Adding SAN to a certificate

jfgodfrey · October 12, 2019, 3:06pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: spirit.org

I ran this command: cerbot --apache

It produced this output: A certificate for my website: https://www.spirit.org

My web server is (include version): apache2-2.4.25

The operating system my web server runs on is (include version): debian stretch

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

However, someone tried to connect to https://spirit.org, and got an error since I didn’t have that as a SAN. My question is, do I need to reissue the certificate with a SAN, or can I modify the one that I have, and if so, how would I do so.

Thanks for any help and or advice.

JuergenAuer · October 12, 2019, 3:29pm

Hi @jfgodfrey

do you have a correct vHost?

What says

apachectl -S

Add a

ServerAlias spirit.org

Then use

certbot certificates

to see your current certificate.

If the vHost is correct, use

certbot -d spirit.org -d www.spirit.org --cert-name [nameofyourcertificate]

to overwrite the existing certificate.

PS: Yep, there is a certificate with only the www version:

CN=www.spirit.org
	13.08.2019
	11.11.2019
expires in 30 days	www.spirit.org - 1 entry

jfgodfrey · October 12, 2019, 4:14pm

Juergen,
Your instructions were perfect! Followed the steps (learned in the process), and can now connect to https://spirit.org without certificate errors.

P.S. Like your ps, I wanted to know what cmd you ran to get your output?
thanks again!
john

JuergenAuer · October 12, 2019, 5:05pm

I've checked your domain with my online tool - https://check-your-website.server-daten.de/?q=spirit.org#certificates

It's the part of the certificates.

The tool is online, you can use it. Most ideas added are from this forum.

jfgodfrey · October 12, 2019, 6:30pm

Thanks Juergen! I appreciate your making your work available. Do you think I should somehow revoke the old certs, like the ones from startcom (no longer in business for certs, afaik)?

jfgodfrey · October 12, 2019, 7:51pm

Juergen, what’s your recommended way to enable TLS 1.2 for my setup?

Thanks!
john

JuergenAuer · October 12, 2019, 7:58pm

No, there is no need to revoke certificates if the private key isn't stolen.

The last check of your domain - there is Tls.1.2 enabled.

jfgodfrey · October 12, 2019, 8:24pm

You’re right. I think it was because I saw something in the test that was run about TLS 1.2. I’ll recheck.

system · November 11, 2019, 8:24pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.