file specifies the hueyise.com subdomain.  The dummy.conf file serves no functional purpose within Apache (i.e., it does not cause Apache to open an unnecessary listening port on 999), but it is necessary (in conjunction with the httpd.conf and ssl.conf files) for certbot to successfully generate digital certificates for info.hueyise.com, www.hueyise.com, and hueyise.com.
Generate the Digital Certificate - The certbot utility allows you to generate a single digital certificate for multiple subdomains and guides you through the process of producing a Let's Encrypt certificate. I used the following command to generate a digital certificate for hueyise.com, www.hueyise.com, and info.hueyise.com. Go to the certbot website to learn the specific commands and instructions for your server's operating system and web server software.  You will need to understand how to generate certificates, where they are stored, how to configure your web server to use them, and how to automate the 90-day renewal process.
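As an added example (my own configuration, not the author's files, which the page does not reproduce), here are the three one-VirtualHost-per-file definitions described in the two steps above, followed by the certbot invocation I would use for the same three names. The file paths, DocumentRoot directories and Listen lines are assumptions in the RHEL/CentOS httpd layout; the port-999 dummy VirtualHost is my reading of the remark that dummy.conf does not open a listening port, so it deliberately has no matching Listen 999 directive. mod_ssl is assumed to be loaded.

```apache
# ---- /etc/httpd/conf/httpd.conf (tail): the single HTTP VirtualHost ----
# Assumed path. Only one port-80 VirtualHost exists, so every plain-HTTP
# request for any of the three names lands here.
Listen 80
<VirtualHost *:80>
    ServerName info.hueyise.com
    DocumentRoot /var/www/info
    ErrorLog logs/info_error.log
    CustomLog logs/info_access.log combined
</VirtualHost>

# ---- /etc/httpd/conf.d/ssl.conf: the HTTPS VirtualHost for www ----
Listen 443
<VirtualHost *:443>
    ServerName www.hueyise.com
    DocumentRoot /var/www/www
    SSLEngine on
    # These paths follow certbot's default layout: the lineage directory is
    # named after the first -d domain on the command line (hueyise.com).
    # When run with --apache, certbot writes these two directives itself.
    SSLCertificateFile    /etc/letsencrypt/live/hueyise.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/hueyise.com/privkey.pem
    ErrorLog logs/www_error.log
    CustomLog logs/www_access.log combined
</VirtualHost>

# ---- /etc/httpd/conf.d/dummy.conf: placeholder so certbot sees hueyise.com ----
# Assumption: bound to port 999 with no "Listen 999" anywhere, so Apache never
# opens that port, but certbot's Apache plugin still finds the ServerName.
<VirtualHost *:999>
    ServerName hueyise.com
    DocumentRoot /var/www/www
</VirtualHost>

# After "apachectl configtest" passes and httpd is reloaded, request one
# certificate covering all three names (assumed command, run as root):
#   certbot --apache -d hueyise.com -d www.hueyise.com -d info.hueyise.com
# Then prove the renewal path works long before the 90 days elapse:
#   certbot renew --dry-run
```

The dry run is the check worth keeping in a cron or systemd timer alongside the real renewal: it exercises the same HTTP-01 validation against the staging environment, so a redirect or firewall change that would break the real renewal shows up as an error immediately rather than as an expired certificate.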


Develop Website Access Conditions - Want to force all of your web traffic to HTTPS? Create Apache RewriteRules using the example below.  This configuration redirects all incoming HTTP traffic to HTTPS for each subdomain.  Google treats HTTP and HTTPS properties as distinct, so you will likely need to register a new HTTPS property if you use Google Webmaster Tools and redirect all web traffic to HTTPS.  IMPORTANT: Notice the RewriteRule for the .well-known URI.  The .well-known URI is used during the Let's Encrypt renewal process and MUST NOT BE redirected to HTTPS, or the renewal process will fail.
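The author's RewriteRules are not reproduced on the page, so this is an added example of my own: the port-80 VirtualHost with a rule set that passes the ACME challenge path through untouched and sends everything else to HTTPS. The ServerName, DocumentRoot and the placement in httpd.conf are assumptions; mod_rewrite must be loaded.

```apache
# Assumed: the only port-80 VirtualHost on this server (e.g. in httpd.conf).
# Being the only one, it is the default for every HTTP request, whichever of
# the three subdomains was asked for, so one rule set covers all of them.
<VirtualHost *:80>
    ServerName info.hueyise.com
    DocumentRoot /var/www/info

    RewriteEngine On

    # Rule 1: leave /.well-known/acme-challenge/ alone. "-" means no
    # substitution and [L] stops further rules, so the challenge file is
    # served from DocumentRoot over plain HTTP, which is what Let's Encrypt's
    # HTTP-01 validation requires. This rule must come before the redirect.
    RewriteRule ^/?\.well-known/acme-challenge/ - [L]

    # Rule 2: everything else gets a permanent redirect to the same host and
    # path over HTTPS. %{HTTP_HOST} preserves the requested subdomain.
    # The RewriteCond is redundant inside a port-80-only VirtualHost but
    # keeps the block safe if it is ever included in a shared config.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</VirtualHost>
```

Two checks after reloading Apache: a request such as curl -I http://info.hueyise.com/.well-known/acme-challenge/probe should come back 404 (served locally) rather than 301, and certbot renew --dry-run should complete without a validation error. One caveat on %{HTTP_HOST}: it echoes the client's Host header, so if a caching proxy sits in front of Apache a crafted request could get a redirect to a foreign host cached for other users; in that deployment, write one port-80 VirtualHost per subdomain with a fixed https://www.hueyise.com/-style target instead.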


https://www.hueyise.com