I have a single certificate with 11 domains. It shows up correctly when I run certbot certificates:
-------------------------------------------------------------------------------
Found the following certs:
Certificate Name: NAME
Domains: archives.example.com jonathon.example.com software.example.com www.example.com
Expiry Date: 2018-08-15 01:59:12+00:00 (VALID: 31 days)
Certificate Path: /etc/letsencrypt/live/NAME/fullchain.pem
Private Key Path: /etc/letsencrypt/live/NAME/privkey.pem
-------------------------------------------------------------------------------
In /etc/letsencrypt/renewal/NAME.conf, I see:
# renew_before_expiry = 30 days
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/NAME
cert = /etc/letsencrypt/live/NAME/cert.pem
privkey = /etc/letsencrypt/live/NAME/privkey.pem
chain = /etc/letsencrypt/live/NAME/chain.pem
fullchain = /etc/letsencrypt/live/NAME/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = eff64665900fff0c9fff7b1a8d4eb2ed
renew_hook = systemctl reload nginx
[[webroot_map]]
www.example.com = /var/www/www.example.com
jonathon.example.com = /var/www/jonathon.example.com
software.example.com = /var/www/software.example.com
archives.example.com = /var/www/archives.example.com
...
I want to now add another domain to the certificate. When I run certbot certonly --dry-run --cert-name NAME, I am asked how I’d like to authenticate, and select webroot. After this, it prompts me to enter the webroot for all of my domains again.
Is this correct? What is the point of [[webroot_map]] if certbot doesn’t use it? Am I doing something wrong?
If I pass --cert-name as something other than NAME in this case, it forgets I have any domain names configured at all, and asks Please enter in your domain name(s).
It seems like --cert-name is correct, and --expand is unnecessary:
Consider using --cert-name instead of --expand, as it gives more control over which certificate is modified and it lets you remove domains as well as adding them.
Thanks for confirming that unfortunate behavior, though. I'll open a feature request on GitHub and might put together a PR.
It's used by certbot renew to allow you to have different webroots for various names that a certificate covers when you renew the certificate without modifying it. This is a useful feature; without webroot_map, you could only have a single webroot per certificate and renewals where this wasn't the case would break.
However, I totally agree with your observation about how it ought to work in the circumstances that you describe, and I appreciate your submitting an issue to request this feature!