Adding SAN to a certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: spirit.org

I ran this command: certbot --apache

It produced this output: A certificate for my website: https://www.spirit.org

My web server is (include version): apache2-2.4.25

The operating system my web server runs on is (include version): debian stretch

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

However, someone tried to connect to https://spirit.org, and got an error since I didn’t have that as a SAN. My question is, do I need to reissue the certificate with a SAN, or can I modify the one that I have, and if so, how would I do so?

Thanks for any help and/or advice.

Hi @jfgodfrey

do you have a correct vHost?

What says

apachectl -S

Add a

ServerAlias spirit.org

Then use

certbot certificates

to see your current certificate.

If the vHost is correct, use

certbot -d spirit.org -d www.spirit.org --cert-name [nameofyourcertificate]

to overwrite the existing certificate.

PS: Yep, there is a certificate with only the www version:

CN=www.spirit.org, 13.08.2019 - 11.11.2019, expires in 30 days, www.spirit.org - 1 entry
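As an added illustration (not code from the thread or from Certbot), the following implements the hostname-to-SAN matching rule a browser applies, which is why a certificate listing only www.spirit.org is rejected for https://spirit.org and why a wildcard would not help either; the name lists are constructed from the thread.

```python
"""Check which of the names you serve are covered by a certificate's SANs.

Added example: RFC 6125-style dNSName matching as browsers apply it.
The SAN lists below are constructed from the thread, not read from a cert.
"""
from __future__ import annotations


def hostname_matches_san(hostname: str, san: str) -> bool:
    """Return True if the dNSName entry `san` covers `hostname`."""
    host_labels = hostname.lower().rstrip(".").split(".")
    san_labels = san.lower().rstrip(".").split(".")
    if "*" not in san:
        # Non-wildcard names must match label for label (case-insensitive).
        return host_labels == san_labels
    # Browser wildcard rules: only the leftmost label may be a wildcard, it
    # must be the whole label, and it matches exactly one label. So
    # *.spirit.org covers www.spirit.org but never the bare spirit.org.
    if san_labels[0] != "*" or any("*" in lbl for lbl in san_labels[1:]):
        return False
    if len(san_labels) < 3:  # refuse over-broad wildcards such as *.org
        return False
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def cert_covers(hostname: str, sans: list[str]) -> bool:
    """True if any SAN entry on the certificate covers `hostname`."""
    return any(hostname_matches_san(hostname, s) for s in sans)


def missing_names(wanted: list[str], sans: list[str]) -> list[str]:
    """Names you intend to serve that the certificate does not cover.

    A non-empty result means the certificate must be reissued with those
    names added as SANs; an existing certificate cannot be edited in place.
    """
    return [h for h in wanted if not cert_covers(h, sans)]


if __name__ == "__main__":
    wanted = ["spirit.org", "www.spirit.org"]
    old_cert_sans = ["www.spirit.org"]                   # from the PS above
    new_cert_sans = ["spirit.org", "www.spirit.org"]     # after reissuing
    print("old cert is missing:", missing_names(wanted, old_cert_sans))
    print("new cert is missing:", missing_names(wanted, new_cert_sans))
    print("*.spirit.org covers spirit.org?",
          hostname_matches_san("spirit.org", "*.spirit.org"))
```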

Juergen,
Your instructions were perfect! Followed the steps (learned in the process), and can now connect to https://spirit.org without certificate errors.

P.S. Like your ps, I wanted to know what cmd you ran to get your output?
thanks again!
john


I’ve checked your domain with my online tool - https://check-your-website.server-daten.de/?q=spirit.org#certificates

It’s the certificates part.

The tool is online, you can use it. Most ideas added are from this forum.

Thanks Juergen! I appreciate your making your work available. Do you think I should somehow revoke the old certs, like the ones from startcom (no longer in business for certs, afaik)?

Juergen, what’s your recommended way to enable TLS 1.2 for my setup?

Thanks!
john

No, there is no need to revoke certificates if the private key isn’t stolen.

In the last check of your domain, TLS 1.2 is enabled.

You’re right. I think it was because I saw something in the test that was run about TLS 1.2. I’ll recheck.