Command for wildcard subdomain when I have two existing certificates

I have a VPS with two domains, the first of which will have multiple sub-domains.

Initially I used sudo certbot --apache -d -d

Then later I used sudo certbot --apache -d -d

Both worked fine and the key files are stored in different subdirectories of /etc/letsencrypt/live/

What command should I use to get certificates for, etc?

Should I use the following single command, including every existing domain from both the above commands plus the new wildcard subdomain?

sudo certbot --apache --expand -d -d -d -d -d *

The reason I'm not sure is because I think I have ended up with two separate certificates, and wonder whether the --expand parameter above would only work if I'd created a single one.

Thank you.


Hi @Jonathan9, and welcome to the LE community forum :slight_smile:

I don't think you can request a wildcard cert that also includes domains that would be covered by the wildcard cert.

This is not necessarily a bad thing.

Could you put all the names on one cert? Probably.
Should you? Maybe and maybe not.
[there is no wrong answer]


Essentially, the --expand option will confirm Certbot's choice of a random one of the two to replace with the expanded certificate, if there are two possible certificates for which the new certificate would be a possible expansion.

If you want to pick a particular one, you can use the --cert-name option to specify which certificate name the new certificate ought to be saved under. Otherwise the choice that Certbot makes is essentially arbitrary from the user's point of view (I think it might likely be the one with the alphabetically first cert name).


Also note that the --apache authenticator plugin only handles the http-01 challenge and you'd need the dns-01 challenge for a wildcard certificate.


I know --apache works, so I want to use it again, which means there are two reasons not to use that wildcard. I'll get certificates for the two existing subdomains for now.

Does the following look right?

sudo certbot --apache --cert-name -d,,,,,

Thanks again.


That command should result in a single certificate for all those hostnames, overwriting your previous certificate, assuming its name is actually and not . You can check the cert names by running certbot certificates.

Also note that the apache installer should be smart enough to update the current reference to your now-current but then old certificate to the then newly issued cert, but it doesn't hurt to verify that!

Also note that if everything is set up correctly in Apache and you're satisfied with your single cert containing all the hostnames, you should delete the now-unnecessary cert. Otherwise it keeps renewing unnecessarily indefinitely while not in use. Which would be a shame of Let's Encrypt resources.


Thanks for that. I'll give it a go :slight_smile:

I've a related "what next" question but thought it was sufficiently different for a new topic: Procedure on moving subdomain to new server


I got the error:

An unexpected error occurred:
ValueError: Unable to set value to path!

I'm in a rush to leave the house now, but will add more details later... I wonder whether this is an obvious error to explain, though, even without full details.

Edit: I logged in as root, typed the same command (minus sudo) and it worked fine. Here is the final result:

root@...:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name:
    Expiry Date: 2021-08-15 12:54:57+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/
    Private Key Path: /etc/letsencrypt/live/
  Certificate Name:
    Expiry Date: 2021-08-13 07:48:03+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/
    Private Key Path: /etc/letsencrypt/live/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I deleted the certificate by typing certbot delete and selecting "2" which related to that certificate.

It's all working fine. Thanks everybody.

Did you double check if your webserver configuration is only pointing to the files in /etc/letsencrypt/live/? Otherwise your webserver won't (re)start as it'll be missing critical files if it's still using the files from the /live/ directory.
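The check asked for above (and the earlier advice to confirm lineage names with certbot certificates before deleting one) can be scripted so it is not done by eye. The following is an added example written for this thread; it is not code from the thread or from certbot. It builds a constructed stand-in for /etc/letsencrypt/live in a temp directory with two made-up lineage names (keep-example.test and old-example.test) and two vhost configs, then reports whether every SSLCertificate*File directive points at an existing file under the lineage being kept.

```shell
#!/bin/sh
# Added example, not from the thread or from certbot itself. Before running
# "certbot delete" on a lineage you believe is unused, confirm the Apache vhost
# only references files under the lineage you are keeping. The lineage names
# (keep-example.test, old-example.test) and the temp directory standing in for
# /etc/letsencrypt/live are constructed for this example.

# lineage_names: read "certbot certificates" output on stdin and print one
# certificate (lineage) name per line, so KEEP_NAME can be checked against
# the names certbot actually manages.
lineage_names() {
    awk '/^[[:space:]]*Certificate Name:/ { print $3 }'
}

# check_vhost_certs CONF LIVE_ROOT KEEP_NAME
#   CONF      Apache site config to inspect
#   LIVE_ROOT directory playing the role of /etc/letsencrypt/live
#   KEEP_NAME lineage you intend to keep
# Prints OK / STALE / MISSING per SSLCertificate*File directive and returns 0
# only when every directive points at an existing file under KEEP_NAME.
check_vhost_certs() {
    conf=$1; live_root=$2; keep=$3
    report=$(
        # Uncommented SSLCertificateFile / SSLCertificateKeyFile /
        # SSLCertificateChainFile directives; the path is the second field.
        grep -E '^[[:space:]]*SSLCertificate(Key|Chain)?File[[:space:]]' "$conf" |
        awk '{ print $2 }' |
        while read -r path; do
            case "$path" in
                "$live_root/$keep/"*)
                    if [ -e "$path" ]; then echo "OK      $path"
                    else echo "MISSING $path"; fi ;;
                *)  echo "STALE   $path (not under $live_root/$keep)" ;;
            esac
        done
    )
    if [ -z "$report" ]; then
        echo "no SSLCertificate*File directives found in $conf"
        return 1
    fi
    printf '%s\n' "$report"
    # Any STALE or MISSING line means Apache would fail to (re)start after the delete.
    ! printf '%s\n' "$report" | grep -Eq '^(STALE|MISSING)'
}

# make_fixture: constructed stand-in for /etc/letsencrypt/live with two
# lineages plus two vhost configs, one already migrated and one still pointing
# at the lineage about to be deleted. Prints the fixture root.
make_fixture() {
    root=$(mktemp -d)
    for name in keep-example.test old-example.test; do
        mkdir -p "$root/live/$name"
        : > "$root/live/$name/fullchain.pem"
        : > "$root/live/$name/privkey.pem"
    done
    cat > "$root/good.conf" <<EOF
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile $root/live/keep-example.test/fullchain.pem
    SSLCertificateKeyFile $root/live/keep-example.test/privkey.pem
</VirtualHost>
EOF
    cat > "$root/stale.conf" <<EOF
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    # still references the lineage we are about to delete
    SSLCertificateFile $root/live/old-example.test/fullchain.pem
    SSLCertificateKeyFile $root/live/old-example.test/privkey.pem
</VirtualHost>
EOF
    echo "$root"
}

# Demo run on the constructed fixture.
root=$(make_fixture)
check_vhost_certs "$root/good.conf" "$root/live" keep-example.test \
    && echo "good.conf: safe to run 'certbot delete' on old-example.test"
check_vhost_certs "$root/stale.conf" "$root/live" keep-example.test \
    || echo "stale.conf: fix the vhost before deleting old-example.test"
rm -rf "$root"
```

On a real host you would call check_vhost_certs with the site file from /etc/apache2/sites-available/, /etc/letsencrypt/live as LIVE_ROOT and the name shown by certbot certificates as KEEP_NAME; a non-zero exit means the delete would leave Apache referencing files that no longer exist. Running "apachectl configtest" after the delete is a second, independent check.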

/etc/apache2/sites-available/ contains:

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/

Is this what you mean?

Yes, indeed. Looks fine!

