Can't expand certs to other subdomains

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

Note:
I have cnames and have set VirtualHost for the two domains I am trying to expand with certbot. I am trying to expand the number of domains under letsencrypt from 7 to 9.

My domain is:
ingber.com

I ran this command:
/usr/bin/certbot --expand -d louise.ingber.com,creekhouse.ingber.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for creekhouse.ingber.com
http-01 challenge for louise.ingber.com
Waiting for verification...
Challenge failed for domain creekhouse.ingber.com
Challenge failed for domain louise.ingber.com
http-01 challenge for creekhouse.ingber.com
http-01 challenge for louise.ingber.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version):
apache2 (Server version: Apache/2.4.41 (Ubuntu))

The operating system my web server runs on is (include version):
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

2 Likes
2

Welcome Back to the Let's Encrypt Community, Lester :slightly_smiling_face:

I tested both of the new domain names with Let's Debug, which did not receive the responses that you did from Let's Encrypt, so something will need to be resolved there.

First though:

--expand tells Certbot to update an existing certificate with a new certificate that contains all of the old domains and one or more additional new domains. With the --expand option, use the -d option to specify all existing domains and one or more new domains.

Typically using --cert-name is preferable to using --expand. To do this right, we need to first know the output of:

sudo /usr/bin/certbot certificates

3 Likes
3

Both names failed.

Please show the output of:
apachectl -t -D DUMP_VHOSTS

4 Likes
4

Hi. The output is:

13:46:22 ingber@linode# ~: /usr/bin/certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: www.ingber.com
Domains: www.ingber.com blog.ingber.com default.ingber.com ingber.com lester.ingber.com lin.ingber.com lin6.ingber.com
Expiry Date: 2022-03-03 06:38:13+00:00 (VALID: 60 days)
Certificate Path: /etc/letsencrypt/live/www.ingber.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.ingber.com/privkey.pem

2 Likes
5

The output is:

13:47:15 ingber@linode# ~: apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
173.255.212.226:80 is a NameVirtualHost
default server www.ingber.com (/etc/apache2/sites-enabled/000-default.conf:7)
port 80 namevhost www.ingber.com (/etc/apache2/sites-enabled/000-default.conf:7)
alias ingber.com
alias www.ingber.com
port 80 namevhost creekhouse.ingber.com (/etc/apache2/sites-enabled/000-default.conf:20)
port 80 namevhost louise.ingber.com (/etc/apache2/sites-enabled/000-default.conf:32)
port 80 namevhost blog.ingber.com (/etc/apache2/sites-enabled/000-default.conf:44)
port 80 namevhost lester.ingber.com (/etc/apache2/sites-enabled/000-default.conf:56)
port 80 namevhost lin.ingber.com (/etc/apache2/sites-enabled/000-default.conf:68)
port 80 namevhost lin6.ingber.com (/etc/apache2/sites-enabled/000-default.conf:80)
173.255.212.226:443 is a NameVirtualHost
default server www.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:12)
port 443 namevhost www.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:12)
alias ingber.com
alias www.ingber.com
port 443 namevhost louise.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:47)
port 443 namevhost creekhouse.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:81)
port 443 namevhost blog.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:115)
port 443 namevhost lester.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:149)
port 443 namevhost lin.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:183)
port 443 namevhost lin6.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:217)
[2600:3c01::f03c:91ff:fe93:e6f3]:80 is a NameVirtualHost
default server www.ingber.com (/etc/apache2/sites-enabled/000-default.conf:7)
port 80 namevhost www.ingber.com (/etc/apache2/sites-enabled/000-default.conf:7)
alias ingber.com
alias www.ingber.com
port 80 namevhost creekhouse.ingber.com (/etc/apache2/sites-enabled/000-default.conf:20)
port 80 namevhost louise.ingber.com (/etc/apache2/sites-enabled/000-default.conf:32)
port 80 namevhost blog.ingber.com (/etc/apache2/sites-enabled/000-default.conf:44)
port 80 namevhost lester.ingber.com (/etc/apache2/sites-enabled/000-default.conf:56)
port 80 namevhost lin.ingber.com (/etc/apache2/sites-enabled/000-default.conf:68)
port 80 namevhost lin6.ingber.com (/etc/apache2/sites-enabled/000-default.conf:80)
[2600:3c01::f03c:91ff:fe93:e6f3]:443 is a NameVirtualHost
default server www.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:12)
port 443 namevhost www.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:12)
alias ingber.com
alias www.ingber.com
port 443 namevhost louise.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:47)
port 443 namevhost creekhouse.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:81)
port 443 namevhost blog.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:115)
port 443 namevhost lester.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:149)
port 443 namevhost lin.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:183)
port 443 namevhost lin6.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:217)
*:80 default.ingber.com (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 default.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:2)

2 Likes
6

What are the outputs of:

sudo cat /etc/apache2/sites-enabled/000-default.conf
sudo cat /etc/apache2/sites-enabled/default-ssl.conf
sudo ls -lRa /etc/apache2/sites-available
sudo ls -lRa /etc/apache2/sites-enabled

Please put ``` above and below each output, like this:

```
output
```

3 Likes
7

The output is in
output

2 Likes
8

I think you can just use:
/usr/bin/certbot --apache

and walk through the choices to get a cert with all names on it.

3 Likes
9

Since I have provided a lot of information, I will wait until someone can make a definitive statement (I too can guess, but I'd rather not) about the proper way to fix this "expand" issue.

Thanks.

Lester

1 Like
10

In the meantime...
Can you upgrade that version of certbot?

3 Likes
11

I didn't realize that in 2020 certbot no longer auto-updated. I used the info on Webdock : Upgrading Let's Encrypt Certbot to the latest version on Ubuntu to update to version 1.22.0 .

Thanks.

Lester

3 Likes
12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.