Certificate name mismatch - should I revoke new certificate?

I issued a new certificate for a subdomain, and now I get the certificate name mismatch when I visit the site in the browser. Here are roughly the steps I did. A month ago I issued a certificate for two domains:

sudo certbot certonly --authenticator webroot --installer apache -w /var/www/example.com -d site1.example.com -d site2.example.com

In the meantime I deployed a new site under the URL site3.example.com, but I forgot that it is a subdomain, and issued the certificate as:

sudo certbot certonly --authenticator webroot --installer apache -w /var/www/site3.com -d site3.example.com

As noted here, all these domains should be in the same certificate file, and in my case they are not. I know that I can use --expand on the original certificate and add site3.example.com, but what should I do with the certificate under /etc/letsencrypt/live/site3.example.com? Should I just rm -rf it, or do I need to revoke it and then --expand the original certificate?

Use certbot certificates to retrieve the internal name (cert-name) of the extraneous certificate. Then delete it with certbot delete --cert-name ...


Does it matter that I have two different webroots for these sites? i.e. site1 and site2 are under /var/www/example.com and site3 is under /var/www/site3.example.com?

Can I use:

sudo certbot certonly --authenticator webroot --installer apache -w /var/www/example.com -d site1.example.com -d site2.example.com -d site3.example.com --expand

Even though site3 is in different directory?

Before the -d option for site3, you should specify another webroot with a second -w option.

The -w counts for every domain after the option until there’s another -w. From the second -w on, that webroot counts for the next -d options. And so on and so on. You can specify 100 hostnames with 100 different webroots or any combination.

Also, because you’re specifying an authenticator as well as an installer plugin, the certonly option actually doesn’t make any sense: the idea behind certonly is that it only gets you the certificate without actually installing it, but with --installer apache you’re saying: “please install the certificate for me”. I’m actually surprised certbot accepts this combination.

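The -w/-d grouping rule described in the reply above, as an added example that is not part of the thread and not certbot's own code: a small POSIX sh script that walks a certbot argument list exactly the way the reply describes (each -w applies to every -d after it until the next -w), prints the resulting domain-to-webroot mapping, and then checks that each webroot's .well-known/acme-challenge directory can be created and written, which is what the webroot authenticator needs for the HTTP-01 token. The function names webroot_map and check_challenge_dirs are my own, and the parser handles only the space-separated -w PATH / -d NAME forms (plus comma-separated -d lists), not -w=PATH. It never contacts certbot or Let's Encrypt, so it is safe to run before the real command, with or without --dry-run.

```shell
#!/bin/sh
# Added example, not code from the original thread or from certbot.
# Models the rule: with the webroot authenticator, a -w applies to every
# -d that follows it until the next -w. Only local directories are touched.

# webroot_map ARGS... -> prints "domain webroot" (space separated) for each
# name, in order. A comma-separated -d list is expanded into one line per
# name. A -d seen before any -w is an error (exit status 2), since there is
# no webroot it could belong to.
webroot_map() {
    current=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -w|--webroot-path)
                current=$2
                shift 2 ;;
            -d|--domain|--domains)
                if [ -z "$current" ]; then
                    echo "error: $2 listed before any -w" >&2
                    return 2
                fi
                names=$(printf '%s' "$2" | tr ',' ' ')
                for name in $names; do
                    printf '%s %s\n' "$name" "$current"
                done
                shift 2 ;;
            *)
                shift ;;   # --expand, --dry-run, --installer ... do not change the mapping
        esac
    done
}

# check_challenge_dirs ARGS... -> runs webroot_map and, for every distinct
# webroot, confirms that <webroot>/.well-known/acme-challenge exists (or can
# be created) and is writable by the current user. Prints one line per
# webroot and returns the number of webroots that failed, so 0 means the
# argument list is usable as-is. Returns 2 if the argument list itself is bad.
check_challenge_dirs() {
    map=$(webroot_map "$@") || return 2
    failures=0
    seen=" "
    oldifs=$IFS
    IFS='
'
    for line in $map; do
        IFS=$oldifs
        root=${line#* }                       # domain names contain no spaces
        case "$seen" in *" $root "*) continue ;; esac   # each webroot once
        seen="$seen$root "
        dir="$root/.well-known/acme-challenge"
        if mkdir -p "$dir" 2>/dev/null && [ -w "$dir" ]; then
            echo "ok      $dir"
        else
            echo "FAILED  $dir (cannot create or not writable)"
            failures=$((failures + 1))
        fi
    done
    IFS=$oldifs
    return $failures
}

# Usage: pass the same arguments you are about to give certbot, for example
#   check_challenge_dirs -w /var/www/example.com -d site1.example.com \
#       -d site2.example.com -w /var/www/site3.com -d site3.example.com
# The command in the thread maps site1 and site2 to /var/www/example.com and
# site3 to /var/www/site3.com; if either directory is not writable by the
# user running certbot, the HTTP-01 challenge cannot succeed.
```

Run it as the same user that will run certbot (root, if you use sudo), otherwise the writability check answers a different question than the one you care about.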

I’m not sure why it works. But as a matter of fact it does not do anything with the apache configuration files (which is exactly what I want).

I came up with this according to your explanation:

sudo certbot certonly --authenticator webroot --installer apache -w /var/www/example.com -d site1.example.com -d site2.example.com -w /var/www/site3.com -d site3.example.com --expand --dry-run

Dry run passes.

Well, you can remove --installer apache in that case. I guess it doesn't do anything now anyway as you say.


…and the answer to “should I revoke” is pretty much always “no.”

