Certonly --cert-name not recognised


#1

I am trying to change the hosts for an existing certificate from, say:

To just dev01.example.com so I can then have separate certificates for the other two.

So I looked at the documentation and it says, in the Changing a Certificate’s Domains section, that something like this should do it:

certbot certonly --cert-name example.com -d example.com

So I tried:

sudo certbot certonly --cert-name dev01.example.com -d dev01.example.com

And also with --force-renewal but all I get back is:

certbot: error: unrecognized arguments: --cert-name dev01.example.com

Can anyone help me with this? What happened to --cert-name?


#2

What version of Certbot are you using (certbot --version)? The --cert-name functionality is pretty recent.


#3

I’m on 0.9.3. Is it too old? Released October. Installed recently from EPEL for CentOS 7.3.


#4

Yes, the --cert-name option was added in 0.10.0.


#5

Thanks. So is there a recommended way to do this without that option being available? Or do I just delete everything for dev01.example.com from /etc/letsencrypt? I prefer to stick with the OS package manager for software so can’t update to a more recent version at present.


#6

How is the current certificate lineage (i.e., the “cert name”) of your current certificate? You can look in the /etc/letsencrypt/live/ directory. Because if the name is the same as the domain you only want the cert for, you might try to use the --expand option. That option is used for adding domains and keeping the certificate name the same, but it might also be usefull for keeping the same name when removing domains from a certificate.

If the current “name” of the certificate is different than the hostname you want the certificate be for, I don’t know any direct option for that.

That said, the certificate name isn’t stored anywhere. It’s just the name of the directory in /etc/letsencrypt/archive/ and /etc/letsencrypt/live/ ánd the name of the renewal configuration file in /etc/letsencrypt/renewal/ in the form of cert-name.conf (e.g., /etc/letsencrypt/renewal/example.com.conf).

Therefore, if you know what you’re doing, you can for example, if your current certificate name is example.com, containing numerous hostnames, but you only want dev01.example.com, but with the certificate name example.com::

cd /etc/letsencrypt/
mv archive/example.com archive/example.com-backup
mv live/example.com live/example.com-backup
mv renewal/example.com.conf renewal/example.com-backup.conf
sed -i 's/archive\/example.com/archive\/example.com-backup/g; s/live\/example.com/live\/example.com-backup/g' /etc/letsencrypt/renewal/example.com-backup.conf
certbot -d dev01.example.com
mv archive/dev01.example.com archive/example.com
mv live/dev01.example.com live/example.com
mv renewal/dev01.example.com.conf renewal/example.com.conf
sed -i 's/archive\/dev01\.example\.com/archive\/example\.com/g; s/live\/dev01\.example\.com/live\/example\.com-backup/g' /etc/letsencrypt/renewal/example.com-backup.conf

Should do the trick. But I’d advise you to only run the commands if you actually know what they do :wink:


#7

Thanks Osiris, this is really useful. This confirms by suspicions about the back end of Certbot, and will make my future management of certificates much easier. I do get the commands. The certificate is already named with what I want to reduce it to, so the --expand will work for me this time, but the rest has been very helpful in clarifying my understanding of what I’m working with for future stuff. Thanks for the help.


#8

I tried it with --expand and it just created a new certificate (with -0001 appended) rather than updating the existing one. The command I used was:

sudo certbot certonly --webroot -w /example/dev01.example.com -d dev01.example.com --expand

No problems fixing this up, but just wanted to clarify why the command didn’t do the job, if I’m missing something or it just doesn’t do it.


#9

It literally didn’t agree that you were trying to “expand” the cert. Unfortunately for people who are trying to make a cert smaller, the --expand feature will literally only grow an existing cert by adding new names to it (if possible and an appropriate matching cert is found), but never agrees to remove any names from existing certs. If the requested cert would be smaller (even in the sense of missing a single name), it makes a new lineage with the -0001 that you saw.


#10

And notably there is no corresponding --contract or --shrink, for various historical reasons. One reason that --cert-name was added is to provide a straightforward way of accomplishing these tasks.


#11

Thanks schoen, that’s good to know.


#12

Ahhww :anguished:

I just thought the --expand switch wasn’t so smart and just prevented from those nasty -0001 dirs to happen…

Sorry @nigel, I was wrong about that!


#13

No worries, it was worth a try! I had wondered about it too so good to know. Thanks.


#14

Nope, the default is to prompt the user with

You have an existing certificate that contains a portion of the domains you requested (ref: {0}){br}{br}It contains these names: {1}{br}{br}You requested these names for the new certificate: {2}.{br}{br}Do you want to expand and replace this existing certificate with the new certificate?

The --expand flag simply corresponds to saying “Yes” to this question. (There is also a --duplicate flag that forces the -0001 behavior.)

--force-renewal (previously known as --renew-by-default) means “get a new certificate, and replace an existing certificate if there’s any existing certificate whose names are a subset of these names (including being the same as them)”. If you omit a name in an existing certificate, --force-renewal will still make a totally new lineage (named -0001 if the first-specified name is the same as the name of an existing lineage).

For example, suppose you have a lineage called example.com that covers example.com, foo.example.com, bar.example.com.

Cases involving specifying the same 3 names:

  • -d example.com -d foo.example.com -d bar.example.com should ask you if you want to renew or not
  • --force-renewal -d example.com -d foo.example.com -d bar.example.com should renew
  • --duplicate -d example.com -d foo.example.com -d bar.example.com should make example.com-0001

Cases involving specifying the same 3 names plus additional names:

  • -d example.com -d foo.example.com -d bar.example.com -d baz.example.com should ask you if you want to expand or not
  • --expand -d example.com -d foo.example.com -d bar.example.com -d baz.example.com should expand
  • --duplicate -d example.com -d foo.example.com -d bar.example.com -d baz.example.com should make example.com-0001

Cases involving specifying only some of the existing names, with or without additional names:

  • -d example.com -d foo.example.com should make example.com-0001 (because you didn’t mention bar.example.com; none of --expand, --duplicate, or --force-renewal should change this behavior)
  • -d example.com -d foo.example.com -d baz.example.com should make example.com-0001 (because you didn’t mention bar.example.com; none of --expand, --duplicate, or --force-renewal should change this behavior)

So, if you want to specify a lineage to act on without mentioning every domain currently covered by it, or if you want to choose a specific lineage to act on when there are two lineages that cover the same names, or if you want to remove any domains from an existing lineage, you need --cert-name. --cert-name allows you to arbitrary reset the domain coverage of any existing lineage.


Adding subdomain to certificate
#15

Great explanation, thanks. Good to have all that clear.


#16

Is it me or does the bold+italic part of that sentence leave room for interpreting --force-renewal as not adding -0001 to the first FQDN if you only ask for a few (i.e.: subset) of the domains originally in the cert?

Besides that, great explanation of the options of certbot :relaxed: :thumbsup:


#17

The next sentence (“If you omit a name”) is meant to cover that case!


#18

Yay! EPEL got updated so I am on 0.11.1 now and can use --cert-name :smiley:


#19

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.