Adding domains to and deleting domains from existing certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: enfeedia.com among others

I ran this command: sudo certbot renew --dry-run

It produced this output: --

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Processing /etc/letsencrypt/renewal/enfeedia.com.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache

Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Simulating renewal of an existing certificate for enfeedia.com and 13 more domains
Performing the following challenges:
http-01 challenge for enfeedia.com
http-01 challenge for keligo.com
http-01 challenge for llgorman.com
http-01 challenge for packetstacks.com
http-01 challenge for saddlebrookeranch.org
http-01 challenge for sme62.org
http-01 challenge for storiesofpetsbypetsforpets.com
http-01 challenge for www.enfeedia.com
http-01 challenge for www.keligo.com
http-01 challenge for www.llgorman.com
http-01 challenge for www.packetstacks.com
http-01 challenge for www.saddlebrookeranch.org
http-01 challenge for www.sme62.org
http-01 challenge for www.storiesofpetsbypetsforpets.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/enfeedia.com/fullchain.pem

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Processing /etc/letsencrypt/renewal/sme62.org.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Simulating renewal of an existing certificate for sme62.org
Performing the following challenges:
http-01 challenge for sme62.org
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/sme62.org/fullchain.pem

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Processing /etc/letsencrypt/renewal/www.sme62.org.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Simulating renewal of an existing certificate for www.sme62.org
Performing the following challenges:
http-01 challenge for www.sme62.org

Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/www.sme62.org/fullchain.pem

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all simulated renewals succeeded:

/etc/letsencrypt/live/enfeedia.com/fullchain.pem (success)
/etc/letsencrypt/live/sme62.org/fullchain.pem (success)
/etc/letsencrypt/live/www.sme62.org/fullchain.pem (success)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version): Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version): CentOS Linux release 7.9.2009 (Core)

My hosting provider, if applicable, is: not relevant to question

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

I have certbot successfully installed for a number of domains, with and without
"www", e.g. example1.com, www.example1.com, example2.com, www.example2.com, and so on.

(1) How do I add more domains like the examples above? I'm extremely nervous of causing harm to my stable setup! :face_with_spiral_eyes:

(2) Can I add wildcard domains notwithstanding already having "www" domains, e.g., can I add *.example1.com even though I already have www.example1.com? Do I need to first delete www.example1.com?

(3) How do I even add wildcard domains to the existing certificate? I suspect the best thing is to point me to precise documentation to answer this.

(4) How do I delete selected domains? Ditto about pointing me to documentation.

(5) I don't understand why www.sme62.org was singled out to apparently re-do the challenge/verification given it's already in the list of domains.

(6) Instead of adding domains to the existing certificate, is it better, even possible, to create a new cert for the domain(s) to be added, all on the same server/IP?

Thank you for your help on this. I'm obviously a novice on all things SSL and certs. And here I am contemplating additions/deletions of domains having customers happily presenting their websites to the world. Detailed instructions will be very much appreciated.

Are you speaking of multiple FQDNs on a single certificate?
Or multiple certificates?

Seems to have only 2 FQDNs on its certificate

  1. enfeedia.com
  2. www.enfeedia.com

These are the certificates that have been requested

3 Likes

Do you require the use of one single cert?

Please show:
certbot certificates

4 Likes

Under a single certificate.

But I'm also wondering (and believing) I can have multiple certificates on a single server/IP. In which case I would necessarily(?) have multiple FQDNs.

In fact, you are saying enfeedia.com and www.enfeedia.com are two different FQDNs. And every domain listed for the certificate is a different FQDN. Am I understanding this correctly?

That is correct.

4 Likes

Any explanation for why sme62.org and www.sme62.org got special treatment, so to speak? Why did it apparently have to go through the challenge/verify process twice? This is the first time I've seen that, and I do manual renewal watching the process every time.

Show us that output and we can better understand what is going on.

4 Likes

I do not require a single cert, but that's how it's set up. I think the only benefit is keeping all those sites certs renewed in one fell swoop.

Is there a disadvantage? One I can think of is that there are several domains I no longer need but I have to delete them from the cert to stop paying for a now-useless domain.

I have two new domains that need to either have their own certs or be included in the current one. That's the reason for my inquiring about adding and deleting to the current cert.

The primary FQDN is the CN (Common Name); the primary FQDN and all the other FQDNs need to be in the SAN (Subject Alternative Name).

Yes:
It increases the difficulty of managing the certs.
Anytime you need to add, or delete, a name from it, you must issue a new cert.
[so that doesn't really lessen the amount of issued certs]

And it literally puts all your (cert) eggs into one basket - unnecessary risk.

4 Likes

Ahhh, it looks like sme62.org and www.sme62.org ALSO have their own certificates. I don't recall taking any action that would have caused it. To the best of my knowledge, they were in that one cert from the beginning. They are in the Enfeedia certificate. Two certs for the same FQDN, two cases thereof?

Certificate Name: enfeedia.com
Serial Number: 423397c545bd0bd96b82d002308664f4842
Key Type: RSA
Domains: enfeedia.com keligo.com llgorman.com packetstacks.com saddlebrookeranch.org sme62.org storiesofpetsbypetsforpets.com www.enfeedia.com www.keligo.com www.llgorman.com www.packetstacks.com www.saddlebrookeranch.org www.sme62.org www.storiesofpetsbypetsforpets.com
Expiry Date: 2022-11-25 13:03:11+00:00 (VALID: 83 days)
Certificate Path: /etc/letsencrypt/live/enfeedia.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/enfeedia.com/privkey.pem
Certificate Name: sme62.org
Serial Number: 473a383930b8c8640742bb85bcc1520cd12
Key Type: RSA
Domains: sme62.org
Expiry Date: 2022-11-27 15:36:15+00:00 (VALID: 85 days)
Certificate Path: /etc/letsencrypt/live/sme62.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/sme62.org/privkey.pem
Certificate Name: www.sme62.org
Serial Number: 4524d9f4c8fdd3b61b6d7f2d51771bb3a09
Key Type: RSA
Domains: www.sme62.org
Expiry Date: 2022-11-27 15:35:24+00:00 (VALID: 85 days)
Certificate Path: /etc/letsencrypt/live/www.sme62.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.sme62.org/privkey.pem

And they still are.
But they now also have their own separate certs.

4 Likes

Is that good or bad or doesn't matter?

Just a thought experiment -- If I deleted/removed their own separate certs, would things continue to run as normal, because they are in the enfeedia cert?

It's definitely confused/confusing, so, I'd have to say NOT good.

That depends.
If they are being used and you delete them, then things may break.
So, first make sure you are not using anything you plan on deleting.

4 Likes

I'm hoping someone can point me to the detailed authoritative instructions, hopefully with examples, as to

  1. Adding a domain to an existing cert
  2. Deleting a domain from an existing cert
  3. Adding a wildcard domain, e.g. membership.example.com where the www version is already in the cert. Do I have to delete the www version first?

I'm deadly afraid of screwing this up and not knowing how to unwind an error I might have made. I need to delete some because they are not used but I will need to keep paying for the domain to avoid falling into a deep hole.

See:
https://eff-certbot.readthedocs.io/en/stable/using.html

A1. --expand
A2. --allow-subset-of-names
A3. A wildcard entry in an FQDN will cover all possible entries for that field.
So, yes, "*.example.com" will conflict with "www.example.com" - since they both have 3 fields.
[but "*.example.com" won't conflict with "www.sub.example.com" - different number of fields]

4 Likes
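The rule in A3 as a runnable check, added here as an example and not code from the thread or from certbot: a public-CA wildcard is a lone `*` as the leftmost label and matches exactly one label (RFC 6125 section 6.4.3), so `*.example.com` covers `www.example.com` but neither `example.com` nor `www.sub.example.com`. `covers` and `redundant_names` are function names of my own, and the name list at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: which existing FQDNs a wildcard covers.
# A wildcard is "*." followed by a suffix; it matches exactly one label in
# front of that suffix, never zero labels and never more than one.

# covers PATTERN NAME: exit 0 if PATTERN (wildcard or plain FQDN) covers NAME.
covers() {
  pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names compare case-insensitively
  name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$pattern" in
    '*.'*)
      suffix=${pattern#\*.}                       # "*.example.com" -> "example.com"
      case "$name" in
        *".$suffix")
          leftmost=${name%".$suffix"}             # whatever sits in front of ".suffix"
          case "$leftmost" in
            ''|*.*|*'*'*) return 1 ;;             # empty, more than one label, or itself a wildcard
            *) return 0 ;;
          esac ;;
        *) return 1 ;;                            # different suffix, or the bare apex
      esac ;;
    *) [ "$pattern" = "$name" ] ;;                # plain FQDN: exact match only
  esac
}

# redundant_names WILDCARD "NAME NAME ...": print the existing names that the
# wildcard would cover, one per line; these are the A3 "conflicts".
redundant_names() {
  wildcard=$1
  for existing in $2; do
    if covers "$wildcard" "$existing"; then
      printf '%s\n' "$existing"
    fi
  done
}

# Stand-alone run on a constructed list mirroring the thread's example1.com case.
redundant_names '*.example1.com' 'example1.com www.example1.com blog.example1.com www.sub.example1.com'
```

On the constructed list this prints www.example1.com and blog.example1.com; example1.com (zero labels in front) and www.sub.example1.com (two labels) stay. When issuing the wildcard certificate, leave the reported names out of the `-d` list and keep the apex and any deeper names, as A3 describes.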

Nice tight answer. :slight_smile: Much appreciated.

I assume there is nothing about my letsencrypt account that disallows me including wildcard domains. I vaguely recall the free membership did not support getting certs for wildcard domains. Comments?

1 Like

All accounts can get wildcard certs.
But they do require DNS-01 authentication - which is quite different (and more complicated) than HTTP-01 authentication.

4 Likes

Let's Encrypt does not have memberships and only offers free certificates, including wildcard certs.

6 Likes

Thanks! I guess that’s why it was vague. ;/

Something in my memory about not being able to get wild card domains, but it’s great to hear my memory sucks.

2 Likes