I don’t really like the numbers being attached. not sure why it’s happening. I really think I should have 1 certificate but I think it shows 4 or 5
I automatically create certificates for subdomains when the user clicks a create subdomain button. I use node js exec to make the commands and the server is linux
the command looks like this certbot -d example.com -d cool.example.com -d test.example.com -d parse.example.com -d www.example.com -d success.example.com -d xyz.example.com --expand --redirect
I basically get those domains when I automatically update the server_name in the nginx /sites-available/default file. I get it from that server_name line then add the -ds then execute the command every time the user clicks the button.
My concern if I keep doing this I will have tons of “certificate names” with the numbers appended (“0001”).
I don’t know if I should be concerned about it.
I’m using certbot version 0.31.0
Ubuntu 18.04.3 LTS
I login as root
Also I noticed that the redirects weren’t automatically added in the second server block in the default file I thought the --redirect option was supposed to handle the redirect but it doesn’t look like its doing it.
When you’re only adding names, and you use the --expand option (or choose it in the interactive prompt), Certbot will save the new certificate in place of the old one.
When removing domains – or adding and removing domains – Certbot will save it in a new directory.
What you’ve got is the expected – if not good – outcome from repeatedly adding and removing domains over time.
As @JuergenAuer said, you can use the --cert-name option to have Certbot replace an existing certificate regardless of whether you’re adding or removing domains.
Having all of these certificates is somewhat problematic – on the one hand, continuing to renew them wastes resources. On the other hand, if you’ve removed names that no longer work, Certbot will try and fail to renew them, which also wastes resources. On top of that, if your web server is configured to use a certificate that’s failing to renew, your websites will break when it expires!
It would be good to choose one certificate, configure all of your software to use it, and use certbot delete to delete the others.
Thanks for your answer. Real helpful.
I just want some clarification.
The command: certbot -d example.com -d cool.example.com -d test.example.com -d parse.example.com -d www.example.com -d success.example.com -d xyz.example.com --expand --redirect
Is the command that I used the proper way to add and remove sub-domains?
When I use the command above is that adding a new certificate? If it does I don’t think I need multiple certificates for many subdomains. Correct me if I’m wrong.
I just want to attach subdomains to example.com.
I’m going to be using that command a lot with the updated list of subdomains
I’m assuming that there is a name collision because every time I run the command example.com is the first name. Although sometimes I think it doesn’t create the new certificate name so it’s a little weird.
I think your saying that the name collision stuff won’t really affect my https sites so I don’t really have to do anything. But I was still courious about the info I mentioned above.
It’s ok if you don’t want to answer. If you don’t I will probably just continue running those commands with updated long lists of domains and home everything will be ok.
create certificate like certbot -d example.com -d cool.example.com for example.com add one subdomain to start off.
Then when the user clicks a button to add a subdomain for example, newone.example.com I could do this command
certbot -d example.com -d cool.example.com -d newone.example.com --cert-name example.com (question: do I keep "example.com as the first one if I’m using it as cert-name?")
When the user wants to remove newone.example.com I will do command : certbot -d example.com -d cool.example.com -d --cert-name example.com
Notice newone.example.com is missing.
Is this the better way to remove and add subdomains?
Is that the exact commands to use.
This way certbot won’t fail when renewing as you mentioned?
EDIT: Or maybe I should delete the old certificate and a new one very time the user clicks the button?
That plan sounds fine, except for two things (plus the typo mentioned at the bottom of this post).
One, don't delete all of your certificates. If you delete certificates that your web server is using, it will break, which will also interfere with getting new certificates to fix the problem!
Delete all but one of your certificates, sure. But don't delete all of them.
Two, have you read the page about Let's Encrypt's rate limits?
If you're adding new subdomains more than a few dozen times per week, that will be a problem, and you should consider using a wildcard certificate instead.
Yes! If you don't keep it, it would be removed from the new certificate. (It doesn't have to be first, though.)
There's an extra "-d" in that command, between "cool.example.com" and "--cert-name", but yes.
If it’s one that LE supports with a plugin, you can set up DNS validation & just get a wildcard certificate to issue to any subdomains that are created.