Adding a New Domain name to existing Cert


#1

Hello,

I am new to this world, but have successfully obtained a certificate for my flying club’s new domain. Now they tell me they want to keep the old one as well. So I tried expanding my current certificate to add the old domain, but get this:

Domain: www.[name redacted].co.uk
Type: unauthorized
Detail: Correct zName not found for TLS SNI challenge. Found ‘’

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

The DNS A records are correct, BTW.

Reading a post here, it says to add it as a SAN, but does not tell me how to do this. I followed some instructions on the Web, but the “openssl req” command never exited! Always the > prompt, and the post did not say how you send the request! The command was this:

openssl req \
-new -newkey rsa:2048 -sha256 -nodes \
-keyout privkey1.pem -out signreq.der -outform der \
-subj "/C=UK/ST=Leicestershire/L=Saltby/O=[REDACTED]/emailAddress=[REDACTED]/CN=[REDACTED]" \
-reqexts SAN

So I am stuck, can anyone help me please?

Cheers, Clock.


#2

Look, in the DNS Zone you have the ‘root’ A Address, usually a non-named entry like:
@ A

Usually this entry is different from the ‘www’ entry:
www A

I think your problem resides in that: whenever you ask for a cert, like ‘subdomain.flyingclub.com’,
you must ensure that the returned IP address matches the machine that is actually asking for the certificate.
So basically, if you had a certificate for ‘www.flyingclub.com’:
www A 1.2.3.4
subdomain A 1.2.3.4

Hope this helps you,
felco


#3

Thanks for the reply.

Are you talking about my /etc/hosts file?
I do not have an entry in there for the old domain just now.

I do have an AliasServerName in my Apache SSL config file for the old domain.

I have one domain - let's call it flying-club.co.uk - that I have certified, and the club want me to add the old domain name, say old-flying-club.co.uk, to the certificate.

Personally, I don't want to do this - it's a lot of hassle just so they keep an old domain name that does not mean much, but I have been asked to do it so I have to try.

The other alternative someone suggested is to have two certificates for the two domains, then have two entries in my 000-default-le-ssl.conf file, is this a solution or not? What I don’t want is insecure access to the server as it is not only the website, but also a cloud server, mail server and SMS text server, so it must be secure.

Regards, Clock.


#4

Hi Clock, the idea is to re-run the client with letsencrypt certonly (or letsencrypt-auto certonly if you installed it in a way that requires letsencrypt-auto) and supply -d for every name that should be a part of the new cert (not just the ones that are new or different, but the complete list of what you want to be in the new cert).

This will make a fresh cert request to the CA, but it should also notice that you have an existing cert with a subset of those names, and ask you whether you would like to replace that cert with the new one. If you say yes, it should be replaced with the new, more comprehensive cert. You should not need to use openssl req at all (unless you also used it to make a CSR file when you originally got your first cert).
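As an added example (my own script, not code from this thread or from the Let's Encrypt client): a POSIX sh helper that merges the names already on the cert with the ones to add, checks that each name's A record points at this server (the error quoted in #1 is what a wrong A record produces), and only then runs certonly with every name on the command line. It assumes the server's public IP is passed in SERVER_IP, that dig is installed, and the domain names below are made up.

```shell
#!/bin/sh
# merge_names: print each name once, in the order given, from the
# space-separated lists passed as arguments (existing names first).
merge_names() {
    seen=" "
    for n in $*; do
        case "$seen" in
            *" $n "*) ;;                          # duplicate, skip it
            *) printf '%s\n' "$n"; seen="$seen$n " ;;
        esac
    done
}

# d_args: turn a newline-separated name list on stdin into "-d a -d b ...".
# Every name must appear, not only the new ones (see post #4).
d_args() {
    out=""
    while read -r n; do
        [ -n "$n" ] && out="$out -d $n"
    done
    printf '%s\n' "${out# }"
}

# a_record_ok NAME IP: true if NAME's A record(s) include IP.
a_record_ok() {
    dig +short A "$1" | grep -qx "$2"
}

# The real run is guarded so the functions can be sourced safely.
if [ "${RUN_CERT_UPDATE:-0}" = "1" ]; then
    existing="flying-club.co.uk www.flying-club.co.uk"      # constructed names
    new="old-flying-club.co.uk www.old-flying-club.co.uk"   # constructed names
    names=$(merge_names $existing $new)
    for n in $names; do
        a_record_ok "$n" "$SERVER_IP" ||
            { echo "A record for $n does not point at $SERVER_IP" >&2; exit 1; }
    done
    set -- $(printf '%s\n' "$names" | d_args)
    # Add your authenticator flag (e.g. --apache) as needed.
    letsencrypt certonly "$@"
fi
```

Run it as `RUN_CERT_UPDATE=1 SERVER_IP=203.0.113.10 sh update-cert.sh`; if a name's A record is wrong it stops before contacting the CA.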


#5

Thank you - I will give it a try later…

Cheers, Clock.


#6

I forgot to post, everything now sorted, thanks.

I am getting emails that say my certificates have not been renewed when they have; this is a little disturbing. I have found a thread for this problem, so I guess you know about it!

Cheers, Clock.