Adding domain to same certificate screws up certificate on BOTH domains

We had a working SSL connection on We’d like to use the same cert on both these domains:

So we issued this command:

certbot certonly --cert-name --renew-by-default -a webroot -n --expand --webroot-path=/home/bsc -d

Now both domains are showing an error. What did we do wrongly? The behavior we’d like is that if any of those domains are typed in the browser, we’d like the user to be taken to <request path>. Thanks.

It's necessary to list all the names you want the new certificate to include. You should run something like:

certbot certonly --cert-name -a webroot -n --expand --webroot-path=/home/bsc -d -d -d -d

(If you also want to include the www subdomains.)

(--renew-by-default, also known by its newer name --force-renewal, isn't needed for this. It's just for renewing certificates unnecessarily. You're adding new names, which is different.)

is using a certificate for right now, probably because of the certbot command you ran. is using a certificate for I'm not sure why. It may be the default certificate if there isn't a server block with a matching server_name.

Could you paste "certbot certificates" and "nginx -T"?


Thank you. Yes, I’m sure I was running some wrong command. Could I just remove the certificates for baystreet* and then start afresh?

Anyway, the two commands you requested:

certbot certificates (and yes, shanx dot com is the default server block)

Certificate Name:
    Expiry Date: 2018-08-11 23:16:19+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/
    Private Key Path: /etc/letsencrypt/live/

Certificate Name:
    Expiry Date: 2018-08-11 23:13:10+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/
    Private Key Path: /etc/letsencrypt/live/


nginx -T (just the blocks referring to these two domains?)

#  BSC Bay Street Clinic
server {
    server_name  ;
    return 301 $request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    root /home/bsc;

    ssl_certificate       /etc/letsencrypt/live/;
    ssl_certificate_key   /etc/letsencrypt/live/;

    include common.conf;
    include ssl.conf;

    error_page 404 403 500 502 503 504 /40x.htm;
    location = /40x.htm { root /home/bsc; allow all; }
}

I ran the command you suggested, and now seems to be working, but the .ca is pointing to the default server. Also the still points to the default server too?

You could add the other hostnames in the server_name line. I think that will explain to nginx that you want it to use that port 443 server block (including the certificate) for all of the hostnames, not just for itself.

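A way to check which names the certificate nginx actually serves for each hostname covers, as an added example that is not part of this thread: it connects with the hostname as the SNI name, reads the subjectAltName entries from the presented certificate, and reports the hostnames that are not covered (the sample certificate dict and the single-label wildcard rule are assumptions of this example).

```python
"""Report hostnames not covered by the certificate a TLS server presents for them.

Standard library only. The offline check uses a constructed peer-certificate
dict in the shape returned by ssl.SSLSocket.getpeercert(); pass hostnames on
the command line to check live servers instead.
"""
import socket
import ssl
import sys

# Constructed sample, not a real certificate: a cert for example.com,
# www.example.com and *.example.net (so NOT example.ca and NOT the apex example.net).
SAMPLE_PEERCERT = {
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com"),
                       ("DNS", "*.example.net")),
}


def san_dns_names(peercert):
    """DNS names from the dict returned by SSLSocket.getpeercert()."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(hostname, pattern):
    """Exact match, or a wildcard in the leftmost label matching exactly one label."""
    hostname, pattern = hostname.lower(), pattern.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return hostname == pattern


def uncovered_hosts(hostnames, peercert):
    """Hostnames that no SAN entry in peercert covers."""
    sans = san_dns_names(peercert)
    return [h for h in hostnames if not any(name_matches(h, s) for s in sans)]


def fetch_peercert(hostname, port=443, timeout=5.0):
    """Fetch the certificate presented for this SNI name without aborting on a name mismatch."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we want to inspect the mismatch, not raise on it
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for host in sys.argv[1:]:
        cert = fetch_peercert(host)
        missing = uncovered_hosts([host], cert)
        print(host, "OK" if not missing else "NOT COVERED; SANs=" + ", ".join(san_dns_names(cert)))
```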

Thank you. I just deleted all certs related to all domains, and then ran this command:

certbot certonly -a webroot --expand --webroot-path=/home/bsc -d -d -d -d

Now it works. Thank you so much.
