Certbot and Wildcard Certificates

Hey people,

I have the following problem. I created a wildcard certificate with certbot.
The TLD and the subdomain cloud.tld work well, but it.tld doesn't. Both subdomains have a valid A record. I do not understand why the browser says it.tld is "not safe".

I would be thankful for a hint.

greetings

My domain is:
dennisbuehler.de

Subdomains:
cloud.dennisbuehler.de
it.dennisbuehler.de

I ran this command:
certbot certonly --manual --preferred-challenge dns -d "dennisbuehler.de" -d "*.dennisbuehler.de"

My web server is (include version):
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2023-03-08T17:32:54

The operating system my web server runs on is (include version):
Ubuntu

My hosting provider, if applicable, is:
netcup.de

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
0.40.0

Your website is not using the wildcard certificate entirely. It's serving a certificate for the hostnames cloud.dennisbuehler.de, dennisbuehler.de and www.dennisbuehler.de.

Did you install the certificate into Apache after you got it?

Also note that the ACME client lego supports Netcup as a DNS provider to automate the adding and removing of the TXT record so you can automate issuance of the wildcard certificate. And the Certbot plugin certbot-dns-multi (developed by one of the Certbot developers, but technically a third party plugin for Certbot) uses lego under the hood, so you could use that plugin to automate issuance using Certbot!

And another question: do you actually require a wildcard certificate? Or is it also possible to simply extend the current certificate with the three hostnames mentioned above to include the it subdomain?

Please also note that you've often generated more certificates than required: crt.sh | dennisbuehler.de

Looks like you're often issuing the wildcard certificate multiple times within a few days. I'm not sure why you would do that? In general it seems certificates for your domain are issued multiple times in a row since you started using Let's Encrypt back in 2021. Please only issue a certificate once and renew it after 60 days, not earlier.

4 Likes

You should upgrade that version using the recommended installation instructions, at:
Certbot Instructions | Certbot (eff.org)

3 Likes

certbot --expand -d it.dennisbuehler.de

did it.

You sure? On crt.sh | dennisbuehler.de I can only see one new certificate compared to this morning and it only has it.dennisbuehler.de as hostname. So it seems nothing really got expanded.

2 Likes

root@celeste:/home/dtm# certbot --expand -d it.dennisbuehler.de
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for it.dennisbuehler.de
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/wordpress-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/wordpress-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/wordpress-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/wordpress.conf to ssl vhost in /etc/apache2/sites-available/wordpress-le-ssl.conf


Congratulations! You have successfully enabled https://it.dennisbuehler.de

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=it.dennisbuehler.de


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/it.dennisbuehler.de/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/it.dennisbuehler.de/privkey.pem
    Your cert will expire on 2023-10-06. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

Yeah, Certbot is stupid in that way. It didn't recognise your other already present certificates, because Certbot requires you to put all hostnames using -d on the command line, even if you just want to add a single hostname to an already existing certificate.

E.g., if you already have a certificate for foo.example.com and bar.example.com using certbot -d foo.example.com -d bar.example.com and you'd want to add baz.example.com to that existing certificate, you'd want to run certbot --expand -d foo.example.com -d bar.example.com -d baz.example.com unfortunately.

3 Likes
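As an added illustration (not code from the thread or from Certbot), this Python snippet applies the wildcard-matching rule browsers use to a certificate's SAN list, showing why the certificate Apache was serving (cloud, apex, www) fails for it.dennisbuehler.de while the wildcard certificate would cover it, and builds the full --expand command that repeats every existing name plus the new one. The name lists are constructed from the hostnames mentioned in the thread.

```python
"""Added example: SAN coverage check with wildcard rule, plus --expand helper."""
import shlex


def san_covers(hostname, san_names):
    """True if any SAN entry matches hostname.

    A wildcard entry like '*.example.com' covers exactly one extra label:
    'it.example.com' matches, but 'example.com' and 'a.b.example.com' do not.
    """
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            if host.endswith(suffix):
                label = host[: -len(suffix)]
                if label and "." not in label:
                    return True
    return False


def uncovered(hostnames, san_names):
    """Hostnames that would trigger a browser 'not safe' warning with this cert."""
    return [h for h in hostnames if not san_covers(h, san_names)]


def expand_command(existing_names, new_names):
    """Certbot replaces the lineage with exactly the -d names given, so the
    --expand command must repeat every existing name plus the new ones."""
    names = list(dict.fromkeys(list(existing_names) + list(new_names)))
    return "certbot --expand " + " ".join("-d " + shlex.quote(n) for n in names)


# Constructed SAN lists mirroring the thread: what Apache was serving,
# and what the wildcard certificate issued via the dns-01 challenge contains.
SERVED_SANS = ["cloud.dennisbuehler.de", "dennisbuehler.de", "www.dennisbuehler.de"]
WILDCARD_SANS = ["dennisbuehler.de", "*.dennisbuehler.de"]
WANTED = ["dennisbuehler.de", "cloud.dennisbuehler.de", "it.dennisbuehler.de"]

if __name__ == "__main__":
    print("served cert misses:", uncovered(WANTED, SERVED_SANS))
    print("wildcard cert misses:", uncovered(WANTED, WILDCARD_SANS))
    print(expand_command(SERVED_SANS, ["it.dennisbuehler.de"]))
```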

What shows?
certbot certificates

3 Likes
