Avoid re-entering webroot when requesting new certificate?


#1

I have a single certificate with 11 domains. It shows up correctly when I run certbot certificates:

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: NAME
    Domains: archives.example.com jonathon.example.com software.example.com www.example.com
    Expiry Date: 2018-08-15 01:59:12+00:00 (VALID: 31 days)
    Certificate Path: /etc/letsencrypt/live/NAME/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/NAME/privkey.pem
-------------------------------------------------------------------------------

In /etc/letsencrypt/renewal/NAME.conf, I see:

# renew_before_expiry = 30 days
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/NAME
cert = /etc/letsencrypt/live/NAME/cert.pem
privkey = /etc/letsencrypt/live/NAME/privkey.pem
chain = /etc/letsencrypt/live/NAME/chain.pem
fullchain = /etc/letsencrypt/live/NAME/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = eff64665900fff0c9fff7b1a8d4eb2ed
renew_hook = systemctl reload nginx
[[webroot_map]]
www.example.com = /var/www/www.example.com
jonathon.example.com = /var/www/jonathon.example.com
software.example.com = /var/www/software.example.com
archives.example.com = /var/www/archives.example.com
...

I want to now add another domain to the certificate. When I run certbot certonly --dry-run --cert-name NAME, I am asked how I’d like to authenticate, and select webroot. After this, it prompts me to enter the webroot for all of my domains again.

Is this correct? What is the point of [[webroot_map]] if certbot doesn’t use it? Am I doing something wrong?


#2

Hmm. What does your renewal file actually look like?

Does this have the same behavior?

certbot renew --cert-name example.org --dry-run

#3

(See edits above.)

If I pass --cert-name as something other than NAME in this case, it forgets I have any domain names configured at all, and asks "Please enter in your domain name(s)."


#4

If your task is to change the names on that certificate, then you will need to re-enter the full list of domains. Take a look at --expand under https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates.

I can confirm that Certbot does indeed ask for each webroot again, even if configured, which is a bit unfortunate.


#5

It seems like --cert-name is correct, and --expand is unnecessary:

Consider using --cert-name instead of --expand, as it gives more control over which certificate is modified and it lets you remove domains as well as adding them.

Thanks for confirming that unfortunate behavior, though. I’ll open a feature request on GitHub and might put together a PR.

Thanks!


#6

It’s used by certbot renew to allow you to have different webroots for various names that a certificate covers when you renew the certificate without modifying it. This is a useful feature; without webroot_map, you could only have a single webroot per certificate and renewals where this wasn’t the case would break.

However, I totally agree with your observation about how it ought to work in the circumstances that you describe, and I appreciate your submitting an issue to request this feature!
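One way to avoid retyping every webroot while the feature request is open is to read the existing [[webroot_map]] back out of the renewal file and turn it into the -w/-d arguments for certbot certonly --cert-name NAME. The script below is an added example written for this thread, not Certbot's own code or anything from the posts above; it parses a constructed copy of the renewal file quoted in post #1 (the account id is a placeholder) and relies on the documented Certbot behaviour that each -w/--webroot-path applies to the -d names that follow it. The cert name, the new domain and its webroot are assumptions chosen for the example.

```python
"""Rebuild a 'certbot certonly' command from the webroot_map of a renewal file."""
import shlex
from collections import OrderedDict

# Constructed sample modelled on the renewal file in the thread; not a real file.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/NAME
cert = /etc/letsencrypt/live/NAME/cert.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 0123456789abcdef0123456789abcdef
renew_hook = systemctl reload nginx
[[webroot_map]]
www.example.com = /var/www/www.example.com
jonathon.example.com = /var/www/jonathon.example.com
software.example.com = /var/www/software.example.com
archives.example.com = /var/www/archives.example.com
"""


def parse_webroot_map(text):
    """Return an ordered {domain: webroot} dict from the [[webroot_map]] section.

    Renewal files use configobj syntax: '[section]' and nested '[[subsection]]'
    headers, 'key = value' lines and '#' comments. Only the webroot_map matters
    here, so every other key is skipped.
    """
    mapping = OrderedDict()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[[") and line.endswith("]]"):
            section = line[2:-2].strip()
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section == "webroot_map" and "=" in line:
            domain, path = (part.strip() for part in line.split("=", 1))
            mapping[domain] = path
    return mapping


def build_certonly_args(cert_name, webroot_map, new_domains=None, dry_run=False):
    """Return argv for 'certbot certonly' that re-uses every stored webroot.

    Domains are grouped by webroot because certbot applies each -w to the -d
    names that follow it; new_domains maps extra names to their webroot and
    overrides an existing entry for the same name.
    """
    combined = OrderedDict(webroot_map)
    combined.update(new_domains or {})
    by_root = OrderedDict()
    for domain, root in combined.items():
        by_root.setdefault(root, []).append(domain)
    args = ["certbot", "certonly", "--webroot", "--cert-name", cert_name]
    for root, domains in by_root.items():
        args += ["-w", root]
        for domain in domains:
            args += ["-d", domain]
    if dry_run:
        args.append("--dry-run")
    return args


if __name__ == "__main__":
    # Assumed new name and webroot for the example; adjust for a real host.
    extra = {"new.example.com": "/var/www/new.example.com"}
    argv = build_certonly_args("NAME", parse_webroot_map(SAMPLE_CONF), extra, dry_run=True)
    print(" ".join(shlex.quote(a) for a in argv))
```

On a real host you would read /etc/letsencrypt/renewal/NAME.conf instead of SAMPLE_CONF and drop dry_run once the staging run succeeds; because --cert-name is used rather than --expand, the same command can also remove a name simply by leaving it out of the map.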