Adding Domains to existing Certificate using SAN?

Hello,

I am trying to add about 24 domains to an existing certificate; all of these domains point to the same site (as in hosted files), so I figure using SANs (Subject Alternative Names) is the way to go.

Am I headed in the right direction? What commands do I use?

I have searched the documentation and cannot find much about SAN and how to add domains to existing certificates.

Thank you for any help, details below:


My domain with a currently valid and working SSL cert is: visitorcentre.com.au
An example domain I want to add to it is: bestofvictoria.com.au

My web server is (include version): Ubuntu1804

The operating system my web server runs on is (include version): Not sure, Linux?

My hosting provider, if applicable, is: Onsite at my office

I can login to a root shell on my machine (yes or no, or I don’t know): No, but I have SSH admin account.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0


There’s a bit of info here: https://certbot.eff.org/docs/using.html#changing-a-certificate-s-domains

Since your web server is Apache, taking the example from the link above, you will probably want to replace the certonly part of the command with --apache.

So your final command would look something like:

certbot --apache --cert-name visitorcentre.com.au \
-d visitorcentre.com.au -d www.visitorcentre.com.au \
-d bestofvictoria.com.au -d www.bestofvictoria.com.au

You need to list every single SAN you want to appear on the certificate - not just the ones you’re adding.

Before you run the above, could you help confirm some information about your environment, to ensure that this is the right approach?

certbot certificates
grep -E "(authenticator|installer)" /etc/letsencrypt/renewal/visitorcentre.com.au.conf
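The rule above (every SAN must be listed, not just the new ones) is the one people most often get wrong: re-running certbot with only the new names would issue a certificate without the names already on it. As an added example that is not part of the thread, the following POSIX shell snippet reads the names from the text that `openssl x509 -in /etc/letsencrypt/live/NAME/cert.pem -noout -ext subjectAltName` prints, merges them with the domains to be added, and builds the full certbot command string so nothing is dropped. The sample subjectAltName text is constructed for illustration; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: build the complete certbot
# command from the SANs already on the certificate plus the domains to add.

# Constructed sample of what `openssl x509 -noout -ext subjectAltName` prints
# for the thread's current certificate.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:visitorcentre.com.au, DNS:www.visitorcentre.com.au'

# san_names: print one DNS name per line from subjectAltName text ($1).
san_names() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# merge_domains: current SAN text in $1, domains to add in the remaining
# arguments; prints the union, deduplicated, in order of first appearance.
merge_domains() {
    current="$1"; shift
    { san_names "$current"; printf '%s\n' "$@"; } | awk 'NF && !seen[$0]++'
}

# certbot_cmd: $1 = --cert-name, $2 = current SAN text, rest = domains to add.
# Prints the command; it does not run it.
certbot_cmd() {
    name="$1"; current="$2"; shift 2
    cmd="certbot --apache --cert-name $name"
    for d in $(merge_domains "$current" "$@"); do
        cmd="$cmd -d $d"
    done
    printf '%s\n' "$cmd"
}

# Stand-alone run: print the command that would add the thread's example domain.
certbot_cmd visitorcentre.com.au "$SAMPLE_SAN" bestofvictoria.com.au www.bestofvictoria.com.au
```

Run the printed command only after eyeballing it; if a name you expected is missing from the output, it was not on the current certificate either, which is worth knowing before the renewal configuration is rewritten.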

Thanks so much!

I will get back to you soon; I just attempted to run the certbot certificates command and it seems I need root access, which I don’t currently have. I will get back to you as soon as I have it!

Thanks heaps!


Okay, I have root access. I ran the following Command:

certbot certificates

And got this output:

root@Ubuntu1804:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/iconcierge.net.au.conf produced an unexpected error: expected /etc/letsencrypt/live/iconcierge.net.au/cert.pem to be a symlink. Skipping.
Revocation status for /etc/letsencrypt/live/apps.itourism.com.au/cert.pem is unknown

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: apps.itourism.com.au
Domains: apps.itourism.com.au
Expiry Date: 2019-10-07 06:04:03+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/apps.itourism.com.au/fullchain.pem
Private Key Path: /etc/letsencrypt/live/apps.itourism.com.au/privkey.pem
~|~ [redacted(just had other domains here id prefer to keep private)] ~|~
Certificate Name: iconcierge.net.au-0002
Domains: *.iconcierge.net.au apps.itourism.com.au
Expiry Date: 2020-01-12 01:18:41+00:00 (VALID: 33 days)
Certificate Path: /etc/letsencrypt/live/iconcierge.net.au-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/iconcierge.net.au-0002/privkey.pem
  Certificate Name: visitorcentre.com.au
    Domains: visitorcentre.com.au www.visitorcentre.com.au
    Expiry Date: 2020-02-25 06:09:57+00:00 (VALID: 78 days)
    Certificate Path: /etc/letsencrypt/live/visitorcentre.com.au/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/visitorcentre.com.au/privkey.pem

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/iconcierge.net.au.conf

And then I ran:

grep -E "(authenticator|installer)" /etc/letsencrypt/renewal/visitorcentre.com.au.conf

And got this output:

installer = apache
authenticator = apache

Thanks for the help! I am out of my depth with this stuff (just a basic PHP developer, no experience with Ubuntu)!


Looks good. The command I suggested earlier should work for your purposes.

As I described earlier, you'll need to extend the command with -d example.org -d www.example.org for all 24 domains that point to the same site.

It may be prudent to take a backup of your Apache configuration, so that you have some ability to roll back, if the effect is not the one you wanted.

tar zcf /root/apache-backup-$(date "+%s").tar.gz /etc/apache2

These look concerning:

Please show:
ls -l /etc/letsencrypt/live/iconcierge.net.au/
grep -R /etc/letsencrypt/live/apps.itourism.com.au/privkey.pem /etc/apache2/


Firstly, _az, that worked perfectly as expected. I have only done 1 domain (so if anything breaks it doesn’t affect too much). I will do the other domains tomorrow.
Thank you so much, your help is indispensable.

rg305.

First command:

ls -l /etc/letsencrypt/live/iconcierge.net.au/ 

Result:

total 4
lrwxrwxrwx 1 root    root      41 Oct 14 02:13 cert_old.pem -> ../../archive/iconcierge.net.au/cert7.pem
lrwxrwxrwx 1 root    root      42 Oct 14 02:13 chain_old.pem -> ../../archive/iconcierge.net.au/chain7.pem
lrwxrwxrwx 1 root    root      46 Oct 14 02:13 fullchain_old.pem -> ../../archive/iconcierge.net.au/fullchain7.pem
lrwxrwxrwx 1 root    root      44 Oct 14 02:13 privkey_old.pem -> ../../archive/iconcierge.net.au/privkey7.pem
-rwxrwxrwx 1 abraham www-data 692 Jul  9 07:02 README

Command

grep -R /etc/letsencrypt/live/apps.itourism.com.au/privkey.pem /etc/apache2/

Result:

grep: /etc/apache2/sites-enabled/https.conf: No such file or directory

I hope this makes sense to someone, coz it don’t make no sense to me! :S

Thanks heaps for the help, both of you!

Why do all the files in the /live/ folder have _old in them?

No, this isn’t making much sense… (yet).

Please show:
ls -l /etc/apache2/sites-enabled/

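The `_old` suffixes are why certbot reported "expected /etc/letsencrypt/live/iconcierge.net.au/cert.pem to be a symlink": certbot looks for exactly `cert.pem`, `chain.pem`, `fullchain.pem` and `privkey.pem` in each live directory, each a symlink into the matching archive directory. As an added example (not from the thread), the POSIX shell functions below check a live directory for those four links and report any that are missing, not symlinks, or dangling; `make_fixture` builds a scratch copy of both states seen in this thread so the check can be tried without touching /etc/letsencrypt. Function names and the scratch layout are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: health check for a certbot
# live directory, reproducing the condition behind the error posted above.

# check_live_dir: $1 = path to a live/NAME directory. Prints one line per
# problem and returns 0 only when all four expected links are healthy.
check_live_dir() {
    dir="$1"; rc=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        p="$dir/$f"
        if [ ! -L "$p" ]; then
            echo "MISSING-OR-NOT-SYMLINK: $p"; rc=1
        elif [ ! -e "$p" ]; then
            echo "DANGLING: $p -> $(readlink "$p")"; rc=1
        fi
    done
    return $rc
}

# live_dir_ok: quiet variant for use in scripts (exit status only).
live_dir_ok() { check_live_dir "$1" >/dev/null; }

# make_fixture: $1 = scratch root. Builds a constructed letsencrypt-style tree
# with one healthy certificate ("good") and one whose links were renamed to
# *_old ("broken"), mirroring the ls output in the thread. Not real key material.
make_fixture() {
    root="$1"
    mkdir -p "$root/archive/good" "$root/live/good" "$root/archive/broken" "$root/live/broken"
    for f in cert chain fullchain privkey; do
        echo "dummy $f" > "$root/archive/good/${f}1.pem"
        ln -s "../../archive/good/${f}1.pem" "$root/live/good/$f.pem"
        echo "dummy $f" > "$root/archive/broken/${f}7.pem"
        ln -s "../../archive/broken/${f}7.pem" "$root/live/broken/${f}_old.pem"
    done
}

# Stand-alone run against the scratch tree. On a real host you would instead run:
#   check_live_dir /etc/letsencrypt/live/iconcierge.net.au
scratch=$(mktemp -d)
make_fixture "$scratch"
check_live_dir "$scratch/live/good" && echo "good: OK"
check_live_dir "$scratch/live/broken" || echo "broken: problems found"
rm -rf "$scratch"
```

A directory that fails this check should be repaired (or the renewal config removed) rather than ignored, because certbot skips it at renewal time and the certificate Apache is serving will silently expire.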

Sure thing mate!

I ran:

ls -l /etc/apache2/sites-enabled/

Output:

total 0
lrwxrwxrwx 1 root root 28 Feb  7  2019 http.conf -> ../sites-available/http.conf
lrwxrwxrwx 1 root root 29 Feb  7  2019 https.conf -> ../sites-available/https.conf

No idea why they have _old in them, this was all setup by someone else :confounded:

Thanks heaps for the help. About to add another 8 domains to my certificate… hope it goes well.


Okay, all domains are added! Thanks so much!

Is this _old thing and the few errors I posted earlier something I should worry about?

