Adding subdomains doesn't change configuration


#1

Hi and, first of all, a big THANKS for your service!

Ok, I validated www.metal3d.org and metal3d.org and it worked like a charm. Later, I needed to add examples.metal3d.org, so I relaunched the command, adding the “examples” subdomain on the command line.

The client says that I already have a configuration and certificates and asks me if I’m ok to overwrite them. I confirmed and the certificates were recreated. My subdomain is now working.

But I reopened /etc/letsencrypt/renewal/metal3d.org.conf and saw that the “examples” subdomain was not added. I added it manually, but… will this work when I renew the certificates?

Thanks.


#2

I’m in the same situation. I also had to edit the same file manually.
I couldn’t test after that (because I generated too many certificates for this week).
I think that is a small bug to correct.


#3

Can you provide the commands you used, and your setup?

The system generally works for domains and subdomains, so I’m guessing there is something about the route by which you produced them.


#4

I guess the devs are aware of this.

Rundown of a quick inspection on GitHub: after asking “Do you want to replace this existing certificate with the new certificate” at line 213 in cli.py, the function returns to its caller at line 315 and enters the if block in which we can find the following, at line 332:
# TODO: Also update lineage renewal config with any relevant
# configuration values from this attempt? <- Absolutely (jdkasten)

And indeed, the other functions in there only renew the certificate but never interact with the renewal config file.

I have no idea if this is an easy feature to implement, though ConfigObj does include a merge function that could maybe be used for things like this :smile:

EDIT: Changed the GitHub link from master to the latest cli.py commit as of the time of writing, for future-proofing.


#5

Yes, I did this:

service nginx stop;
./letsencrypt-auto certonly --agree-tos --standalone --email metal3d@gmail.com \
-d metal3d.org \
-d www.metal3d.org
service nginx start;

That worked (after having changed my nginx configuration). Then, one day later, I did:

service nginx stop;
./letsencrypt-auto certonly --standalone --email metal3d@gmail.com \
-d metal3d.org \
-d www.metal3d.org \
-d examples.metal3d.org
service nginx start;

That added the “examples” subdomain.

The configuration (/etc/letsencrypt/renewal/metal3d.org.conf), after I added the subdomain myself, is:

cert = /etc/letsencrypt/live/metal3d.org/cert.pem
privkey = /etc/letsencrypt/live/metal3d.org/privkey.pem
chain = /etc/letsencrypt/live/metal3d.org/chain.pem
fullchain = /etc/letsencrypt/live/metal3d.org/fullchain.pem

# Options and defaults used in the renewal process
[renewalparams]
apache_enmod = a2enmod
no_verify_ssl = False
ifaces = None
apache_dismod = a2dismod
register_unsafely_without_email = False
uir = None
installer = none
config_dir = /etc/letsencrypt
text_mode = False
func = <function obtain_cert at 0x7ff71b8d78c0>
prepare = False
work_dir = /var/lib/letsencrypt
tos = False
init = False
http01_port = 80
duplicate = False
key_path = None
nginx = False
fullchain_path = /root/letsencrypt/chain.pem
email = metal3d@gmail.com
csr = None
agree_dev_preview = None
redirect = None
verbose_count = -3
config_file = None
renew_by_default = False
hsts = False
authenticator = standalone
domains = metal3d.org, www.metal3d.org, examples.metal3d.org
rsa_key_size = 2048
checkpoints = 1
manual_test_mode = False
apache = False
cert_path = /root/letsencrypt/cert.pem
webroot_path = None
strict_permissions = False
apache_server_root = /etc/apache2
account = 35f1d18c7c88ff4ad54145518688dd87
manual_public_ip_logging_ok = False
chain_path = /root/letsencrypt/chain.pem
standalone = True
manual = False
server = https://acme-v01.api.letsencrypt.org/directory
standalone_supported_challenges = "http-01,tls-sni-01"
webroot = False
apache_init_script = None
user_agent = None
apache_ctl = apache2ctl
apache_le_vhost_ext = -le-ssl.conf
debug = False
tls_sni_01_port = 443
logs_dir = /var/log/letsencrypt
configurator = None
[[webroot_map]]

BTW, you can see a Python-object-to-string problem in the configuration file.
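A renewal config that silently disagrees with the issued certificate is exactly the failure this thread is about, so a small consistency check is useful before trusting automated renewal. The script below is an added example and is not code from the letsencrypt client or from this thread; it parses the `domains` key of the `[renewalparams]` section, parses the DNS names from `openssl x509 -noout -ext subjectAltName` output (or the same block inside `-text` output), and reports which names would be added or dropped on the next renewal. It also flags values such as `func = <function obtain_cert at 0x...>` that are Python object representations rather than settings. The config excerpt and the openssl output embedded below are constructed samples based on the posted config; on a real host you would read the `.conf` file and run openssl against the live `cert.pem` yourself.

```python
"""Check that a letsencrypt/certbot renewal config names the same hosts as the
certificate it renews.  Added example, not part of the letsencrypt client.
Sample inputs are constructed from the thread so the script runs offline."""
import re

# Constructed sample: the renewal config from the thread, trimmed to the keys
# this check cares about (paths and values as posted).
SAMPLE_RENEWAL_CONF = """\
cert = /etc/letsencrypt/live/metal3d.org/cert.pem
fullchain = /etc/letsencrypt/live/metal3d.org/fullchain.pem

# Options and defaults used in the renewal process
[renewalparams]
authenticator = standalone
func = <function obtain_cert at 0x7ff71b8d78c0>
domains = metal3d.org, www.metal3d.org, examples.metal3d.org
standalone_supported_challenges = "http-01,tls-sni-01"
[[webroot_map]]
"""

# Constructed sample: what `openssl x509 -in cert.pem -noout -ext subjectAltName`
# prints for a certificate issued before the subdomain was added.
SAMPLE_SAN_OUTPUT = """\
X509v3 Subject Alternative Name:
    DNS:metal3d.org, DNS:www.metal3d.org
"""

# A ConfigObj value that is really a Python repr, e.g. "<function f at 0x...>"
REPR_VALUE = re.compile(r"^<.* at 0x[0-9a-f]+>$")


def parse_renewalparams(conf_text):
    """Return key/value pairs of the [renewalparams] section as a dict.
    Nested [[...]] sections are skipped; surrounding quotes are stripped."""
    params = {}
    in_section = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[["):            # nested section such as [[webroot_map]]
            in_section = False
            continue
        if line.startswith("["):
            in_section = line == "[renewalparams]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip().strip('"')
    return params


def renewal_domains(conf_text):
    """Names the next renewal will request, lower-cased."""
    raw = parse_renewalparams(conf_text).get("domains", "")
    return {d.strip().lower() for d in raw.split(",") if d.strip()}


def cert_san_names(openssl_output):
    """DNS names from openssl's subjectAltName listing, lower-cased."""
    return {m.lower() for m in re.findall(r"DNS:([^,\s]+)", openssl_output)}


def unserialisable_values(conf_text):
    """Keys whose value is a Python object repr instead of a real setting."""
    return sorted(k for k, v in parse_renewalparams(conf_text).items()
                  if REPR_VALUE.match(v))


def renewal_drift(conf_text, openssl_output):
    """Compare config names with certificate names.  'missing_in_cert' are
    names the next renewal would add; 'missing_in_conf' are names it would drop."""
    wanted = renewal_domains(conf_text)
    issued = cert_san_names(openssl_output)
    return {
        "missing_in_cert": sorted(wanted - issued),
        "missing_in_conf": sorted(issued - wanted),
        "in_sync": wanted == issued,
    }


if __name__ == "__main__":
    print(renewal_drift(SAMPLE_RENEWAL_CONF, SAMPLE_SAN_OUTPUT))
    print("repr values:", unserialisable_values(SAMPLE_RENEWAL_CONF))
```

With the sample inputs the check reports `examples.metal3d.org` as missing from the certificate, which is the state the original poster was in after editing the config by hand: the config will ask for the new name on renewal, but the certificate currently deployed does not carry it. A name listed under `missing_in_conf` is the more dangerous direction, since the next renewal would silently drop it from the certificate.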


#6

I may be mistaken, but I believe the devs are making progress on this particular issue; see #1546.


#7

Hi, I just ran into exactly this problem. I have even changed the configuration file, but the reissued certificate doesn’t contain the extra subdomain. This is a somewhat critical issue for me. How have you guys solved the problem?


#8

That seems to be fixed.