Certbot only issuing certificates for one domain given


#1

Please fill out the fields below so we can help you better.

My domain is:
michaelv.co (plus a bunch of other subdomains)

I ran this command:
certbot certonly -d michaelv.co -d ***1.michaelv.co -d ***2.michaelv.co -d ***3.michaelv.co -d ***4.michaelv.co -d ***5.michaelv.co -d ***6.michaelv.co

It produced this output:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/***1.michaelv.co/fullchain.pem. Your cert
   will expire on 2017-03-12. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

My operating system is (include version):

Debian 8

My web server is (include version):
nginx/1.6.2

My hosting provider, if applicable, is:
n/a dedicated

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

I run this command with all of the subdomains plus my main domain, but certbot only issues a cert for one of my domains, and the output only shows one domain as well. Weird part, here’s the output while it’s performing challenges:

   β”‚ tls-sni-01 challenge for michaelv.co                                 β”‚
   β”‚ tls-sni-01 challenge for ***1.michaelv.co                        β”‚
   β”‚ tls-sni-01 challenge for ***2.michaelv.co                           β”‚
   β”‚ tls-sni-01 challenge for ***3.michaelv.co                           β”‚
   β”‚ tls-sni-01 challenge for ***4.michaelv.co                            β”‚
   β”‚ tls-sni-01 challenge for ***5.michaelv.co                              β”‚
   β”‚ tls-sni-01 challenge for ***6.michaelv.co

Am I just missing something huge or is this an actual bug? Running as a standalone webserver, not as web root.


#2

You have asked it there to obtain a single certificate, which is valid for all the domains.

If you want separate certificates for each different subdomain, then you will have to run separate commands

certbot certonly -d michaelv.co
certbot certonly -d ***1.michaelv.co


#3

Very likely you have misunderstood what’s going on here.

X.509 certificates have a single subject, but the version of X.509 used for the Web PKI has a feature called Subject Alternate Names (SANs) which lets us have more than one DNS name (among other things) in a certificate.

The Common Name on the certificate will be reported as just one of the names you asked for, but since all the other names are listed inside the certificate as SANs it will be accepted as a certificate for all those names.

If you in fact need separate certificates, for some reason, you can do as @serverco described.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.