I issued a new certificate for a subdomain, and now I get a certificate name mismatch when I visit the site in the browser. Here are roughly the steps I did. A month ago I issued a certificate for two domains:
As noted here, all these domains should be in the same certificate file, and in my case they are not. I know that I can use --expand on the original certificate and add site3.example.com, but what should I do with the certificate under /etc/letsencrypt/live/site3.example.com? Should I just rm -rf it, or do I need to revoke it and then --expand the original certificate?
Does it matter that I have two different webroots for these sites? i.e. site1 and site2 are under /var/www/example.com and site3 is under /var/www/site3.example.com?
Before the -d option for site3, you should specify another webroot with a second -w option.
The -w counts for every domain after the option until there’s another -w. From the second -w, that webroot counts for the next -d options. And so on and so on. You can specify 100 hostnames with 100 different webroots or any combination.
Also, because you’re specifying an authenticator as well as an installer plugin, the certonly option actually doesn’t make any sense: the idea behind certonly is that it only gets you the certificate without actually installing it, but with --installer apache you’re saying: “please install the certificate for me”. I’m actually surprised certbot actually accepts this combination.
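The -w/-d pairing rule from the reply above, as an added example that is not part of the original posts and is not certbot's own parser: it lists which webroot each name in a command line would be validated from, so a wrong pairing is visible before the command is run. The hostnames site1.example.com and site2.example.com and the function names are assumptions; names given before any -w are reported as NONE because the rule as stated assigns them no webroot, and what certbot itself does with them is not modelled.

```shell
#!/bin/sh
# Added example: a model of the -w/-d pairing rule, not certbot's own parser.
# Prints "name webroot" for each -d name in a certbot argument list.
# Only the space-separated forms (-w PATH, -d NAME[,NAME...]) are handled.
map_webroots() {
    webroot=""
    while [ "$#" -gt 0 ]; do
        opt=$1; shift
        case "$opt" in
            -w|--webroot-path)
                [ "$#" -gt 0 ] || { echo "missing value for $opt" >&2; return 2; }
                webroot=$1; shift ;;
            -d|--domain|--domains)
                [ "$#" -gt 0 ] || { echo "missing value for $opt" >&2; return 2; }
                names=$1; shift
                # One -d may carry several comma-separated names.
                while [ -n "$names" ]; do
                    printf '%s %s\n' "${names%%,*}" "${webroot:-NONE}"
                    case "$names" in
                        *,*) names=${names#*,} ;;
                        *)   names="" ;;
                    esac
                done ;;
        esac
    done
}

# Fails (status 1) when any name was given before the first -w.
check_webroots() {
    bad=$(map_webroots "$@" | awk '$2 == "NONE" { print $1 }')
    [ -z "$bad" ] || { echo "no webroot for:" $bad >&2; return 1; }
}

# Constructed command line: site1/site2 hostnames are assumed.
map_webroots certonly --webroot --expand \
    -w /var/www/example.com -d site1.example.com,site2.example.com \
    -w /var/www/site3.example.com -d site3.example.com
```
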