I like to use acme.sh for certificate generation, as it is just a shell script that relies on basic Linux utilities to get everything set up, instead of Python and all the dependencies certbot pulls in. I use nginx as my web server but prefer to edit the config files myself rather than let the certificate tool change them automatically, so I also use the standalone method.

Install as root (note: don't run this as a single sudo command; $HOME will not change to /root under the normal sudo configuration for Debian). This also installs a cron job for root that renews the certs automatically in the future.

sudo -s
apt install socat # acme.sh requires this to launch a standalone web server
curl https://get.acme.sh | sh
source ~/.bashrc # acme.sh makes its command available via .bashrc, but this won't take effect until you log in again or source it like this

Issue the certs with the standalone web server. We stop nginx beforehand, as the standalone server needs port 80 free.

acme.sh --issue --standalone -d sub1.xoce.kim -d sub2.xoce.kim -d sub3.xoce.kim --pre-hook "systemctl stop nginx"

Install the key for all subdomains into /etc/ssl/private and the full chain into /etc/ssl/certs, and restart the web server for the changes to take effect.

acme.sh --install-cert --key-file /etc/ssl/private/mydomains.key --fullchain-file /etc/ssl/certs/mydomains.pem -d sub1.xoce.kim -d sub2.xoce.kim -d sub3.xoce.kim --reloadcmd "systemctl restart nginx"

Now set up the web server config to use SSL. Here is a simple nginx config with HTTP to HTTPS redirection:

server {
	listen 80;
	server_name sub3.xoce.kim;
	return 301 https://$server_name$request_uri;
}

server {
	server_name sub3.xoce.kim;
	listen 443 ssl;
	ssl_certificate /etc/ssl/certs/mydomains.pem;
	ssl_certificate_key /etc/ssl/private/mydomains.key;

	location / {
		root /var/www/html;
	}
}

Restart the web server and we are done:

systemctl restart nginx
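
To confirm what the steps above left on disk, here is a small set of post-install checks. This is an added example, not part of the original post or of acme.sh; the function names are hypothetical, and it assumes GNU stat and the openssl command-line tool are installed.

```shell
#!/bin/sh
# Added example: post-install checks for the files written by --install-cert.

# The private key must not be accessible to group or others (mode ends in 00).
key_mode_ok() {
    case "$(stat -c '%a' "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# The leaf (first) certificate in the fullchain file must carry the key's public half.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# openssl prints "does match" or "does NOT match"; its exit status alone is not enough.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# True if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Usage: check_install KEY FULLCHAIN MIN_DAYS DOMAIN...
# Prints one line per failed check and returns the number of failures.
check_install() {
    key=$1 chain=$2 days=$3; shift 3
    fails=0
    key_mode_ok "$key" || { echo "FAIL: $key is group/world accessible"; fails=$((fails+1)); }
    key_matches_cert "$key" "$chain" || { echo "FAIL: key does not match certificate"; fails=$((fails+1)); }
    cert_valid_for_days "$chain" "$days" || { echo "FAIL: expires within $days days"; fails=$((fails+1)); }
    for d in "$@"; do
        cert_covers "$chain" "$d" || { echo "FAIL: certificate does not cover $d"; fails=$((fails+1)); }
    done
    return "$fails"
}

# On the server from this post (as root):
# check_install /etc/ssl/private/mydomains.key /etc/ssl/certs/mydomains.pem 7 \
#     sub1.xoce.kim sub2.xoce.kim sub3.xoce.kim
```

A non-zero return after a renewal usually means the cron job renewed the cert but the files nginx reads were not updated, which is what the --install-cert step is there to prevent.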