Best practice for adding sub-domain certificates?


I have successfully setup a site with two subdomains, using the standalone option

./letsencrypt-auto certonly -a standalone -d -d -d

Everything is working great so far, and the combined certificate is in the live/ folder. What is the best approach now if I would like to add another subsite, i.e. Is it better to run the full command again, just adding the site?

./letsencrypt-auto certonly -a standalone -d -d -d -d

Or is it better to run letsencrypt with only the new domain?

./letsencrypt-auto certonly -a standalone -d

Does it make any difference at all? Is there a best practice?



The big thing I notice is that it will try to create the certs again or prompt you asking what to do about the existing certs. You could pass the --keep or --renew-by-default flags to keep existing non-expired certs or replace them, accordingly. So you could put them all in the same line with --keep and it won’t replace the certs. I think that is a better approach but there might be better reasons from others on why not.
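As an added example, not code from any poster in this thread: a small POSIX shell script that lists the DNS names in the live certificate and compares them against the domains you intend to keep renewing, so you can tell whether the certonly command has to be re-run with the complete -d list before you touch the cron job. The certificate path and domain names are assumptions passed on the command line, and the openssl binary must be installed.

```shell
#!/bin/sh
# Added example: check whether an existing Let's Encrypt certificate already
# covers every domain you plan to serve, and print the full certonly command
# (with --keep, as discussed in the thread) when it does not.

# san_names FILE: print one DNS name per line from the PEM certificate FILE.
# Uses -text so it works on older OpenSSL releases that lack -ext.
san_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
}

# missing_domains SANLIST DOMAIN...: print each DOMAIN not present in SANLIST
# (SANLIST is newline-separated). Exact, fixed-string match, so a wildcard
# SAN entry is not treated as covering its subdomains.
missing_domains() {
    sans="$1"; shift
    for d in "$@"; do
        printf '%s\n' "$sans" | grep -qxF "$d" || printf '%s\n' "$d"
    done
}

# build_certonly_cmd DOMAIN...: the standalone certonly command line for the
# whole domain set, with --keep so unexpired certificates are left alone.
build_certonly_cmd() {
    cmd="./letsencrypt-auto certonly -a standalone"
    for d in "$@"; do
        cmd="$cmd -d $d"
    done
    printf '%s\n' "$cmd --keep"
}

# Usage: sh check_sans.sh /etc/letsencrypt/live/NAME/fullchain.pem domain...
# (assumed path; nothing runs when the script is sourced without arguments)
if [ "$#" -ge 2 ]; then
    cert="$1"; shift
    missing=$(missing_domains "$(san_names "$cert")" "$@")
    if [ -z "$missing" ]; then
        echo "certificate already covers: $*"
    else
        echo "missing from certificate:"
        printf '%s\n' "$missing"
        echo "re-run with the full list:"
        build_certonly_cmd "$@"
    fi
fi
```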


I just ran one of the server plugin ones and it took care of adding a new subdomain to the existing cert for renewal. Really easy.


letsencrypt --apache


So how does it eventually become?

./letsencrypt-auto certonly -a standalone -d -d -d -d --keep --renew-by-default


./letsencrypt-auto certonly -a standalone -d --keep --renew-by-default



For the renewal I just ran the original command again:

./letsencrypt-auto certonly -a standalone -d -d

no further flags like --renew-by-default. Seemed to work just fine and the renewed certificates are working.


So what would happen if I decided I no longer needed one of the domains/subs and I took it out of the renewal cron, would it simply just remove it and carry on renewing the rest?