Add new domain to certificate


#1

Hi all,

First of all sorry for rather long post!

I did have a look through the forums on this particular issue I am having, which is how I go about adding a new domain that's been added as an additional alias in the vhost config; the server is Apache based.

Both domains (existingdomain.com & newdomain.com) are publicly available, with DNS pointing to the same box where they're hosted.
Separate landing pages also work over HTTP/HTTPS, with 301 redirects set up in the vhost for each.

I have tried:

certbot --expand -d existingdomain.com -d newdomain.com

sudo@Bot:/# certbot --expand -d existingdomain.com -d newdomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for existingdomain.com
tls-sni-01 challenge for newdomain.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. newdomain.com (tls-sni-01): urn:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for newdomain.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: newdomain.com
    Type: None
    Detail: DNS problem: SERVFAIL looking up CAA for newdomain.com
    sudo@Bot:/#

Or even trying with
certbot --webroot -w /path/to/existingdomain.com/html certonly -d existingdomain.com -d newdomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/existingdomain.com.conf)

It contains these names: existingdomain.com

You requested these names for the new certificate: existingdomain.com,
newdomain.com.

Do you want to expand and replace this existing certificate with the new
certificate?

(E)xpand/(C)ancel:

Renewing an existing certificate
Performing the following challenges:
http-01 challenge for existingdomain.com
http-01 challenge for newdomain.com
Using the webroot path /home/webmaster/existingdomain.com for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. newdomain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://newdomain.com/.well-known/acme-challenge/SVBo3TUxlCgznZzNeJNYgrQdyKHl78C_OM4mve3EeF4 [213.142.225.76]: 500

IMPORTANT NOTES:

from: /var/log/letsencrypt/letsencrypt.log
2018-11-22 11:06:48,633:DEBUG:certbot.main:Root logging level set at 20
2018-11-22 11:06:48,634:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-11-22 11:06:48,634:DEBUG:certbot.main:certbot version: 0.10.2
2018-11-22 11:06:48,634:DEBUG:certbot.main:Arguments: ['--webroot', '-w', '/path/to/existingdomain.com/html', '-d', 'existingdomain.com', '-d', 'newdomain.com']
2018-11-22 11:06:48,635:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2018-11-22 11:06:48,635:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2018-11-22 11:06:48,635:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f110e8fa990>
Prep: True
2018-11-22 11:06:48,636:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f110e8fa990> and installer None
2018-11-22 11:06:48,639:DEBUG:certbot.main:Picked account: <Account(238a0839c7222adafe----------)>
2018-11-22 11:06:48,640:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2018-11-22 11:06:48,643:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org


#2

Hi @aleon

The tls-sni-01 challenge is deprecated; support ends 2019-02-13. You can't use it with a new domain, so it's impossible that such a command works.

is better, but to check your configuration: what are your domain names?


#3

I also recommend feeding your domain into https://letsdebug.net as it can be really useful to diagnose problems.


#4

Hi guys,

Thanks for your input, much appreciated.

I have PM'ed you, Juergen, on the sites in question.

Will try letsdebug, interesting site thanks.


#5

All OK!

OK

No issues were found with ----------------------. If you are having problems with creating an SSL certificate, please visit the Let’s Encrypt Community forums and post a question there.

:smile:

Well here I am asking :slight_smile:


#6

Sorry, we’ll need your real domain name to help. Usually domains are not really confidential as all anyone can really do is visit the website.


#7

Thanks, got your DM. If you look at the verbose output of letsdebug.net you’ll see your previous failed authorization as a 403 unauthorized, and if I try it manually I get an error 500 ‘Sorry, our script crashed. Oh dear’

I think your content management system/app is not allowing requests through to the /.well-known/acme-challenge path. You can test this by putting your own (extensionless) text file at that path in your website, then see if you can browse to that file. Once you can browse to a file you create at that path, your challenges will probably also start working.


#8

FWIW this is not an indication of a problem, which is why I hid it under “verbose”.

But the rest of your post seems like good advice - OP should check the webroot.


#9

Thanks for prompt response :slight_smile:
I am not sure if I am following you on the 2nd part of your suggestion, but I get: "Sorry, our script crashed. Oh dear"

when browsing domainname1/test1, but on domainname2/test1 I get the proverbial "site not secure" warnings!

The content of test1 is just some words…

So the 500 error I am getting is the issue here?


#10

OK, I think I solved the error 500 on the file now.

I had this in my .htaccess file:

Header set Access-Control-Allow-Origin: https://olddomain https://newdomain

So I just commented this out for now, as I added newdomain to this line while trying to add the domain as in my original post.
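
The two checks suggested in #7 and found in #10, as an added example that is not part of the thread: drop a probe file where certbot's webroot plugin writes its token and fetch it the way the CA does (plain http://, following redirects), and lint the .htaccess for the shape of `Header` line the poster had to comment out. Two things about that line are worth knowing: in Apache's `Header` directive the header name is given bare (no trailing colon), and `Access-Control-Allow-Origin` takes a single origin or `*`, never a space-separated list. The webroot path, domain names and the script name `acme_http01_check.sh` are placeholders; the .htaccess replacement printed by `print_cors_fix` is the standard allow-list pattern and assumes mod_setenvif and mod_headers are loaded.

```shell
#!/bin/sh
# acme_http01_check.sh -- added example, not from the thread. Placeholder paths/names.
#
# Usage: sh acme_http01_check.sh probe /var/www/existingdomain.com existingdomain.com
#        sh acme_http01_check.sh lint  /var/www/existingdomain.com/.htaccess

# Create .well-known/acme-challenge/<token> under the webroot (what certbot's
# webroot plugin does) and print the token.
make_probe() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token="probe-$(date +%s)-$$"
    printf '%s' "$token" > "$dir/$token" || return 1
    printf '%s\n' "$token"
}

# Fetch the probe like the validation server does: plain http://, following
# redirects. Succeeds only when the body is exactly the token (a 500 page,
# a login page or an index page all fail here, as they fail with the CA).
check_probe() {
    url="http://$1/.well-known/acme-challenge/$2"
    body=$(curl -sS -L --max-redirs 10 --max-time 15 "$url") || return 1
    [ "$body" = "$2" ]
}

# Flag Header directives whose name ends in ':' (not valid in the directive)
# and Access-Control-Allow-Origin values that list more than one origin.
# Prints one finding per line; returns 1 if anything was found.
lint_htaccess() {
    awk '
    {
        line = $0; sub(/^[ \t]+/, "", line)
        if (line !~ /^Header[ \t]/) next
        n = split(line, f, /[ \t]+/)
        i = 2
        if (tolower(f[i]) == "always" || tolower(f[i]) == "onsuccess") i++
        action = tolower(f[i]); name = f[i+1]
        if (name ~ /:$/) {
            printf("line %d: header name \"%s\" ends in a colon; Header takes the bare name\n", NR, name)
            bad++
        }
        bare = name; sub(/:$/, "", bare)
        if (tolower(bare) == "access-control-allow-origin" && action == "set") {
            value = ""
            for (j = i + 2; j <= n; j++) {
                if (f[j] ~ /^env=/) break
                value = value (value == "" ? "" : " ") f[j]
            }
            gsub(/"/, "", value)
            cnt = split(value, v, /[ \t]+/)
            if (cnt > 1) {
                printf("line %d: Access-Control-Allow-Origin lists %d origins; it takes one origin or *\n", NR, cnt)
                bad++
            }
        }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Correct way to allow several origins: echo the request Origin back only when
# it matches an explicit list, and tell caches the answer varies by Origin.
print_cors_fix() {
    cat <<'EOF'
SetEnvIf Origin "^https://(existingdomain\.com|newdomain\.com)$" ORIGIN=$0
Header set Access-Control-Allow-Origin "%{ORIGIN}e" env=ORIGIN
Header merge Vary Origin
EOF
}

case "${1:-}" in
    probe) t=$(make_probe "$2") && check_probe "$3" "$t" && echo "OK: $t served" \
               || echo "FAIL: fix the webroot/vhost before re-running certbot" ;;
    lint)  lint_htaccess "$2" && echo "no suspicious Header lines" ;;
esac
```

Run the probe against every name you are about to put on the certificate, not just the first one: certbot used the same webroot "for all unmatched domains" in the output above, so the second name only works if the vhost serving newdomain.com reaches that directory too.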


#11

That worked!!!

(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for existingdomain.com
http-01 challenge for newdomain.com
Using the webroot path /home/webmaster/existingdomain.com for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0096_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0096_csr-certbot.pem

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/existingdomain.com/fullchain.pem. Your cert
    will expire on 2019-02-21. To obtain a new or tweaked version of
    this certificate in the future, simply run certbot again. To
    non-interactively renew all of your certificates, run “certbot
    renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le


#12

Thanks. Looks like the problem is now solved.

There is a new LE certificate created today :wink:


#13

Thanks for your advice :slight_smile:

Now to do the same on Nginx… it's Friday, I think I'll give it a rest and not break anything.


#14

Hi all,

Just revisiting this as I'm not sure auto-renewal of the certificate will work now.

So I expanded the existing certificate to include a new name in the SAN (subject alternative names) using:

certbot --webroot -w /path/to/existingdomain.com/html certonly -d existingdomain.com -d newdomain.com

Does that mean the auto-renewal for these sites set in apache2 will not auto-renew?
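
A check for the renewal question above, as an added example that is not part of the thread. certbot records the authenticator and, for webroot, a `[[webroot_map]]` of name to directory in `/etc/letsencrypt/renewal/<lineage>.conf`, and `certbot renew` replays those settings; the run in #11 that succeeded with `--webroot` is what the conf now records. The script below reads that map and reports any name on the certificate that has no webroot entry. The conf written by `sample_conf` is constructed for the demo (the account id is made up); the real check is `certbot renew --dry-run`, which exercises the whole path against the staging CA without touching the live certificate.

```shell
#!/bin/sh
# renew_check.sh -- added example, not from the thread. Placeholder paths.
#
# Usage: sh renew_check.sh check /etc/letsencrypt/renewal/existingdomain.com.conf \
#            $(sh renew_check.sh names /etc/letsencrypt/live/existingdomain.com/cert.pem)
#        sh renew_check.sh demo

# Print "name = path" for each entry of the [[webroot_map]] section.
webroot_map() {
    awk '
        /^[ \t]*\[\[webroot_map\]\]/ { in_map = 1; next }
        /^[ \t]*\[/                   { in_map = 0 }
        in_map && /=/ {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, kv, /[ \t]*=[ \t]*/)
            print kv[1] " = " kv[2]
        }
    ' "$1"
}

# Print the DNS names from a certificate's subjectAltName, one per line.
cert_names() {
    openssl x509 -in "$1" -noout -text | awk '
        /X509v3 Subject Alternative Name/ {
            getline; gsub(/DNS:/, ""); gsub(/,/, " ")
            for (i = 1; i <= NF; i++) print $i
        }'
}

# Report names (arguments after the conf) that have no webroot entry.
# Returns 1 if any are missing: "certbot renew" would have nowhere to
# write the http-01 token for those names.
missing_webroots() {
    conf="$1"; shift
    map=$(webroot_map "$conf")
    rc=0
    for name in "$@"; do
        if ! printf '%s\n' "$map" | awk -v n="$name" -F' = ' '$1 == n { found = 1 } END { exit !found }'; then
            echo "no webroot for $name in $conf"
            rc=1
        fi
    done
    return $rc
}

# Constructed renewal conf in certbot's format (values are made up for the demo).
sample_conf() {
    cat > "$1" <<'EOF'
# renew_before_expiry = 30 days
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/existingdomain.com
cert = /etc/letsencrypt/live/existingdomain.com/cert.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 0123456789abcdef0123456789abcdef
[[webroot_map]]
existingdomain.com = /home/webmaster/existingdomain.com
EOF
}

case "${1:-}" in
    names) cert_names "$2" ;;
    check) conf="$2"; shift 2; missing_webroots "$conf" "$@" && echo "every name has a webroot" ;;
    demo)  sample_conf /tmp/demo-renewal.conf
           missing_webroots /tmp/demo-renewal.conf existingdomain.com newdomain.com ;;
esac
```

If a name is missing, re-run the `certbot certonly --webroot` command with one `-w` per webroot placed before the `-d` names it serves; certbot rewrites the renewal conf on each successful run, so the next `certbot renew` will pick the new map up.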