An SSL certificate with several names seems to be the simplest solution. Here is an outline of one way to do it:
* Automate using https://github.com/srvrco/getssl to get certificates
* Let's Encrypt with one main domain; the other domains are treated as alternative names
Steps
1. Initialize configuration: getssl -c MAIN.DOMAIN
2. Change CA to production and set ACCOUNT_EMAIL in ~/.getssl/getssl.cfg
3. Enter SANS, ACL and RELOAD_CMD in ~/.getssl/MAIN.DOMAIN/getssl.cfg
   ACL is the path (publicly accessible via URL) used to verify your domains.
   It must have the same number of lines as the number of your domains.
   RELOAD_CMD can be: sudo nginx -s reload
   Let's say the current user is deploy. Use visudo to allow:
   deploy ALL=NOPASSWD:/usr/sbin/nginx
4. Get certificates: getssl MAIN.DOMAIN
5. Configure nginx to use the certificates in ~/.getssl/MAIN.DOMAIN
6. Automate renewal using cron:
   23 5 * * * /home/deploy/scripts/getssl -u -a -q