Can I retroactively add a domain to an existing certificate?

With prior help received from this forum I have working auto-renewing certificates for both my websites.

Here is the output of #certbot certificates

Found the following certs:
  Certificate Name: eclectichouston.com
    Domains: eclectichouston.com www.eclectichouston.com
    Expiry Date: 2024-06-25 06:07:07+00:00 (VALID: 33 days)
    Certificate Path: /etc/letsencrypt/live/eclectichouston.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/eclectichouston.com/privkey.pem
  Certificate Name: spaceflight.training
    Domains: spaceflight.training
    Expiry Date: 2024-07-29 12:54:01+00:00 (VALID: 67 days)
    Certificate Path: /etc/letsencrypt/live/spaceflight.training/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/spaceflight.training/privkey.pem

I noticed that for the spaceflight.training domain (the first one I set up) I forgot to add www.spaceflight.training to the certificate when I set it up. Can I go back and add that, and if so, how?

My #1 concern is not messing up the system that is working, but if possible I would like to make this change.

1 Like

The short answer is: no. An actual certificate is represented by the SANs on it. You can, however, just acquire another certificate with all the SANs you want (within certain limits of little concern to most). :slightly_smiling_face:

6 Likes

Thanks! That makes sense. Much appreciated.

4 Likes

For certbot certificates (as certbot data), you can "expand" them in terms of certbot certificate management to add additional (sub)domain names, but the actual, resulting certificate will be a new one.

https://eff-certbot.readthedocs.io/en/latest/using.html#re-creating-and-updating-existing-certificates

4 Likes

Yeah, asking about updating a certificate doesn't make sense (at least literally, though people may generally know what you mean), but you can update certbot to request a new certificate with the names you want, save it in the same place, and also use those new names when renewing. Just request a new certificate with all the names, but also pass --cert-name spaceflight.training as part of the command so that it updates those existing files.

6 Likes

As a reminder, the "all the names" is important here! Please request all the names and not just the new ones. Certbot's behavior here is meant to give you the maximum possible control over the contents of your new cert, but it also confuses plenty of people who may suppose that --expand will automatically supply the old names (among other misconceptions).

6 Likes

Thanks to all. I'm gonna snapshot my droplet (so I can back out if I have to) and give it a whirl.

3 Likes

The document referenced above says

"The same format can be used to expand the set of domains a certificate contains, or to replace that set entirely:"

So can I just do this?

certbot certonly --cert-name spaceflight.training -d spaceflight.training,www.spaceflight.training

1 Like
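The "all the names" caveat from the replies above is the part people get wrong, so here is an added helper (not from the thread or from certbot itself) that reads a `certbot certificates` listing, carries over every name already on the lineage, appends the new ones, and emits the certonly command with --cert-name. The listing is a constructed sample mirroring the one posted earlier; --dry-run is appended so the command can be tested against the staging endpoint first and dropped for the real run.

```shell
#!/bin/sh
# Build the full -d list for "expanding" a certbot lineage. Every name already
# on the lineage is kept, so the replacement certificate does not silently
# drop the old ones (the mistake the replies above warn about).
# Usage: expand_domain_list "<certbot certificates output>" <cert-name> <new-name>...
expand_domain_list() {
  listing=$1; cert_name=$2; shift 2
  # Take the "Domains:" line that belongs to the requested lineage only.
  existing=$(printf '%s\n' "$listing" | awk -v name="$cert_name" '
    /Certificate Name:/ { current = $3 }
    /Domains:/ && current == name { for (i = 2; i <= NF; i++) print $i }')
  all=$(printf '%s\n' "$existing"; for n in "$@"; do printf '%s\n' "$n"; done)
  # De-duplicate in first-seen order, then join with commas for a single -d.
  printf '%s\n' "$all" | awk 'NF && !seen[$0]++' | paste -s -d ',' -
}

# Emit the command the thread settles on. --dry-run talks to staging only;
# remove it once the output looks right.
build_certbot_command() {
  listing=$1; cert_name=$2; shift 2
  domains=$(expand_domain_list "$listing" "$cert_name" "$@")
  printf 'certbot certonly --cert-name %s -d %s --dry-run\n' "$cert_name" "$domains"
}

# Constructed sample listing (same shape as the output posted above).
SAMPLE_LISTING='Found the following certs:
  Certificate Name: eclectichouston.com
    Domains: eclectichouston.com www.eclectichouston.com
  Certificate Name: spaceflight.training
    Domains: spaceflight.training'

build_certbot_command "$SAMPLE_LISTING" spaceflight.training www.spaceflight.training
```

After the real run, `certbot certificates` should list both names under the lineage, and an existing vhost pointing at /etc/letsencrypt/live/spaceflight.training/ picks up the new files without any path change.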

Success! Thanks again to all.


Found the following certs:
  Certificate Name: eclectichouston.com
    Domains: eclectichouston.com www.eclectichouston.com
    Expiry Date: 2024-06-25 06:07:07+00:00 (VALID: 32 days)
    Certificate Path: /etc/letsencrypt/live/eclectichouston.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/eclectichouston.com/privkey.pem
  Certificate Name: spaceflight.training
    Domains: spaceflight.training www.spaceflight.training
    Expiry Date: 2024-08-21 22:59:59+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/spaceflight.training/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/spaceflight.training/privkey.pem

4 Likes
