Add a second domain to a Let's Encrypt certificate or get a new certificate with 2 domains

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

== I have removed the template here because my problem can't be described within it. I didn't run any commands and didn't get any errors ==

My domain name is: www.badianyihou.com
I have installed a Let's Encrypt certificate with this domain name to the server (using dokku letsencrypt plugin) and it works just fine. The website is opened and a secure connection is established.

Now I need to point another domain (www.mnnqdbk.xyz) to the same server, so I added this line to the DNS settings of the new domain:

Host  Type  Line(ISP)  Value         TTL           Status
zfw   A     Default    106.15.78.88  10 minute(s)  Normal

Now when I try to visit www.mnnqdbk.xyz I get a warning:
The identity of this website has not been verified. Server's certificate does not match the URL.

This is true because my certificate only has 1 domain www.badianyihou.com

As I understand, I need to either get a new SSL certificate (probably a paid one) and add 2 domains there or somehow upgrade the current certificate (not sure if this is possible).

Please tell me what is the right thing to do for me. And give more details on how to do it.
For example, if I need to get a new certificate for 2 domains, please tell me whether this is doable through dokku letsencrypt plugin (so that I can enjoy the autorenewal with cron jobs).
Any details will be appreciated, thanks in advance!

1 Like

Why would you think you'd have to pay for your new certificate?

Changing an already existing certificate is technically the same as getting a new certificate. Definitions as "upgrade" or even "renewal" are just man-made terms meant to resemble some kind of similarity between a previous certificate and a brand new certificate. A CA might have different policy between "totally new", "updates" or "renewal" based on certain contents of a certificate (mostly the subject alternative names or perhaps the keypair of the cert), but technically every certificate is newly signed and newly issued.

You can either create a new certificate just for www.mnnqdbk.xyz (and possibly also add mnnqdbk.xyz if you like) or add your new domain name to the already existing certificate, so the certificate contains both domains. It really is up to you what you think is "better" in this case. Personally, I include all subdomains of a single domain into one certificate and generate a new certificate for other domains. But it's also perfectly fine to add all hostnames into a single certificate. Whatever floats your boat.

I really have no idea what "dokku" is, let alone how the "dokku letsencrypt" plugin works. I also haven't seen that command around much (if ever?) on this Community, so chances are great nobody here has any experience with it. Doesn't the plugin have any documentation online on how to add/remove domains to a certificate or get a new certificate? How did you set it up in the first place?

It seems there are already multiple certificates issued for crt.sh | www.mnnqdbk.xyz. Did you do that or was that from a previous owner of the domain name?

Also, currently when I go to www.mnnqdbk.xyz and ignore the TLS error, I'm getting the same site contents as your other domain. Is that intentional? Or are the sites supposed to serve different content? Maybe your dokku apps need to be properly set up first?

3 Likes

Hey, thanks for your reply! It made me understand what needs to be done. I added www.mnnqdbk.xyz to the dokku app's domains and renewed the certificate. It seems to have worked well; here are the logs of renewing the certificate:

root@iZuf6d553vzl5isdk61egyZ:~# dokku letsencrypt:enable zfw-rails
=====> Enabling letsencrypt for zfw-rails
-----> Enabling ACME proxy for zfw-rails...
Reloading nginx configuration (via systemctl): nginx.service.
-----> Getting letsencrypt certificate for zfw-rails...
- Domain 'badianyihou.com'
- Domain 'www.badianyihou.com'
- Domain 'mnnqdbk.xyz'
- Domain 'www.mnnqdbk.xyz'
2021/12/23 13:13:33 No key found for account info@badianyihou.com. Generating a P256 key.
2021/12/23 13:13:33 Saved key to /certs/accounts/acme-v02.api.letsencrypt.org/info@badianyihou.com/keys/info@badianyihou.com.key
2021/12/23 13:13:34 [INFO] acme: Registering account for info@badianyihou.com
!!!! HEADS UP !!!!

   Your account credentials have been saved in your Let's Encrypt
   configuration directory at "/certs/accounts".
   
   You should make a secure backup of this folder now. This
   configuration directory will also contain certificates and
   private keys obtained from Let's Encrypt so making regular
   backups of this folder is ideal.
2021/12/23 13:13:35 [INFO] [badianyihou.com, www.badianyihou.com, mnnqdbk.xyz, www.mnnqdbk.xyz] acme: Obtaining bundled SAN certificate
2021/12/23 13:13:36 [INFO] [badianyihou.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/61254476370
2021/12/23 13:13:36 [INFO] [mnnqdbk.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/61254476380
2021/12/23 13:13:36 [INFO] [www.badianyihou.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/61254476390
2021/12/23 13:13:36 [INFO] [www.mnnqdbk.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/61254476400
2021/12/23 13:13:36 [INFO] [badianyihou.com] acme: Could not find solver for: tls-alpn-01
2021/12/23 13:13:36 [INFO] [badianyihou.com] acme: use http-01 solver
2021/12/23 13:13:36 [INFO] [mnnqdbk.xyz] acme: Could not find solver for: tls-alpn-01
2021/12/23 13:13:36 [INFO] [mnnqdbk.xyz] acme: use http-01 solver
2021/12/23 13:13:36 [INFO] [www.badianyihou.com] acme: Could not find solver for: tls-alpn-01
2021/12/23 13:13:36 [INFO] [www.badianyihou.com] acme: use http-01 solver
2021/12/23 13:13:36 [INFO] [www.mnnqdbk.xyz] acme: Could not find solver for: tls-alpn-01
2021/12/23 13:13:36 [INFO] [www.mnnqdbk.xyz] acme: use http-01 solver
2021/12/23 13:13:36 [INFO] [badianyihou.com] acme: Trying to solve HTTP-01
2021/12/23 13:13:37 [INFO] [badianyihou.com] Served key authentication
2021/12/23 13:13:37 [INFO] [badianyihou.com] Served key authentication
2021/12/23 13:13:37 [INFO] [badianyihou.com] Served key authentication
2021/12/23 13:13:38 [INFO] [badianyihou.com] Served key authentication
2021/12/23 13:13:43 [INFO] [badianyihou.com] The server validated our request
2021/12/23 13:13:43 [INFO] [mnnqdbk.xyz] acme: Trying to solve HTTP-01
2021/12/23 13:13:43 [INFO] [mnnqdbk.xyz] Served key authentication
2021/12/23 13:13:43 [INFO] [mnnqdbk.xyz] Served key authentication
2021/12/23 13:13:44 [INFO] [mnnqdbk.xyz] Served key authentication
2021/12/23 13:13:44 [INFO] [mnnqdbk.xyz] Served key authentication
2021/12/23 13:13:50 [INFO] [mnnqdbk.xyz] The server validated our request
2021/12/23 13:13:50 [INFO] [www.badianyihou.com] acme: Trying to solve HTTP-01
2021/12/23 13:13:51 [INFO] [www.badianyihou.com] Served key authentication
2021/12/23 13:13:51 [INFO] [www.badianyihou.com] Served key authentication
2021/12/23 13:13:52 [INFO] [www.badianyihou.com] Served key authentication
2021/12/23 13:13:57 [INFO] [www.badianyihou.com] Served key authentication
2021/12/23 13:14:04 [INFO] [www.badianyihou.com] The server validated our request
2021/12/23 13:14:04 [INFO] [www.mnnqdbk.xyz] acme: Trying to solve HTTP-01
2021/12/23 13:14:05 [INFO] [www.mnnqdbk.xyz] Served key authentication
2021/12/23 13:14:05 [INFO] [www.mnnqdbk.xyz] Served key authentication
2021/12/23 13:14:05 [INFO] [www.mnnqdbk.xyz] Served key authentication
2021/12/23 13:14:07 [INFO] [www.mnnqdbk.xyz] Served key authentication
2021/12/23 13:14:09 [INFO] [www.mnnqdbk.xyz] The server validated our request
2021/12/23 13:14:09 [INFO] [badianyihou.com, www.badianyihou.com, mnnqdbk.xyz, www.mnnqdbk.xyz] acme: Validations succeeded; requesting certificates
2021/12/23 13:14:10 [INFO] [badianyihou.com] Server responded with a certificate.

-----> Certificate retrieved successfully.
-----> Installing let's encrypt certificates
-----> Unsetting DOKKU_PROXY_PORT
-----> Unsetting DOKKU_PROXY_SSL_PORT
-----> Setting config vars
DOKKU_PROXY_PORT_MAP: http:80:5000
-----> Setting config vars
DOKKU_PROXY_PORT_MAP: http:80:5000 https:443:5000
-----> Configuring badianyihou.com...(using built-in template)
-----> Configuring mnnqdbk.xyz...(using built-in template)
-----> Configuring www.badianyihou.com...(using built-in template)
-----> Configuring www.mnnqdbk.xyz...(using built-in template)
-----> Creating https nginx.conf
Enabling HSTS
Reloading nginx
-----> Configuring badianyihou.com...(using built-in template)
-----> Configuring mnnqdbk.xyz...(using built-in template)
-----> Configuring www.badianyihou.com...(using built-in template)
-----> Configuring www.mnnqdbk.xyz...(using built-in template)
-----> Creating https nginx.conf
Enabling HSTS
Reloading nginx
-----> Disabling ACME proxy for zfw-rails...
Reloading nginx configuration (via systemctl): nginx.service.
-----> Done

But now for some reason I have a warning shown when I visit www.badianyihou.com.

It should still be working fine, as the new certificate includes 4 domains: badianyihou.com, mnnqdbk.xyz, www.badianyihou.com, www.mnnqdbk.xyz

Do you know what causes the validation failure?

P.S. answering this:

> Also, currently when I go to www.mnnqdbk.xyz and ignore the TLS error, I'm getting the same site contents as your other domain. Is that intentional? Or are the sites supposed to serve different content? Maybe your dokku apps need to be properly set up first?

Yes, they should show the same content.

2 Likes
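The "certificate does not match the URL" warning and the later "includes 4 domains" question both come down to one check: is the hostname in the address bar listed in the certificate's Subject Alternative Names? The script below is an added example, not code from the thread or from the dokku plugin; the SAN lists are constructed to mirror the single-name certificate the poster started with and the bundled four-name certificate the dokku log shows being issued, and `live_san_names` (network access required) fetches the SAN list a server actually presents so the same check can be run against the live site.

```python
import socket
import ssl
from typing import Iterable


def hostname_matches(name: str, pattern: str) -> bool:
    """RFC 6125-style match of a hostname against one dNSName SAN entry.
    A wildcard is only honoured as the whole leftmost label (*.example.com)
    and covers exactly one label, so it never matches the bare apex name."""
    name = name.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return name == pattern
    suffix = pattern[1:]                 # ".example.com"
    if not name.endswith(suffix):
        return False
    left = name[: -len(suffix)]          # the label the '*' has to cover
    return left != "" and "." not in left


def uncovered_hostnames(wanted: Iterable[str], san_names: Iterable[str]) -> list:
    """Hostnames in `wanted` that no SAN entry covers: each one will make a
    browser raise exactly the 'certificate does not match the URL' warning."""
    sans = list(san_names)
    return [h for h in wanted if not any(hostname_matches(h, s) for s in sans)]


def live_san_names(host: str, port: int = 443, timeout: float = 5.0) -> list:
    """Fetch the dNSName SAN entries of the certificate `host` presents
    (sent as SNI, like a browser). The chain is still verified against the
    system trust store; only the hostname check is disabled so a mismatched
    certificate can be inspected instead of failing the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed SAN lists mirroring the thread (not fetched from the live hosts).
OLD_CERT_SANS = ["www.badianyihou.com"]
NEW_CERT_SANS = ["badianyihou.com", "www.badianyihou.com", "mnnqdbk.xyz", "www.mnnqdbk.xyz"]
SITE_HOSTNAMES = ["www.badianyihou.com", "www.mnnqdbk.xyz", "badianyihou.com", "mnnqdbk.xyz"]

if __name__ == "__main__":
    print("old certificate leaves uncovered:", uncovered_hostnames(SITE_HOSTNAMES, OLD_CERT_SANS))
    print("new certificate leaves uncovered:", uncovered_hostnames(SITE_HOSTNAMES, NEW_CERT_SANS))
```

Running `uncovered_hostnames(SITE_HOSTNAMES, live_san_names("www.badianyihou.com"))` after the renewal tells you whether the served certificate is really the four-name one, or whether nginx is still handing out the old file for that server name.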

Ok everything solved, the latest issue was related to this topic:

It seems the dokku Let's Encrypt plugin adds all the hostnames to a single certificate, which is fine if you're fine with that :)

Not sure what happened at the end though; everything seems to be fine from my point of view :)

I'm glad it was easy to do with that dokku plugin!

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.