Jun 24, 2026

How to Set Up SSL for Multiple Domains on One Server

Author: CloudStick Team, Security Specialist

How SNI Makes Multiple SSL Certs Possible

Server Name Indication (SNI) is a TLS extension that allows the client to specify which domain it's connecting to during the TLS handshake — before any HTTP data is exchanged. Without SNI, a server could only present one certificate per IP address on port 443, because the TLS handshake happens before the HTTP Host header is sent. With SNI (supported by all modern browsers and TLS clients since 2010), the server inspects the requested hostname and presents the matching certificate for that domain. This means a single IP address can serve hundreds of domains, each with its own certificate.

TIP

Modern Nginx enables SNI by default. You don't configure SNI explicitly — it activates automatically when you define multiple server blocks on port 443, each with a different server_name and ssl_certificate.

Option 1: Separate Certificate per Domain

The simplest approach: issue one certificate per domain via Certbot, and create a separate Nginx server block for each. This is the default when you run certbot --nginx -d domain.com for each domain. Each certificate renews independently so a renewal failure on one domain doesn't affect others.

    # Issue certs for each domain separately
    sudo certbot certonly --webroot -w /var/www/site1 -d site1.com -d www.site1.com
    sudo certbot certonly --webroot -w /var/www/site2 -d site2.com -d www.site2.com

    # Nginx config — two server blocks on port 443
    server {
        listen 443 ssl http2;
        server_name site1.com www.site1.com;
        ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;
        root /var/www/site1;
    }
    server {
        listen 443 ssl http2;
        server_name site2.com www.site2.com;
        ssl_certificate /etc/letsencrypt/live/site2.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/site2.com/privkey.pem;
        root /var/www/site2;
    }

Option 2: One Multi-Domain SAN Certificate

A Subject Alternative Names (SAN) certificate covers multiple unrelated domains under one cert. Certbot accepts multiple -d flags to issue a single certificate covering all of them. The certificate will appear under the first domain's name in /etc/letsencrypt/live/. Note: Let's Encrypt allows up to 100 SANs per certificate. The trade-off is that all domains renew together — if renewal fails for any domain in the list, the whole cert fails to renew.

    # Issue one cert covering multiple unrelated domains
    sudo certbot certonly --webroot \
        -w /var/www/site1 -d site1.com -d www.site1.com \
        -w /var/www/site2 -d site2.com -d www.site2.com

    # Cert stored at /etc/letsencrypt/live/site1.com/
    # Both server blocks point to the same cert files

Option 3: Wildcard Certificate for Subdomains

If your multiple “domains” are actually subdomains of a single parent (e.g. client1.youragency.com, client2.youragency.com), a wildcard certificate (*.youragency.com) is the cleanest option. One certificate covers all present and future subdomains and renews as a single unit. The trade-off is that wildcard certificates require DNS-01 challenge validation, which means you need API access to your DNS provider at renewal time.
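An added example, not from the original article or CloudStick's code: with Options 2 and 3 several server blocks share one certificate, so any server_name the certificate does not list fails hostname validation in the client. This Python check compares each server_name with the SANs of the certificate its block points at; the config text, the SAN lists, the hostnames shop.site2.com and a.client1.youragency.com, and the function names are constructed for illustration, and it assumes flat server blocks with exact hostnames.

```python
import re

# Constructed sample config: flat server blocks (no nested location braces).
NGINX_CONF = """
server {
    listen 443 ssl http2;
    server_name site2.com www.site2.com shop.site2.com;
    ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
}
server {
    listen 443 ssl http2;
    server_name youragency.com client1.youragency.com a.client1.youragency.com;
    ssl_certificate /etc/letsencrypt/live/youragency.com/fullchain.pem;
}
"""

# Constructed SAN lists, as `openssl x509 -noout -ext subjectAltName` would report them.
CERT_SANS = {
    "/etc/letsencrypt/live/site1.com/fullchain.pem":
        ["site1.com", "www.site1.com", "site2.com", "www.site2.com"],
    "/etc/letsencrypt/live/youragency.com/fullchain.pem": ["*.youragency.com"],
}

def san_matches(san, host):
    """True if one SAN entry covers host. A wildcard stands for exactly one
    left-most label: *.example.com covers neither example.com nor a.b.example.com."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == san[2:]
    return san == host

def uncovered_names(conf, cert_sans):
    """Return (server_name, cert_path) pairs where the cert does not cover the name."""
    gaps = []
    for block in re.findall(r"server\s*\{(.*?)\}", conf, re.S):
        names = re.search(r"^\s*server_name\s+([^;]+);", block, re.M)
        cert = re.search(r"^\s*ssl_certificate\s+([^;\s]+)\s*;", block, re.M)
        if not (names and cert):
            continue  # not a TLS virtual host
        sans = cert_sans.get(cert.group(1), [])  # unknown cert path: nothing is covered
        for host in names.group(1).split():
            if not any(san_matches(s, host) for s in sans):
                gaps.append((host, cert.group(1)))
    return gaps

if __name__ == "__main__":
    for host, cert in uncovered_names(NGINX_CONF, CERT_SANS):
        print(f"NOT COVERED: {host} by {cert}")
```

Running a check like this before `nginx -s reload` catches a subdomain added to a server block but not to the certificate, and the two names a wildcard does not cover: the parent domain itself and anything more than one label deep.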

Managing Many Virtual Hosts in Nginx

At scale, keeping all virtual hosts in one nginx.conf becomes unmanageable. The standard practice is one config file per domain in /etc/nginx/sites-available/, symlinked to /etc/nginx/sites-enabled/. Nginx loads all configs from sites-enabled/ via the include /etc/nginx/sites-enabled/*; directive. To disable a site you remove the symlink without deleting the config file.

CloudStick: Unlimited Domains, One Panel

CloudStick abstracts all of the above. When you add a website on a CloudStick-managed server, the platform creates the Nginx virtual host configuration, issues a dedicated Let's Encrypt certificate for that domain, sets up the HTTP-to-HTTPS redirect, and configures auto-renewal — all without touching the command line. Adding 20 domains to a server takes 20 dashboard clicks, not 20 Certbot commands and 20 Nginx config edits. Each domain has its own certificate that renews independently, so a renewal hiccup on one site doesn't affect any other.
