Correct steps to add another domain to existing certificate

Hello,

I recently wanted to add another domain to an existing SSL certificate on a server and it broke a few things and overwrote my 000-default-le-ssl.conf file.

I would like to know the correct steps for simply adding another domain name to an existing Let's Encrypt SSL certificate.

My scenario is that I simply want to point another domain to the same directory/folder to have both domains reaching the same content, such as

Existing https://sales.domain.com points to /var/www/html and I wish to point another https://sales.newdomain.com (previously configured via DNS with an A record to the same IP address as my original sales.domain.com) to it.

I did this previously as explained and ran these commands without success:

certbot certonly -d sales.domain.com -d sales.newdomain.com
certbot --apache -d sales.newdomain.com

I did not save the responses, but it did not work.

I then ran this command, which did actually add the second domain, but I had many issues with 000-default-le-ssl.conf and other issues I do not recall…

certbot --authenticator standalone --installer apache -d sales.domain.com -d sales.newdomain.com --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"

As this is on a production server, I’d like to know what the correct command would be to simply add another domain to an existing, working SSL cert that will point to the same directory. I’d rather have the correct command than “trying” things and making a mistake on a live server.

Thank you in advance.

3 Likes

Hi @omega1,

The way to add a domain with Certbot is to reissue the certificate with a complete list of all of the names that should be covered in the new certificate. There's no command that adds a domain without the need to respecify the old names.

The different commands that you're using have very different strategies and effects that are totally unrelated to the effort to add a domain. I would suggest consulting the documentation to decide which approach you want to use (for example --standalone and --apache are doing quite different things). Then, you can issue a certificate that covers all of the names that you want using that approach.

In your post you described encountering errors from some Certbot commands but you said you don't remember what the errors were. If you post the specific errors here, we can try to explain what they mean and what can be done about them. Again, this is probably not related to your effort to add a domain.

1 Like

@schoen Thank you for your prompt reply, much appreciated.

Based on your reply (to re-issue the cert with both domains), I would have thought then that this command would have given the correct result, which was to just add another domain to the existing cert (with sales.domain.com being the existing domain).

certbot certonly -d sales.domain.com -d sales.newdomain.com

Would that not have re-issued the certificate with the old domain and new one?

As mentioned, I have one domain that currently has an SSL cert that points to the folder /var/www/html and I want to add another one that points to the same folder, so essentially I have two different domains that point to the same folder on the same server.

sales.domain.com -> /var/www/html
sales.newdomain.com -> /var/www/html

Thank you.

So, to report back the issues I have, when I run

certbot --expand -d sales.existingdomain.com -d sales.newdomain.com

I get this:

Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for sales.existingdomain.com
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

And it fails.

If I run:

certbot certonly -d sales.existingdomain.com -d sales.newdomain.com

I get this and I do not know what to select as I do not want to enter a new webroot.

Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sales.existingdomain.com
http-01 challenge for sales.newdomain.com

Select the webroot for sales.existingdomain.com:
-------------------------------------------------------------------------------
1: Enter a new webroot
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): c
Cleaning up challenges

OK, I just needed this:

certbot --webroot -w /var/www/html certonly -d sales.existingdomain.com -d sales.newdomain.com

Resolved now, thanks

4 Likes
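As an added example (not posted by anyone in this thread), a small POSIX shell helper that applies the advice above: it reads the names certbot already holds for a certificate, appends the new name, and prints the full webroot `certonly` command so no existing name is accidentally dropped from the reissued certificate. It assumes the `Certificate Name:` / `Domains:` line layout of `certbot certificates` output, the `/var/www/html` webroot from the thread, and a constructed sample of that output; the certbot command itself is only printed, not run.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the certbot reissue command
# from the names already on the certificate plus the new one.

# Constructed sample of `certbot certificates` output (assumed layout).
SAMPLE_CERTBOT_OUTPUT='Found the following certs:
  Certificate Name: sales.domain.com
    Domains: sales.domain.com
    Expiry Date: 2024-01-01 00:00:00+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/sales.domain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/sales.domain.com/privkey.pem'

# existing_domains CERT_NAME  <  certbot-certificates-output
# Prints the space-separated "Domains:" list for the named certificate.
existing_domains() {
  awk -v name="$1" '
    /Certificate Name:/ { current = $3 }
    /Domains:/ && current == name { sub(/^[ \t]*Domains:[ \t]*/, ""); print; exit }
  '
}

# expand_command CERT_NAME NEW_DOMAIN WEBROOT "EXISTING DOMAINS"
# Prints a certonly command that respecifies every existing name plus the
# new one (deduplicated), using webroot auth so Apache keeps running.
expand_command() {
  cert_name="$1"; new_domain="$2"; webroot="$3"; existing="$4"
  cmd="certbot certonly --webroot -w $webroot --cert-name $cert_name"
  seen=" "
  for d in $existing $new_domain; do
    case "$seen" in *" $d "*) continue ;; esac   # skip duplicates
    seen="$seen$d "
    cmd="$cmd -d $d"
  done
  printf '%s\n' "$cmd"
}

# cert_names FULLCHAIN_PEM
# After issuance, lists the DNS names in the new certificate so you can
# confirm both domains are covered before reloading Apache.
cert_names() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tr ',' '\n' | sed -n 's/.*DNS://p'
}

# Usage: print the command for the sample certificate.
current=$(printf '%s\n' "$SAMPLE_CERTBOT_OUTPUT" | existing_domains sales.domain.com)
expand_command sales.domain.com sales.newdomain.com /var/www/html "$current"
```

Review the printed command, then run it; afterwards `cert_names /etc/letsencrypt/live/<cert-name>/fullchain.pem` should list both domains.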
