Adding domain without affecting current certificates


#1

What is the current recommended shell command for adding a certificate for a new domain on nginx without affecting any existing certificates for my old domains?

I currently have four running domains with certbot successfully maintaining and renewing them perfectly for over a year. About nine months ago, I added one new domain to my server but ended up invalidating my old certificates when trying to add the new site with certbot. That was utterly my fault for not correctly understanding the documentation, so I just want to be extra cautious now.

If I wanted to add two new subdomains, what is the correct path such that:

  1. valid certificates are created for the new subdomains,
  2. the new certificates are renewed automatically, and
  3. the existing certificates are not affected or continue to renew normally.

I’m using shell access on a Digital Ocean instance of Ubuntu 16.04.5 LTS running certbot 0.26.1 and nginx.

My current (slightly redacted) certificates are:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: redacted1.com
    Domains: redacted1.com www.redacted1.com
    Expiry Date: 2018-09-21 23:29:09+00:00 (VALID: 34 days)
    Certificate Path: /etc/letsencrypt/live/redacted1.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/redacted1.com/privkey.pem
  Certificate Name: subdomain1.redacted2.com
    Domains: subdomain1.redacted2.com
    Expiry Date: 2018-11-09 02:15:08+00:00 (VALID: 82 days)
    Certificate Path: /etc/letsencrypt/live/subdomain1.redacted2.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/subdomain1.redacted2.com/privkey.pem
  Certificate Name: subdomain2.redacted2.com
    Domains: subdomain2.redacted2.com
    Expiry Date: 2018-11-14 00:32:57+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/subdomain2.redacted2.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/subdomain2.redacted2.com/privkey.pem
  Certificate Name: subdomain3.redacted2.com
    Domains: subdomain3.redacted2.com
    Expiry Date: 2018-10-06 17:05:16+00:00 (VALID: 49 days)
    Certificate Path: /etc/letsencrypt/live/subdomain3.redacted2.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/subdomain3.redacted2.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The cron file I use for certbot renewal is this:

$ cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --nginx

#2

Hi @OsakaAndrew

there is no "recommended shell command". That is server-specific. Wildcard/non-wildcard, http-01 or old sni-01 (only renew, no new certificates), correct configuration or buggy configuration.

Normally, creating a new certificate with a new subdomain name should not have an effect.

But if the configuration is buggy, then it may crash. Additional redirects, wrong rewrite rules, blocked directories, wrong new dns-configuration (added ipv6 address).

So add your new subdomain, use your last command to create a new certificate. Perhaps use the test system first. Then you will see if it works.
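An added example, not from either post in this thread: a small POSIX shell wrapper that records a hash of every existing certbot lineage's fullchain.pem, requests the new names as their own lineage (only the new domains are passed with -d, and --cert-name pins a new lineage name so no existing certificate is expanded or replaced), and then proves the old lineages are byte-for-byte unchanged before a dry-run renewal confirms the cron job would still succeed. The /etc/letsencrypt/live layout is the one shown in the question; the lineage and domain names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not the thread author's script): issue a certificate for
# new subdomains and verify that pre-existing lineages were left untouched.
# LIVE_DIR follows the paths printed by `certbot certificates` above.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"

# snapshot_certs DIR
#   Prints "lineage sha256" for every DIR/<lineage>/fullchain.pem.
snapshot_certs() {
    dir="$1"
    for pem in "$dir"/*/fullchain.pem; do
        [ -f "$pem" ] || continue
        name=$(basename "$(dirname "$pem")")
        sum=$(sha256sum "$pem" | cut -d' ' -f1)
        printf '%s %s\n' "$name" "$sum"
    done
}

# changed_lineages BEFORE_FILE AFTER_FILE
#   Prints the name of every lineage present in BEFORE whose hash differs in
#   AFTER or is missing from AFTER. New lineages that only appear in AFTER are
#   ignored, so a clean run prints nothing.
changed_lineages() {
    before="$1"; after="$2"
    while read -r name sum; do
        [ -n "$name" ] || continue
        new_sum=$(awk -v n="$name" '$1 == n { print $2 }' "$after")
        if [ "$new_sum" != "$sum" ]; then
            printf '%s\n' "$name"
        fi
    done < "$before"
}

# issue_new_cert LINEAGE DOMAIN...
#   Requests a separate lineage for the listed domains only. Existing domains
#   are deliberately not passed, so certbot cannot expand or overwrite their
#   certificate. Returns non-zero if any old lineage changed.
issue_new_cert() {
    lineage="$1"; shift
    before=$(mktemp); after=$(mktemp)
    snapshot_certs "$LIVE_DIR" > "$before"

    args=""
    for d in "$@"; do args="$args -d $d"; done
    # --cert-name fixes the new lineage's name; --nginx installs it into the
    # matching server block and leaves the other server blocks alone.
    # shellcheck disable=SC2086
    certbot --nginx --cert-name "$lineage" $args

    snapshot_certs "$LIVE_DIR" > "$after"
    changed=$(changed_lineages "$before" "$after")
    rm -f "$before" "$after"
    if [ -n "$changed" ]; then
        echo "WARNING: pre-existing lineages changed: $changed" >&2
        return 1
    fi
    # Exercise renewal of every lineage against the staging environment
    # without touching the real certificates.
    certbot renew --dry-run
}

# Usage with assumed names (two new subdomains on one new lineage):
# issue_new_cert subdomain4.redacted2.com subdomain4.redacted2.com subdomain5.redacted2.com
```

The hash check is the part worth keeping even if you prefer to type the certbot command by hand: run snapshot_certs before and after, and an empty result from changed_lineages is the evidence that the four old certificates were not re-issued or modified.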


#3

Many thanks. I will try.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.