Add new domain in existing Certicate

mustafaozaslan · February 17, 2021, 6:42am

I added new subdomains to my existing certificate. I see also in Logs of crt.sh with id crt.sh | 4087745049 it is accepted. But in my browser i am getting still for example for https://www.omb-it.com not secure warning. can you please help me about the issue.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:omb-it.com

I ran this command: sudo certbot certonly --standalone --cert-name mail.omb-it.com -d mail.omb-it.com -d www.omb-it.com -d omb-it.com

It produced this output: You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/mail.omb-it.com.conf)

What would you like to do?

1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate

IMPORTANT NOTES:

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mail.omb-it.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mail.omb-it.com/privkey.pem
Your cert will expire on 2021-05-17. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
"certbot renew"
If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu 18.04 LTS bionic

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 0.31.0

Osiris · February 17, 2021, 7:14am

Please note:

Replacing the certificate with exactly the same certificate is not going to do anything if it previously also didn't do anything. This is only adding more load to the Let's Encrypt systems.

In any case, did you expand an existing certificate when you first got your new cert with the added domains? Or did you get a whole different cert next to the one already existing? You can check with certbot certificates.

If you expanded the cert, it might be as simple as reloading your webserver to load the new cert into memory. If you got a second cert, you might need to install it manually into your webserver.

griffin · February 17, 2021, 7:27am

Welcome to the Let's Encrypt Community, Mustafa

If you did actually install your new certificate, you probably just need to reload your webserver. You can use the command I've provided below to update your certificate properly.

sudo certbot certonly --cert-name mail.omb-it.com --standalone -d "omb-it.com,www.omb-it.com,mail.omb-it.com" --deploy-hook "sudo nginx -s reload" --force-renewal

mustafaozaslan · February 17, 2021, 7:27am

Hello griffin,

thanks for your fast reply.
after reloading nginx my problem was solved.
Thank you so much.

I have another question about my certificate.
My certificate issued to mail.omb-it.com is it possible to change it to www.omb-it.com .
How can i do that?
thanks again.

griffin · February 17, 2021, 7:32am

Yep.

sudo certbot certonly --cert-name www.omb-it.com --standalone -d "www.omb-it.com,omb-it.com,mail.omb-it.com" --deploy-hook "sudo nginx -s reload"

Keep in mind that you'll need to update your nginx server configuration files to reference www.omb-it.com as the folder where your certificate and key are located rather than mail.omb-it.com.

Use this once you finish updating your configuration files:

sudo nginx -s reload

You can then use this to find the names of your unneeded certificates:

sudo certbot certificates

Then this to delete them:

sudo certbot delete --cert-name thenamehere

mustafaozaslan · February 17, 2021, 7:39am

Hello griffin,

you are grate.
thank you for your support.

griffin · February 17, 2021, 7:40am

Hope everything works great for you.

If you run into any further trouble, you know where to find us.