Adding domains to current certificate

Hey everyone,

I have a CentOS7 server with nginx running. I have two domains on a certificate currently and want to add an additional two domains now at a later date. How can I add them in?

I have tried running --expand as specified in the documentation:

certbot --expand -d current.net -d blog.current.net -d www.current.net -d newdomain.io -d www.newdomain.io

of which it returns the following error:

Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

I’ve also tried creating a new certificate for just the new domains.

sudo certbot certonly -d newdomain.io -d www.newdomain.io

Which seems to be working but I noticed when it goes through the certification it returns

Renewal conf file /etc/letsencrypt/renewal/newdomain.io.conf is broken. Skipping.

and after relaunching nginx nothing seems to have changed.

I’m a little stumped here, I thought --expand would be the way to go but it doesn’t look like it will let me run it.

Thank you in advance!

Hi @user1034934234,

Could you post the contents of the file that Certbot is saying is broken?

@schoen So I should be ignoring/not worrying about running the --expand option?

Okay, so I tried opening the file, and no wonder it's broken. It had no contents in the file at all, i'm not sure why that is? I did also notice that there was a newdomain.io-0001.conf file as well. This one has contents inside of it and I will paste them below:

```ini
# renew_before_expiry = 30 days
version = 0.9.3
cert = /etc/letsencrypt/live/newdomain.io-0001/cert.pem
privkey = /etc/letsencrypt/live/newdomain.io-0001/privkey.pem
chain = /etc/letsencrypt/live/newdomain.io-0001/chain.pem
fullchain = /etc/letsencrypt/live/newdomain.io-0001/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 62f3099187531d92b9c15bd17ebc7872
[[webroot_map]]
newdomain.io = /var/www/newdomain.io/html
www.newdomain.io = /var/www/newdomain.io/html
```

Okay, I tried copying the contents from the -0001.conf to the empty one.
I then ran the above command with no errors and it showed success. I reloaded nginx and still showing not secure for the domain.

The contents of newdomain.io.conf file are below (I just removed the -0001 from the path names):

```ini
# renew_before_expiry = 30 days
version = 0.9.3
cert = /etc/letsencrypt/live/newdomain.io/cert.pem
privkey = /etc/letsencrypt/live/newdomain.io/privkey.pem
chain = /etc/letsencrypt/live/newdomain.io/chain.pem
fullchain = /etc/letsencrypt/live/newdomain.io/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 62f3099187531d92b9c15bd17ebc7872
[[webroot_map]]
newdomain.io = /var/www/newdomain.io/html
www.newdomain.io = /var/www/newdomain.io/html
```

That is going to horribly confuse Certbot unless you also removed the -0001 everywhere that it appeared (which maybe is what you were saying that you did—I'm not sure whether you meant that you removed it in the file itself or just in the version that you posted here).

Basically the

Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

is the most likely explanation for the fact that your new domain still doesn't appear in HTTPS. Configuring nginx to use a certificate is a separate, independent step from obtaining the certificate. (When you obtain the certificate, it's just a file on disk and nginx doesn't know about it—even if you configured it in one virtual host, nginx doesn't automatically realize that it should be used for other virtual hosts too!) So, you would need to edit your virtual host configuration for the insecure host to point it at this certificate in the way that you may have done with your original certificate.

Because of the issue about the -0001, I would suggest running certbot certificates to see which certificates you have and see if they match up with your expectations, as well as whether one or both is actually used by nginx. You can potentially delete the one that isn't the one that you wanted, in order to reduce future potential confusion (the recommended way is to use certbot delete, after using a grep -r in /etc/nginx to make sure that there are no references to the certificate that you're planning to delete).
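The two checks suggested above (does each renewal conf describe the lineage its filename names, and which lineages does nginx actually reference before you `certbot delete` one) can be scripted. This is an added example, not Certbot's code or anything posted in the thread. The renewal conf contents and the trimmed ssl.conf below are constructed to mirror what was posted; the only structural assumption is Certbot's real `/etc/letsencrypt/live/<lineage>/` layout and the `<lineage>.conf` naming under `/etc/letsencrypt/renewal/`.

```python
"""Sanity-check certbot renewal confs and list which lineages nginx really uses."""
from pathlib import PurePosixPath
import re

# Constructed sample of /etc/letsencrypt/renewal/ as described in the thread:
# an empty newdomain.io.conf and a populated newdomain.io-0001.conf.
RENEWAL_CONFS = {
    "newdomain.io.conf": "",
    "newdomain.io-0001.conf": """\
# renew_before_expiry = 30 days
version = 0.9.3
cert = /etc/letsencrypt/live/newdomain.io-0001/cert.pem
privkey = /etc/letsencrypt/live/newdomain.io-0001/privkey.pem
chain = /etc/letsencrypt/live/newdomain.io-0001/chain.pem
fullchain = /etc/letsencrypt/live/newdomain.io-0001/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
[[webroot_map]]
newdomain.io = /var/www/newdomain.io/html
www.newdomain.io = /var/www/newdomain.io/html
""",
}

# Constructed: the certificate-related lines of the posted ssl.conf.
NGINX_CONF = """\
server {
    listen 443 http2 ssl;
    server_name olddomain.net www.olddomain.net newdomain.io www.newdomain.io;
    ssl_certificate /etc/letsencrypt/live/olddomain.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/olddomain.net/privkey.pem;
}
"""

REQUIRED_KEYS = ("cert", "privkey", "chain", "fullchain")


def parse_renewal_conf(text):
    """Split a renewal conf into its top-level keys, [renewalparams] and [[webroot_map]]."""
    top, params, webroot = {}, {}, {}
    section = top
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[[webroot_map]]":
            section = webroot
        elif line == "[renewalparams]":
            section = params
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            section[key] = value
    return top, params, webroot


def check_renewal_conf(filename, text):
    """Return a list of problems; an empty list means the conf is internally consistent."""
    if not text.strip():
        return ["empty file (certbot reports this as 'broken')"]
    lineage = PurePosixPath(filename).stem        # newdomain.io-0001.conf -> newdomain.io-0001
    top, params, webroot = parse_renewal_conf(text)
    problems = []
    for key in REQUIRED_KEYS:
        path = top.get(key)
        if path is None:
            problems.append(f"missing {key}")
            continue
        found = PurePosixPath(path).parent.name   # the lineage the path really points at
        if found != lineage:
            problems.append(f"{key} points at lineage {found!r}, file is for {lineage!r}")
    if params.get("authenticator") == "webroot" and not webroot:
        problems.append("webroot authenticator without a [[webroot_map]]")
    return problems


_SSL_CERT_RE = re.compile(r"^\s*ssl_certificate(?:_key)?\s+(\S+?);", re.M)


def lineages_used_by_nginx(conf_text):
    """Lineage names referenced by ssl_certificate/ssl_certificate_key directives
    (the scripted form of `grep -r letsencrypt/live /etc/nginx`)."""
    names = set()
    for path in _SSL_CERT_RE.findall(conf_text):
        parts = PurePosixPath(path).parts
        if "live" in parts:
            names.add(parts[parts.index("live") + 1])
    return names


def safe_to_delete(renewal_confs, nginx_conf):
    """Lineages that have a renewal conf but that nothing in nginx references."""
    configured = {PurePosixPath(name).stem for name in renewal_confs}
    return sorted(configured - lineages_used_by_nginx(nginx_conf))


if __name__ == "__main__":
    for name, text in RENEWAL_CONFS.items():
        print(name, check_renewal_conf(name, text) or "ok")
    print("used by nginx:", lineages_used_by_nginx(NGINX_CONF))
    print("unreferenced, candidates for certbot delete:", safe_to_delete(RENEWAL_CONFS, NGINX_CONF))
```

Feeding the populated `-0001` contents in under the name `newdomain.io.conf`, as the hand-edit in the thread did before the paths were changed, makes every one of the four path checks fail, which is exactly the confusion Certbot would have run into. Note that with the posted ssl.conf neither `newdomain.io` lineage is referenced by nginx at all, which is why the new certificate on disk changed nothing in the browser.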

@schoen Thanks for the help!

Regarding the 0001.conf and possible confusion. Yes, that is what I was trying to say I did. I deleted the 0001.conf file and moved the contents to the empty one and removed the -0001 from everywhere.

I have tried running certbot certificates but it is returning:
certbot: error: unrecognized arguments: certificates :confused:

What you are saying does make sense though and I have made some progress!
Within my /etc/nginx/conf.d path I have a ssl.conf file.
I have added in my new domain to the server_name and voila it is now showing up as secured!
But there is one issue still. When I load the new domain, although it is secured, it is showing the content of the other domains.
When I look inside the ssl.conf I see in the server block for the root path, ssl_certificate and ssl_certificate_key it is set to the other domain. Is it possible to add two paths?

Below is the content within ssl.conf domains have been changed to olddomain and newdomain

```nginx
server {
    listen 443 http2 ssl;

    server_name olddomain.net www.olddomain.net olddomain.ca www.olddomain.ca newdomain.io www.newdomain.io;

    ssl_certificate /etc/letsencrypt/live/olddomain.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/olddomain.net/privkey.pem;

    ########################################################################
    # from https://cipherli.st/                                            #
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html #
    ########################################################################

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Disable preloading HSTS for now.  You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    ##################################
    # END https://cipherli.st/ BLOCK #
    ##################################

    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    location ~ /.well-known {
        allow all;
    }

    # The rest of your server block
    root /var/www/olddomain.net/html;
    index index.php index.html index.htm;

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```

Thanks again for the help @schoen :slight_smile:

In that case you have a pretty old Certbot, which might also explain why it can't install this certificate in nginx for you.

It looks like what you did was to combine all of your virtual hosts into one configuration stanza (that server { ... block inside your ssl.conf file that you posted).

In order to have domains show different content, they need to be the subjects of separate server { directives in nginx. That is true even if they are HTTPS sites and even if they are covered by the same certificate. You would need to make one server block for the old domain and a separate server block for the new domain, while both can point to the same fullchain.pem and privkey.pem file if your certificate now covers both domains. Then, the other directives such as root that tell nginx where to look for the site content can be different between one server and another.

There are more advanced nginx configuration techniques that could in principle allow only a single server block (where there would be conditional directives that change the document root according to what domain name was accessed), but I would not suggest trying to figure any of that stuff out, but instead simply making separate server blocks for each separate domain with separate content.

nginx is able to figure out which server block is applicable to a particular inbound connection on the basis of the specified hostname (in SNI for HTTPS or using the Host: header for HTTP) even when the various server blocks request listening on the same port number and same IP address.
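To make the point concrete, here is an added example (not from the thread and not nginx's own code) that models how nginx chooses a `server { }` block for a connection from the SNI hostname, and shows why the single combined block returns olddomain.net's content for newdomain.io while two blocks sharing one certificate do not. Both config strings are constructed: `COMBINED` is a trimmed copy of the posted ssl.conf, and `SPLIT` assumes the olddomain.net lineage has been expanded to cover newdomain.io so both blocks can point at the same `fullchain.pem` and `privkey.pem`. The matching rules implemented (exact name, then longest `*.` wildcard, then longest `.*` wildcard, else the first block on the socket) are nginx's documented order for plain names; regex `server_name` entries and multiple listen sockets are deliberately left out.

```python
"""Model nginx server-block selection by SNI hostname over constructed configs."""
import re

# Constructed: the shape of the single-block ssl.conf posted in the thread.
COMBINED = """\
server {
    listen 443 http2 ssl;
    server_name olddomain.net www.olddomain.net newdomain.io www.newdomain.io;
    ssl_certificate /etc/letsencrypt/live/olddomain.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/olddomain.net/privkey.pem;
    root /var/www/olddomain.net/html;
}
"""

# Constructed: the same sites as one block per domain, sharing one certificate
# (assumes the olddomain.net lineage was expanded to cover newdomain.io).
SPLIT = """\
server {
    listen 443 http2 ssl;
    server_name olddomain.net www.olddomain.net;
    ssl_certificate /etc/letsencrypt/live/olddomain.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/olddomain.net/privkey.pem;
    root /var/www/olddomain.net/html;
}
server {
    listen 443 http2 ssl;
    server_name newdomain.io www.newdomain.io;
    ssl_certificate /etc/letsencrypt/live/olddomain.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/olddomain.net/privkey.pem;
    root /var/www/newdomain.io/html;
}
"""

# ssl_certificate_key is excluded because \s+ must follow "ssl_certificate" directly.
_DIRECTIVE_RE = re.compile(r"^\s*(server_name|root|ssl_certificate)\s+([^;]+);", re.M)


def parse_servers(conf):
    """Return one dict per top-level server{} block. A brace-depth scan is used so
    nested location{} blocks do not terminate the server block early."""
    servers, depth, start = [], 0, None
    for i, ch in enumerate(conf):
        if ch == "{":
            if depth == 0 and conf[:i].rstrip().endswith("server"):
                start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0 and start is not None:
                directives = dict(_DIRECTIVE_RE.findall(conf[start:i]))
                servers.append({
                    "names": directives.get("server_name", "").split(),
                    "root": directives.get("root"),
                    "cert": directives.get("ssl_certificate"),
                })
                start = None
    return servers


def pick_server(servers, sni_host):
    """nginx name matching for one listen socket: exact name, then the longest
    leading-wildcard name, then the longest trailing-wildcard name, otherwise the
    first block (nginx's default_server when none is marked)."""
    host = sni_host.lower()
    for server in servers:
        if host in server["names"]:
            return server

    def best(is_wild, matches):
        candidates = [(len(name), server) for server in servers
                      for name in server["names"] if is_wild(name) and matches(name)]
        return max(candidates, key=lambda c: c[0])[1] if candidates else None

    hit = best(lambda n: n.startswith("*."), lambda n: host.endswith(n[1:]))
    if hit is None:
        hit = best(lambda n: n.endswith(".*"), lambda n: host.startswith(n[:-1]))
    return hit or servers[0]


def content_root_for(conf, sni_host):
    """Which document root a TLS client presenting sni_host ends up served from."""
    return pick_server(parse_servers(conf), sni_host)["root"]


if __name__ == "__main__":
    for label, conf in (("combined", COMBINED), ("split", SPLIT)):
        print(label, "newdomain.io ->", content_root_for(conf, "newdomain.io"))
```

With `COMBINED`, `newdomain.io` matches the only block and therefore gets `/var/www/olddomain.net/html`, which is the symptom reported above. With `SPLIT`, the same hostname selects the second block and its own `root`, while `parse_servers` shows both blocks reference the one `fullchain.pem`. A hostname that matches no `server_name` falls through to the first block, so the default site should be one you are happy to expose to clients that send an unexpected SNI value.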

Okay, great!
So I can duplicate that full block above and place it under the initial block within the same ssl.conf file and that should do the trick? Will try when I get home to see if it worked, just wanted to confirm that I am understanding it correctly.

Thanks :slight_smile:

It’s become more fashionable to put the server blocks in separate files because it makes it easier to enable and disable individual sites and to see which sites you have (particularly on servers that may host dozens or hundreds of different sites). But yes!

Of course, you need to make the root point to the document root for the other domain, or apply any other configuration directives that make the domains’ behavior different from one another.

Also, we’re wondering about the reason for the empty renewal configuration file. If you don’t know why it was empty, would you be willing to share your logs from /var/log/letsencrypt in case they might reveal the reason?
