Certbot scripting when adding new subdomains/wildcards via DNS

The version of my client is 2.8.0

On a debian 12 server I would like to be able to add extra subdomain names and possibly wildcard subdomain names for some domain names. I.e. at times the existing cert needs te be expanded with each renewal.

I've read different options for that, with either certonly or renew or a post deploy addition. Currently I have a script that has:

certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --key-type ecdsa --dns-cloudflare --[its creds location] \
-d a.domain.tld,b.domain.tld,c.domain.tld

systemctl reload postfix etc.
exit 0

but I'm not sure what to do if I want to just expand adding new subdomains, like
to the existing cert, and have the path under /etc/letsencrypt/archive remain as it is, and not see letsencrypt create new paths/certs so the symlinks under /live/ won't add up in numbers etc.
I've seen this happen (new paths to the cert with 0001 in the dirname etc), and presumably that was because I ran it without "renew" ?

How do I best add new domain names to the existing script?
Is it best to add a file with just all the domains in one location, like post deploy, and then use
certbot renew all
or do I just add them to the existing script? And do I need to add "certonly" or not?

I think you're looking for the --cert-name option, which lets you specify which certificate you're replacing, rather than certbot guessing. I've seen it argued that it should basically always be specified, and that it's a real shame that most tutorials don't seem to mention it.

To make changes to a certificate that includes adding new domain names, just run the command you're trying to run, including hooks and the list of domain names (and including --cert-name to specify which certificate you're updating), and certbot will get the updated certificate and store the information to use for renewals.

Well, that depends on whether what you're looking for is certbot to only get the certificates, or whether you want certbot to also try to install them for you.


Thanks, that was what I was looking for indeed!~
I've just read up in the docs, but do I understand correctly that when I use --cert-name I will have to put the dir-name domain that's already created under /etc/letsencrypt/archive as the first name after --cert-name or will certbot just assume the existing cert is the one I'm expanding no matter where it is in the scripted command?

1 Like

Use the certbot certificates command to see all your certificate names.

But, yes, usually those line up with the certs in ../live/ which are symbolic links to ../archive/

Best to not use lots of options on the renew command. Repeat the original command you used to get the cert with your new options. If that is successful the renewal profile gets updated in the /renewal/ folder.

The renew command renews all the certs on your system using their /renewal/ profiles


But if I use just the renew option, like so:

certbot renew certonly --cert-name a.domain.tld \
-d a.domain.tld,b.domain.tld,c.domain.tld,newlyadded.domain.tld

will that actually auto expand without interaction?
I can try, of course, using staging, but I think this should do the job, right?

No. What was the command you issued originally to get that cert?

Was it something like?

certbot certonly --webroot -w (some path) -d (some domains)

If you don't remember please show the file in the /etc/letsencrypt/renewal folder for the cert profile in question


I've edited the first post with what I initially used. So that should work, since all info except certonly and cert-name is in the renewal conf.

Is your script purely meant for renewing? Because usually it works like:

  • One uses the run (the default, not mandatory) or certonly subcommand to get a certificate, possibly including a --deploy-hook option;
  • One runs certbot renew without ANY other options periodically to renew all existing certificates, usually by means of an automatically installed systemd timer or cronjob or sometimes with a manually set cronjob. Note that the --deploy-hook used in the initial certificate issuance is remembered and used after every renewal;
  • When one wants to change a certificates contents, one runs the run or certonly command again, but with different options, possibly using the --cert-name option to make sure no duplicate certificates come into existence.

Usually one does NOT use any custom scripts for renewal, especially not using the run or certonly subcommands.


So how does one best add new subdomains to or remove domains from the cert then, while or during renewal?
Sorry if I've made it seem confusing, but upon reading and searching, I see a lot of contradictory advice regarding expansion of one cert while renewing.

Either way, config is OK, I only require certonly, dns api with cloudflare, wildcard option and sometimes expansion or cutting down of one cert.

The "while or during renewal" in your question is what's confusing us.

Update the certificate when you need to add/remove a domain or otherwise change the cert, using certbot run or certbort certonly or whatever.

Renewals should be handled with the automatic scheduled job that just runs certbot renew in the background and you shouldn't be worrying about at all.


OK, so the adding or removing stuff from an existing cert I should perform using the script then, I get it.
I will then not use the 'renew' option in that script, but enforce it to use the existing cert-name. I had up to now not been aware of the cert-name functionality, so thanks for that, all of you. It's been a real help!

1 Like

Why use a script in the first place? What's its exact purpose compared to just running the Certbot command on the command line manually? I don't see any fancy things with input variables from some other automated thing for example.


LOL are you serious? First, you only see the relevant part of the script. Second, I would have to type out lists of domain names at the command line each time, not forgetting one, plus remember all the exact commands for certbot. Which as it stands is not something I would have to do every day, so one tends to forget the parameters and options etc. I mean, you can't possibly be remotely serious with that response.

I'm dead serious.

I don't have a crystal globe, so we have to work with the sparse information provided.

That's why I asked for clarification. Garbage in = garbage out.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.