Command for wildcard subdomain when have two existing certificates

I have a VPS with two domains, the first of which will have multiple sub-domains.

Initially I used sudo certbot --apache -d domain1.com -d www.domain1.com

Then later I used sudo certbot --apache -d domain2.com -d www.domain2.com

Both worked fine and the key files are stored in different subdirectories of /etc/letsencrypt/live/

What command should I use to get certificates for a.domain1.com, b.domain1.com etc?

Should I use the following single command, including every existing domain from both the above commands plus the new wildcard subdomain?

sudo certbot --apache --expand -d domain1.com -d www.domain1.com -d domain2.com -d www.domain2.com -d *.domain1.com

The reason I'm not sure is because I think I have ended up with two separate certificates, and wonder whether the --expand parameter above would only work if I'd created a single one.

Thank you.


Hi @Jonathan9, and welcome to the LE community forum :slight_smile:

I don't think you can request a wildcard cert that also includes domains that would be covered by the wildcard cert.
*.domain1.com
covers:
www.domain1.com

This is not necessarily a bad thing.

Could you put all the names on one cert? Probably.
Should you? Maybe and maybe not.
[there is no wrong answer]


Essentially, the --expand option will confirm Certbot's choice of a random one of the two to replace with the expanded certificate, if there are two possible certificates for which the new certificate would be a possible expansion.

If you want to pick a particular one, you can use the --cert-name option to specify which certificate name the new certificate ought to be saved under. Otherwise the choice that Certbot makes is essentially arbitrary from the user's point of view (I think it might likely be the one with the alphabetically first cert name).


Also note that the --apache authenticator plugin only handles the http-01 challenge and you'd need the dns-01 challenge for a wildcard certificate.


I know --apache works so want to use it again, which means there are two reasons not to use that wildcard. I'll get certificates for the two existing subdomains for now.

Does the following look right?

sudo certbot --apache --cert-name domain1.com -d domain1.com,www.domain1.com,domain2.com,www.domain2.com,a.domain1.com,b.domain1.com

Thanks again.


That command should result in a single certificate for all those hostnames, overwriting your previous domain1.com certificate, assuming its name is actually domain1.com and not www.domain1.com. You can check the cert names by running certbot certificates.

Also note that the apache installer should be smart enough to update the current reference to your now-current but then old domain2.com certificate to the then newly issued domain1.com cert, but it doesn't hurt to verify that!

Also note that if everything is set up correctly in Apache and you're satisfied with your single cert containing all the hostnames, you should delete the now-unnecessary domain2.com cert. Otherwise it keeps renewing unnecessarily, indefinitely, while not in use, which would be a waste of Let's Encrypt resources.


Thanks for that. I'll give it a go :slight_smile:

I've a related "what next" question but thought it was sufficiently different for a new topic: Procedure on moving subdomain to new server


I got the error:

An unexpected error occurred:
ValueError: Unable to set value to path!

I'm in a rush to leave the house now, but will add more details later... I wonder whether this is an obvious error to explain, though, even without full details.

Edit: I logged in as root, typed the same command (minus sudo) and it worked fine. Here is the final result:

root@...:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: domain1.com
    Domains: domain1.com a.domain1.com b.domain1.com domain2.com www.domain1.com www.domain2.com
    Expiry Date: 2021-08-15 12:54:57+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/domain1.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/domain1.com/privkey.pem
  Certificate Name: domain2.com
    Domains: domain2.com www.domain2.com
    Expiry Date: 2021-08-13 07:48:03+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/domain2.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/domain2.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I deleted the domain2.com certificate by typing certbot delete and selecting "2" which related to that certificate.

It's all working fine. Thanks everybody.

Did you double check if your webserver configuration is only pointing to the files in /etc/letsencrypt/live/domain1.com/? Otherwise your webserver won't (re)start as it'll be missing critical files if it's still using the files from the /live/domain2.com/ directory.
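The check suggested above, as an added shell example that is not from this thread or from Certbot: before running certbot delete on a lineage, grep the Apache vhost files for any SSLCertificate*File directive that still points into that lineage's /etc/letsencrypt/live/<name>/ directory. The config directory and the sample vhost files it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example: find Apache vhosts that still reference a certbot lineage.
# Only when no vhost references the lineage is it safe to `certbot delete` it;
# otherwise Apache will fail to (re)start once the files are gone.

# lineage_refs CONF_DIR LINEAGE
# Prints "file:line:directive" for every SSLCertificateFile, SSLCertificateKeyFile
# or SSLCertificateChainFile pointing at /etc/letsencrypt/live/LINEAGE/.
lineage_refs() {
  conf_dir=$1
  lineage=$2
  # dots in LINEAGE are unescaped, so this is a slightly loose match; fine for a pre-delete check
  grep -rEn "SSLCertificate(Key|Chain)?File[[:space:]]+/etc/letsencrypt/live/${lineage}/" "$conf_dir" 2>/dev/null || true
}

# safe_to_delete CONF_DIR LINEAGE -> exit 0 only when nothing references the lineage
safe_to_delete() {
  [ -z "$(lineage_refs "$1" "$2")" ]
}

# make_sample_conf -> prints a temp dir holding two constructed vhost files:
# one already migrated to the domain1.com lineage (as in the thread), and one
# stale vhost still pointing at the domain2.com lineage.
make_sample_conf() {
  d=$(mktemp -d)
  printf '%s\n' '<VirtualHost *:443>' \
    '  SSLCertificateFile /etc/letsencrypt/live/domain1.com/fullchain.pem' \
    '  SSLCertificateKeyFile /etc/letsencrypt/live/domain1.com/privkey.pem' \
    '</VirtualHost>' > "$d/domain2.com-le-ssl.conf"
  printf '%s\n' '<VirtualHost *:443>' \
    '  SSLCertificateFile /etc/letsencrypt/live/domain2.com/fullchain.pem' \
    '  SSLCertificateKeyFile /etc/letsencrypt/live/domain2.com/privkey.pem' \
    '</VirtualHost>' > "$d/stale-le-ssl.conf"
  echo "$d"
}

# Demo against the constructed config; on a real server use /etc/apache2/sites-enabled.
sample=$(make_sample_conf)
if safe_to_delete "$sample" domain2.com; then
  echo "domain2.com: no references, safe to run: certbot delete --cert-name domain2.com"
else
  echo "domain2.com is still referenced, fix these first:"
  lineage_refs "$sample" domain2.com
fi
```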

/etc/apache2/sites-available/domain2.com-le-ssl.conf contains:

SSLCertificateFile /etc/letsencrypt/live/domain1.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain1.com/privkey.pem

Is this what you mean?

Yes, indeed. Looks fine!

