Adding and removing domains from certificate


#1

My domain is: too many to list

I ran this command:
I have never run it; I can only see the previous script that was run manually by a tech.

It produced this output:
I have never run it; I can only see the previous script that ran and the contents of the script (listed below).

~/acme.sh/acme.sh --issue -d mx.example.com --dns dns_cf -d example.domain.sg --challenge-alias mx.example.com --dns dns_cf -d mail.something.com --challenge-alias mx.example.com --dns dns_cf -d mail.anotherdomain.com --challenge-alias mx.example.com --dns dns_cf -d webmail.moredomains.com --challenge-alias mx.example.com

My web server is (include version):
?
The operating system my web server runs on is (include version):
running Scriptoria SSH from CentOS

My hosting provider, if applicable, is:
multiple DNS hosts; it is a single SSL cert with alternative names for the other domains

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
Using the Neilpang/acme.sh script, not certbot

Two questions, if anyone could help.

We have a cert with a primary DNS name that then lists all our other, completely different domains as alternative DNS names. The renewal for this is due within the week; some domains we wish to remove and some domains we wish to add.
Is it simply a case of adding these new domain names to the acme script? All the domains have a DNS alias to the main mail routing domain, which has the Cloudflare API set up.
Or do I somehow need to create a new SSL cert? Which I do not know how to do currently (is it through Cloudflare?)

The main domain for email is connected via the Cloudflare API.
All other domains use the acme DNS alias challenge.
Any help would be great and most appreciated.


#2

I believe you just need to add them to the command you pasted above. From a quick test, it seems that acme.sh takes the certificate name from the first domain listed, so if that stays the same, the existing certificate will be overwritten with a new one covering the new list of domains (with domains added/removed as you want). I guess you’ll also want to continue the pattern of repeating the --challenge-alias mx.example.com and --dns dns_cf options for each new domain (I don’t know if it’s necessary or not, but it seems to have worked for you before…)

acme.sh should automatically renew your certificate 30 days before it expires, but of course that would fail if the DNS aliases for some of the names on the certificate are no longer pointed at your server.


#3

Thank you jmorahan. It hasn’t auto-updated, I believe, because it’s not cron’d to run, and it also involves third-party software (Kerio Connect mail server).
The first domain will never change, so that’s a big tick for me.
Some of the domains are standalone, so perhaps yes, it’s failing, but until today I haven’t dug as deep in. Is there a log file in acme.sh/?
I didn’t set it up and am trying to get my head around it. I understand the challenge alias, so I’m comfy with that (converting some standalone domains (that need port 80 open) to alias as I type), but I’m unsure about the Cloudflare API side and its automation, and also the replacement of the SSL cert within the service / server; I don’t wish to override something in there that might be required… I’m sure I’m overcomplicating this, however we have 9 different domains and 190 users on the mail host, and so I’m very, very tentative about causing connectivity issues.


#4

Yes, but it’s disabled by default (I just discovered this…). Use --log to enable it.

I don’t think you need to worry too much about Cloudflare; if it’s already set up and working for the existing domains using DNS alias mode, it should work for the new ones in the same way.

Here’s the documentation for acme.sh’s DNS alias mode. Looks like you don’t need to repeat the --challenge-alias mx.example.com and --dns dns_cf options for each domain after all.

I don’t know anything about kerio connect mail server so I can’t help you there, sorry.

Back up the whole acme.sh directory before experimenting, if you’re worried about breaking something…


#5

Will I need to do --issue? Or --renew? Considering I’m adding more domains, and to remove a domain I don’t want, would it be right to just not have it in the script? Is there a way of testing what it will do (pass or fail)? I’m used to rsync and being able to pre-test a script. If you know how I can test without forcing a new cert live, that would be awesome!


#6

--renew will try to renew the cert (and all the names in it).
--issue will try to get a new cert with the following names.

If you do end up issuing any new certs (sounds like you will), you may need to do some clean-up and remove any unused/unwanted certs soon thereafter.
For that, start with:
./acme.sh --list


#7

Thank you rg305. Can I do ./acme.sh --list prior to this? Will it damage anything?


#8

It can be done at any time.
It will simply list all the certs, the domains they cover, their creation dates, key-lengths, and next scheduled renewal attempt dates.

If you want to format that output for simpler importing directly into a spreadsheet, you can use:
./acme.sh --list --listraw
[fields delimited with “|”]
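As an added example (not from the thread or from the acme.sh project), the following shell functions use the “|”-delimited --listraw output from #8 to show which alternative names would be added or removed relative to the existing cert, and then print (without running) the --issue command in the non-repeating form mentioned in #4. The sample output is constructed, and it assumes the field order Main_Domain|KeyLength|SAN_Domains|CA|Created|Renew with SAN_Domains holding only the alternative names, comma-separated.

```shell
# Constructed sample of `./acme.sh --list --listraw` output (not real data).
# Assumed field order: Main_Domain|KeyLength|SAN_Domains|CA|Created|Renew
LISTRAW_SAMPLE='Main_Domain|KeyLength|SAN_Domains|CA|Created|Renew
mx.example.com|2048|example.domain.sg,mail.something.com,mail.anotherdomain.com,webmail.moredomains.com|LetsEncrypt.org|2023-01-01T00:00:00Z|2023-03-01T00:00:00Z'

# current_sans MAIN_DOMAIN LISTRAW_TEXT
# Prints one alternative name per line for the cert whose main domain matches.
current_sans() {
  printf '%s\n' "$2" | awk -F'|' -v main="$1" \
    '$1 == main { n = split($3, a, ","); for (i = 1; i <= n; i++) print a[i] }'
}

# plan_changes MAIN_DOMAIN "space separated wanted domains" LISTRAW_TEXT
# Prints "add <domain>" / "remove <domain>" lines; the main domain is never
# listed because it must stay first so acme.sh keeps the same cert name (#2).
plan_changes() {
  main=$1; wanted=$2; raw=$3
  have=$(current_sans "$main" "$raw")
  for d in $wanted; do
    [ "$d" = "$main" ] && continue
    printf '%s\n' "$have" | grep -qxF "$d" || echo "add $d"
  done
  for d in $have; do
    case " $wanted " in *" $d "*) ;; *) echo "remove $d" ;; esac
  done
}

# build_issue_cmd MAIN_DOMAIN "space separated wanted domains"
# Echoes the command line only; nothing is issued until you run it yourself.
# Uses a single --dns / --challenge-alias, as the DNS alias docs allow (#4).
build_issue_cmd() {
  main=$1; wanted=$2
  cmd="~/acme.sh/acme.sh --issue --dns dns_cf --challenge-alias $main -d $main"
  for d in $wanted; do
    [ "$d" = "$main" ] && continue
    cmd="$cmd -d $d"
  done
  echo "$cmd"
}

# Usage: review the plan, then copy the echoed command once it looks right.
WANTED="mx.example.com example.domain.sg mail.something.com new.example.org"
plan_changes mx.example.com "$WANTED" "$LISTRAW_SAMPLE"
build_issue_cmd mx.example.com "$WANTED"
```

Feed it real output with `plan_changes mx.example.com "$WANTED" "$(./acme.sh --list --listraw)"` after checking that the header line matches the assumed field order.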


#9

Thank you RG. I have one other question, if I can: say one of the hosts has an existing legit cPanel SSL cert (not Let's Encrypt) on their domain, and the MX record is on the root domain “maildomain.com”, no subdomain. Can we a) add the naked domain to the renewal, like --dns dns_cf -d maildomain.com --challenge-alias mx.master.com.au
and b) will it fuck up the cert for https://maildomain.com on the cPanel (which has its own SSL cert), or cause some horrid mismatching?


#10

The acme.sh client will only get and renew certs; it will not make any other changes (by default).
So, yes, you can probably get a new cert with that command.
How that new cert integrates with cPanel, or your mail system, is a completely separate question.
I don’t know how either is set up in your system, so there is no way to give concrete advice.
That said, there are some known best practices and some known gotchas.
Like: it is generally recommended to use cPanel to obtain certs for systems it “controls”.