Best practice for adding sub-domain certificates?


#1

I have successfully setup a site with two subdomains, using the standalone option

./letsencrypt-auto certonly -a standalone -d example.com -d www.example.com -d sub1.example.com

Everything is working great so far, and the combined certificate is in the live/example.com folder. What is the best approach now if I would like to add another subsite, i.e. sub2.example.com? Is it better to run the full command again, just adding the site?

./letsencrypt-auto certonly -a standalone -d example.com -d www.example.com -d sub1.example.com -d sub2.example.com

Or is it better to run letsencrypt with only the new domain?

./letsencrypt-auto certonly -a standalone -d sub2.example.com

Does it make any difference at all? Is there a best practice?

Thanks!!


#2

The big thing I notice is that it will try to create the certs again or prompt you asking what to do about the existing certs. You could pass the --keep or --renew-by-default flags to keep existing non-expired certs or replace them, accordingly. So you could put them all in the same line with --keep and it won’t replace the certs. I think that is a better approach but there might be better reasons from others on why not.
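Before re-running the client it helps to know which names the existing certificate already covers, because that is what decides whether a re-run only renews or must also expand the certificate. The script below is an added example, not code from the thread or from the Let's Encrypt client: it reads the SAN list out of a certificate with openssl and reports which requested names are missing. Instead of the real /etc/letsencrypt/live/example.com/cert.pem it builds a self-signed stand-in in a temp dir with the three names from the original command (constructed data; needs openssl 1.1.1 or later for -addext), so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): compare the subjectAltName entries in
# an existing certificate against the list of names you intend to request.
# Requires openssl; makes no network calls.

# Print one DNS name per line from a PEM certificate's subjectAltName.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
      | sed -n '/Subject Alternative Name/{n;p;}' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Print the requested names (arguments after the cert path) that the
# certificate does not already cover, one per line; prints nothing if
# every name is covered.
missing_sans() {
    cert="$1"; shift
    have="$(cert_sans "$cert")"
    for name in "$@"; do
        printf '%s\n' "$have" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# Constructed stand-in for /etc/letsencrypt/live/example.com/cert.pem:
# a throwaway self-signed cert carrying the three names from the thread.
make_demo_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.com' \
      -keyout "$dir/privkey.pem" -out "$dir/cert.pem" \
      -addext 'subjectAltName=DNS:example.com,DNS:www.example.com,DNS:sub1.example.com' \
      >/dev/null 2>&1
}

demo() {
    tmp="$(mktemp -d)"
    make_demo_cert "$tmp"
    # The list you would pass with -d after adding sub2.example.com.
    wanted="example.com www.example.com sub1.example.com sub2.example.com"
    missing="$(missing_sans "$tmp/cert.pem" $wanted)"
    if [ -n "$missing" ]; then
        echo "Names not yet covered: $(echo "$missing" | tr '\n' ' ')"
        echo "Re-run with the full list so the existing lineage is expanded:"
        echo "./letsencrypt-auto certonly -a standalone$(printf ' -d %s' $wanted)"
    else
        echo "Certificate already covers every requested name; a re-run only renews it."
    fi
    rm -rf "$tmp"
}

demo
```

The two options from the question behave differently: passing only `-d sub2.example.com` creates a separate lineage under live/sub2.example.com with its own cert and key, which the web server then has to be configured for separately, while re-running with the full list plus the new name replaces the existing live/example.com certificate with one covering all four names. Later versions of the client accept `--expand` to confirm that replacement without an interactive prompt.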


#3

I just ran one of the server plugin ones and it took care of adding a new subdomain to the existing cert for renewal. Really easy.

e.g.

letsencrypt --apache


#4

So how does it eventually become?

./letsencrypt-auto certonly -a standalone -d example.com -d www.example.com -d sub1.example.com -d sub2.example.com --keep --renew-by-default

OR

./letsencrypt-auto certonly -a standalone -d sub2.example.com --keep --renew-by-default

?


#5

For the renewal I just ran the original command again:

./letsencrypt-auto certonly -a standalone -d example.com -d www.example.com

no further flags like --renew-by-default. Seemed to work just fine and the renewed certificates are working.


#6

So what would happen if I decided I no longer needed one of the domains/subs and took it out of the renewal cron? Would it simply remove it and carry on renewing the rest?