Updated: 2026-02-26 12:50
I generate one cert with Let's Encrypt on an Ubuntu box that I use as a reverse proxy (via
nginx).
I have only a single IP address, so I use a different port for each
service.
Nginx proxies access to SMG, GW-Web, Webaccess and Retain.
The cert is also copied to the Filr, GMS and GW-Web servers for direct use (e.g. I
didn't want to proxy all Filr or GMS traffic).
The cert I generate has:
Common Name: in.example.com
and these Subject Alt Names:
DNS Name in.example.com
DNS Name filr.example.com
DNS Name gwweb.example.com
DNS Name mobility.example.com
DNS Name retain.example.com
DNS Name smg.example.com
DNS Name webmail.example.com
So the one regularly renewing cert solves the SSL issue for 7 back-end services that all run on separate ports (directly or via proxy):
443 (GMS/mobility)
6443 (Webaccess)
7443 (GW-Web)
8443 (Filr)
20443 (SMG)
48443 (Retain)
Below are the files I use in the process.
Copy-LE-Certs-around.sh
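#!/bin/bash
# Certbot deploy hook: distribute the freshly renewed in.example.com certificate
# to the back-end servers that terminate TLS themselves (Filr, Mobility/GMS,
# Webaccess/GW-Web) and then reload or restart the services that use it.
#
# To activate this script, put it in the folder: /etc/letsencrypt/renewal-hooks/deploy
# (and make it executable). Certbot only runs deploy hooks after a successful renewal.
#
# Assumes key-based root SSH access from this host to "filr", "mobility" and "webmail".

# Abort on the first failure: without this a failed cd or scp would let the
# remaining commands run from the wrong directory / with stale files.
set -euo pipefail

# Certbot exports RENEWED_LINEAGE (the live/<name> directory) to deploy hooks;
# fall back to the fixed lineage so the script also works when run by hand.
LINEAGE="${RENEWED_LINEAGE:-/etc/letsencrypt/live/in.example.com}"

# Go to the current cert files (fullchain.pem, privkey.pem, cert.pem)
cd "$LINEAGE"

# --- Filr ---------------------------------------------------------------------
scp fullchain.pem root@filr:/vastorage/conf/certs/vachain.crt
scp privkey.pem   root@filr:/vastorage/conf/certs/vaserver.key
scp cert.pem      root@filr:/vastorage/conf/certs/vaserver.crt
# copycerts.sh (see below) builds the Jetty keystore on the Filr host and reboots it.
# The SSH session is torn down by that reboot, so ssh may exit non-zero even on
# success; report it but do not abort the remaining hosts.
ssh root@filr '/root/copycerts.sh' \
  || echo "warning: copycerts.sh on filr returned non-zero (expected if the host rebooted)" >&2

# --- Mobility/GMS ---------------------------------------------------------------
# Create a combo passwordless key+cert+chain file. It contains the private key, so
# build it in a private temp directory (umask 077 => 0600) rather than as a
# world-readable file left behind inside the certbot live/ directory.
umask 077
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
COMBO="$WORKDIR/mobility.pem"
cat privkey.pem fullchain.pem > "$COMBO"
scp "$COMBO" root@mobility:/var/lib/datasync/device/mobility.pem
scp "$COMBO" root@mobility:/var/lib/datasync/webadmin/server.pem
# Restart mobility server (or restart just the mobility/GMS services).
# As above, the reboot drops the SSH session, so tolerate a non-zero exit here.
ssh root@mobility 'reboot' \
  || echo "warning: reboot of mobility returned non-zero (expected when the host goes down)" >&2

# --- Webaccess + GW-Web (webmail host) -----------------------------------------
# Webaccess: Apache2 .conf is edited to use cert=mobility.pem (no separate key or CA chain needed).
scp "$COMBO" root@webmail:/etc/ssl/servercerts/mobility.pem
# GW-Web: overwrite the docker-expected certs with the same combined file.
# NOTE(review): this puts the private key inside server.crt as well as server.key;
# if the container accepts plain files, shipping fullchain.pem -> server.crt and
# privkey.pem -> server.key separately would be cleaner. Left as-is to preserve the
# known-working setup.
ssh root@webmail 'cp /etc/ssl/servercerts/mobility.pem /etc/ssl/servercerts/server.crt'
ssh root@webmail 'cp /etc/ssl/servercerts/mobility.pem /etc/ssl/servercerts/server.key'
# Restart Webaccess and GW-Web services
ssh root@webmail 'rcapache2 reload'
ssh root@webmail 'docker restart gwweb'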
copycerts.sh
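#!/bin/bash
# This lives on the Filr server in the /root folder and is run over SSH by the
# Let's Encrypt deploy hook after it has copied vaserver.crt / vaserver.key here.
# Create pfx format and copy it to keystore for port 9443 jetty use and restart server.

# Stop on the first error: previously a failed openssl conversion would still copy
# whatever old .p12 was lying around and reboot the server anyway.
set -euo pipefail

CERTDIR=/vastorage/conf/certs
# The original script copied to the bare relative name "keystore", which resolves
# against the caller's working directory (over SSH that is /root). The default
# keeps that behaviour; set KEYSTORE to the real Jetty keystore path to override.
KEYSTORE="${KEYSTORE:-keystore}"

# The intermediate .p12 contains the private key: create it readable by root only.
umask 077
# "changeit" is the stock Java keystore password; it just has to match what the
# Jetty configuration expects.
openssl pkcs12 -export \
  -out "$CERTDIR/vaserver.p12" \
  -in "$CERTDIR/vaserver.crt" \
  -inkey "$CERTDIR/vaserver.key" \
  -password pass:changeit

/bin/cp -f "$CERTDIR/vaserver.p12" "$KEYSTORE"
reboot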
# NGINX default website on aka: /etc/nginx/sites-available/default
# SMG (on port 20443)
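server {
    # SMG reverse proxy: clients connect to :20443 on this host, nginx forwards to
    # the SMG appliance on its own :443. nginx does not verify the upstream
    # certificate by default (proxy_ssl_verify off), so the hop relies on the LAN.
    # Note: port 80 is not needed for certbot or the applications, but one could open it here if desired
    # listen 80 ;
    server_name smg.example.com;
    location / {
        # fetch content from :443 but listen (below) on :20443
        proxy_pass https://192.168.0.3:443/;
        proxy_buffering off;
        # Pass the real client address and scheme through. X-Forwarded-For/-Proto
        # are what most applications and log formats look for; X-Real-IP is kept
        # for anything already configured to read it.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    listen 20443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/in.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/in.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}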
# GW-WEB (on port 7443)
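server {
    # GW-Web reverse proxy: :7443 here -> :7443 on the webmail host.
    # Upstream TLS is not verified (nginx default proxy_ssl_verify off).
    server_name webmail.example.com;
    location / {
        proxy_pass https://192.168.0.30:7443/;
        proxy_buffering off;
        # Pass the real client address and scheme through; X-Real-IP kept for
        # anything already configured to read it.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Optional extra gate in front of the application (uncomment to enable):
        # auth_basic "Access code required";
        # auth_basic_user_file /etc/nginx/.htpasswd;
    }
    listen 7443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/in.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/in.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}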
# Webaccess (on port 6443)
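server {
    # Webaccess reverse proxy: :6443 here -> :6443 on the webmail host.
    # Upstream TLS is not verified (nginx default proxy_ssl_verify off).
    server_name webmail.example.com;
    location / {
        proxy_pass https://192.168.0.30:6443/;
        proxy_buffering off;
        # Pass the real client address and scheme through; X-Real-IP kept for
        # anything already configured to read it.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Optional extra gate in front of the application (uncomment to enable):
        # auth_basic "Access code required";
        # auth_basic_user_file /etc/nginx/.htpasswd;
    }
    listen 6443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/in.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/in.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}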
# Retain (on port 48443)
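server {
    # Retain reverse proxy: TLS terminates here on :48443; the backend is reached
    # over plain HTTP on :48080, so that leg is only as private as the LAN.
    server_name retain.example.com;
    location / {
        proxy_pass http://192.168.0.7:48080/;
        proxy_buffering off;
        # Pass the real client address and scheme through. X-Forwarded-Proto
        # matters here in particular: the backend sees plain http and needs it to
        # know the client connection was https.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    listen 48443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/in.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/in.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}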