Correct way to Add new domains for Lets Encrypt on Debian 9

gosulove · July 11, 2019, 1:15am

I have a server on Linode with 1-click install (Debian 9) .

After that I install Lets Encrypt by following Certbot official procedures.

https://certbot.eff.org/lets-encrypt/debianstretch-apache

Everything works ok without any error. However, when i add another domain to the same server, it get warning by saying this new site is "Not Secure"

By checking the following files

/etc/letsencrypt/live

I only manage to see my1stdomain.com So i think this is the main reason for the my2nddomain.com to receive a warning "Not Secure"

I can’t find the official docs for add new domains on certbot.eff.org

What i found the most likely to be the correct way to add new domains are this command line

sudo -H ./letsencrypt-auto certonly --standalone -d my2nddomain.com -d www.my2nddomain.com

However, i don’t dare to test it yet because I am afraid it may get error and cause the whole server not working. By then, my 1stdomain will also be effected.

Anyone can advice ?

_az · July 11, 2019, 1:20am

If you’d like to update your existing certificate to be valid for both domains, then you can do it like:

sudo -H ./letsencrypt-auto certonly --standalone \
--cert-name my1stdomain.com -d my1stdomain.com -d my2stdomain.com

Assuming that your existing certificate in /etc/letsencrypt/live is called my1stdomain.com.

The key is using --cert-name so that you update the existing certificate rather than creating a new one with a separate name.

gosulove · July 11, 2019, 1:29am

thanks for your instant reply. Just like what you have mentioned, I want to

" update myexisting certificate to be valid for both domains"

So i will follow your coding

sudo -H ./letsencrypt-auto certonly --standalone \
--cert-name my1stdomain.com -d my1stdomain.com -d my2stdomain.com

On top of that, do I need to add something like www.my1stdomain.com & www.my2nddomain.com ?

_az · July 11, 2019, 1:33am

If you need those www subdomains as well, you can add additional -d parameters, following the example of the first two domains:

-d my1stdomain.com -d my2stdomain.com -d www.my1stdomain.com -d www.my2stdomain.com

You can include 100 domains/subdomains per certificate, in this manner.

gosulove · July 11, 2019, 1:37am

ok ! thanks for the info. So far I don’t have subdomain yet. All the traffic will be direct to my1stdomain.com/… and my2nddomain.com/…

--cert-name my1stdomain.com -d my1stdomain.com -d my2stdomain.com

I am totally new to this. Just to double confirm –cert-name , <- is the “name” in this command need to be some word that I set when creating the certificate ?

_az · July 11, 2019, 1:39am

The name matches the name of your existing certificate in the live directory.

So if you have /etc/letsencrypt/live/my1stdomain.com already, you would use --cert-name my1stdomain.com.

gosulove · July 11, 2019, 1:40am

great! let me try now, i will update here very soon.

gosulove · July 11, 2019, 1:44am

hello! When i excute the command you have given in Putty. I got this error… Can you help?

sudo: ./letsencrypt-auto: command not found

_az · July 11, 2019, 1:49am

Uh, well it depends how you installed Certbot. I just copied your example from your first post.

If you followed the instructions from the certbot.eff.org page that you linked originally, then you would instead run:

sudo certbot

etc

gosulove · July 11, 2019, 1:52am

Ok… So that means the correct command line should be this?

sudo certbot certonly --standalone \ --cert-name my1stdomain.com -d my1stdomain.com -d my2stdomain.com

_az · July 11, 2019, 1:54am

Yes (though you can get rid of the \ - it’s only needed for a line break).

Make sure you stop any running webservers first, since they will conflict with --standalone.

gosulove · July 11, 2019, 2:04am

" Make sure you stop any running webservers first, since they will conflict with --standalone ."

I get confused about this… can you explain more? I have no idea of “–standalone”

schoen · July 11, 2019, 2:32am

Your sample command contains --standalone. With this option, Certbot creates its own temporary web server on port 80 in order to prove your control over your domain names. That conflicts with any existing web server that normally listens on port 80.

gosulove · July 11, 2019, 2:43am

thx for your reply. I think i made a mistake because this line of coding i copy from elsewhere. Let me share with more details when creating this cert on a fresh install 1 month ago. Bascially, i follow Certbot official docs

sudo apt-get install certbot python-certbot-apache -t stretch-backports
sudo certbot --apache
sudo certbot certonly --apache
sudo certbot renew --dry-run

So to add new domain to the existing server with same cert. what should be the correct command line? Should i replace “standalone” with “apache” ?

sudo certbot certonly --apache --cert-name my1stdomain.com -d my1stdomain.com -d my2stdomain.com

schoen · July 11, 2019, 2:45am

That is fine, and you might not want to include certonly if you want Certbot to try to configure your Apache server with the new certificate.

gosulove · July 11, 2019, 2:53am

Ok. just to final confirm this line of command should be correct right?

schoen · July 11, 2019, 3:31am

Yes, supposing that /etc/letsencrypt/live only lists my1stdomain.com and that your existing certificate doesn’t cover any other names, including the www subdomains.

gosulove · July 11, 2019, 3:45am

yup , currently, the server only 1 domain which is my1stdomain.com and no other subdomains