Certbot fails when trying to expand certificate for more than one subdomain

Using LetsEncrypt and certbot, I already have a certificate for the domain myapp.john.com.

I was trying to expand certificate to a subdomain (prod.myapp.john.com) by:

sudo certbot certonly --webroot -w /usr/share/nginx/html/ -d prod.myapp.john.com --expand

It was successful:

ubuntu@ip-177.77.77.77:~/sites$ sudo certbot certonly --webroot -w /usr/share/nginx/html/ -d  prod.myapp.john.com --expand
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/prod.myapp.john.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal; no action taken.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I can confirm that a new certificate is in place:

ubuntu@ip-177.77.77.77:~/sites$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: myapp.john.com
    Domains: myapp.john.com www.myapp.john.com
    Expiry Date: 2021-12-14 10:54:17+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/myapp.john.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/myapp.john.com/privkey.pem
  Certificate Name: prod.myapp.john.com
    Domains: prod.myapp.john.com
    Expiry Date: 2021-12-14 11:58:18+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/prod.myapp.john.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/prod.myapp.john.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

However, when I do the same for another subdomain (test.myapp.john.com):

sudo certbot certonly --webroot -w /usr/share/nginx/html/ -d test.myapp.john.com --expand

It throws error:

ubuntu@ip-177.77.77.77:~/sites$ sudo certbot certonly --webroot -w /usr/share/nginx/html/ -d  test.myapp.john.com --expand
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for test.myapp.john.com
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain test.myapp.john.com
http-01 challenge for test.myapp.john.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: test.myapp.john.com
   Type:   unauthorized
   Detail: Invalid response from
   https://test.myapp.john.com/.well-known/acme-challenge/PI-mREAt2RL6RzwLC0_ERjWcrIsyNBCfoOoo9SDPrPA
   [52.197.191.237]: "<!DOCTYPE html>\n<html lang=\"en\">\n  <head>\n
   <meta charset=\"utf-8\" />\n    <link rel=\"icon\"
   href=\"/favicon.ico\" />\n    <!-- <lin"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

It does not make sense to me since in my DNS hoster I have an A record set up for test.myapp.john.com exactly the same as for prod.myapp.john.com, and it points to the same IP address.

Why does it fail?

And moreover, this also fails:

sudo certbot certonly --webroot -w /usr/share/nginx/html/ -d www.prod.myapp.john.com --expand

Error message:

ubuntu@ip-177.77.77.77:~/sites$ sudo certbot certonly --webroot -w /usr/share/nginx/html/ -d  www.prod.myapp.john.com --expand
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.prod.myapp.john.com
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain www.prod.myapp.john.com
http-01 challenge for www.prod.myapp.john.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.prod.myapp.john.com
   Type:   unauthorized
   Detail: Invalid response from
   https://www.prod.myapp.john.com/.well-known/acme-challenge/aoocODOWb5VWIYuD37fBk8m8504YIdwLUiBslnttxwE
   [52.197.191.237]: "<!DOCTYPE html>\n<html lang=\"en\">\n  <head>\n
   <meta charset=\"utf-8\" />\n    <link rel=\"icon\"
   href=\"/favicon.ico\" />\n    <!-- <lin"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
1 Like

Hi @Kid_learning, welcome to the LE community forum :slight_smile:

One question and one observation:
Q. Why are you using --expand; Which cert are you trying to expand?
O. The webroot must match the Root used by the vhost for that domain.

And one last comment:
When you hide the real domain name you make our job that much harder.

2 Likes

And to elaborate on this: certbot is quite a hassle when it comes to modifying existing certificates. One might think including --expand with just the hostname you want to add to an existing certificate will work, but that's not the case. If you want to expand an existing certificate you need to include all the hostnames currently in the cert you want expanded plus the new hostname. And preferably use --cert-name to specify which cert to expand exactly, just to be sure.

3 Likes
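As an added example (not code from the thread or from certbot), a small Python helper that parses `certbot certificates` output and builds the `certonly` command with every hostname already on the lineage kept, which is the point made in the reply above. The certificate listing and webroot path are constructed sample values taken from this thread.

```python
"""Plan a certbot expansion that keeps every hostname already on a lineage."""
import re
from typing import Dict, List

# Constructed sample in the format printed by `sudo certbot certificates`.
CERTBOT_CERTIFICATES_OUTPUT = """\
Found the following certs:
  Certificate Name: myapp.john.com
    Domains: myapp.john.com www.myapp.john.com
    Expiry Date: 2021-12-14 10:54:17+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/myapp.john.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/myapp.john.com/privkey.pem
  Certificate Name: prod.myapp.john.com
    Domains: prod.myapp.john.com
    Expiry Date: 2021-12-14 11:58:18+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/prod.myapp.john.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/prod.myapp.john.com/privkey.pem
"""

def parse_certificates(output: str) -> Dict[str, List[str]]:
    """Map each lineage name to the hostnames it currently covers."""
    lineages: Dict[str, List[str]] = {}
    current = None
    for line in output.splitlines():
        m = re.match(r"\s*Certificate Name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            lineages[current] = []
            continue
        m = re.match(r"\s*Domains:\s*(.+)", line)
        if m and current:
            lineages[current] = m.group(1).split()
    return lineages

def expand_command(lineages: Dict[str, List[str]], cert_name: str,
                   new_domains: List[str], webroot: str) -> List[str]:
    """argv that adds new_domains to cert_name without dropping any existing
    hostname (passing only the new name creates a separate lineage instead)."""
    if cert_name not in lineages:
        raise KeyError(f"no lineage named {cert_name}")
    # Keep the existing order and skip names that are already on the cert.
    domains = list(lineages[cert_name])
    for d in new_domains:
        if d not in domains:
            domains.append(d)
    return ["certbot", "certonly", "--webroot", "-w", webroot,
            "--cert-name", cert_name, "-d", ",".join(domains)]
```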

Thank you very much.
After some doc reading, I think this is a better way; say I want to add two additional subdomains prod.* and test.*:
sudo certbot certonly --cert-name myapp.john.com -d myapp.john.com,www.myapp.john.com,prod.myapp.john.com,test.myapp.john.com

and for
" O. The webroot must match the Root used by the vhost for that domain."
Could you please elaborate on it a bit more? Where can I find the vhost for the domain?

Regarding hiding the real domain name, I just thought it would be a bad practice for a developer to disclose company information on the open forum. For example, I would not do that on stackoverflow. Sorry I just started to use this forum and I am not sure.

2 Likes

@Kid_learning You can find the certbot documentation here: User Guide — Certbot 1.19.0.dev0 documentation

Please try to learn what a certain command from a guide actually does and don't mindlessly do what the guide says.

3 Likes

Thank you for the link.
I already read that section on the document soon after posting the question. Sorry I should have done the reading before posting the question. I just did not realize using --expand at the end would cause this issue.

2 Likes

Adding --expand with just a single hostname (with the -d option) doesn't do anything, so it wouldn't cause an issue either.

2 Likes

I would start by reviewing the entire nginx configuration, with the output of:
sudo nginx -T

2 Likes
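As an added example (not from the thread), a simplified Python check over `nginx -T` output for the observation above that the webroot passed with `-w` must be the root nginx actually serves for that hostname; the config excerpt is constructed, and it assumes the failing vhost serves a single-page app with a catch-all, which is one way to get an HTML page back instead of the challenge token.

```python
import re
from typing import Dict, List, Optional

# Constructed `nginx -T` excerpt (not the poster's real config): the second vhost
# has a catch-all, so /.well-known/acme-challenge/<token> is answered with index.html.
NGINX_T_OUTPUT = """\
server {
    server_name myapp.john.com www.myapp.john.com;
    root /usr/share/nginx/html;
}
server {
    server_name test.myapp.john.com www.prod.myapp.john.com;
    root /var/www/spa/build;
    location / {
        try_files $uri /index.html;
    }
}
"""

def parse_vhosts(config: str) -> List[Dict[str, object]]:
    # Simplified parser: server_name and the server-level root of each server block.
    vhosts, block, depth = [], None, 0
    for raw in config.splitlines():
        line = raw.strip()
        if block is None:
            if re.match(r"server\s*\{", line):
                block, depth = {"names": [], "root": None}, 1
            continue
        depth += line.count("{") - line.count("}")
        m = re.match(r"server_name\s+(.+);", line)
        if m:
            block["names"] = m.group(1).split()
        m = re.match(r"root\s+(\S+);", line)
        if m and depth == 1 and block["root"] is None:
            block["root"] = m.group(1)
        if depth == 0:  # closing brace of the server block
            vhosts.append(block)
            block = None
    return vhosts

def root_for(config: str, hostname: str) -> Optional[str]:
    for v in parse_vhosts(config):
        if hostname in v["names"]:
            return v["root"]
    return None  # no vhost names this host: nginx uses its default server instead

def webroot_matches(config: str, hostname: str, webroot: str) -> bool:
    """True when certbot's -w path is the vhost root, so the token file is reachable."""
    return root_for(config, hostname) == webroot.rstrip("/")
```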