Creating a second certificate even though a first one already exists

Hello.
Here is the basic information:

I can read answers in English: yes

My domain is: suinot.org

My web server is (include version): nginx/1.26.3 (Debian stable)

The operating system my web server runs on is (include version): Debian stable, up to date

My hosting provider, if applicable, is: self-hosted, including DNS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, I manage it myself.

Description of my "problem":
I have a working certificate with several names: www.suinot.org, mastodon.suinot.org, mail.suinot.org ... in the same certificate.
Is it possible (advisable?) to split off the certificate for mail.suinot.org?
I have trouble with a few applications, and I suspect the applications are unable to find mail.suinot.org among the other domain names:

Found in the certificate on my web page:

Validity:

Not before Sun, 29 Mar 2026 15:07:34 GMT
Not after Sat, 27 Jun 2026 15:07:33 GMT

Subject alternative names:

DNS name imap.suinot.org
DNS name mail.suinot.org
DNS name nextcloud.suinot.org
DNS name webssh.suinot.org
DNS name www.suinot.org

Thank you for your opinions.
R. Suinot.

1 Like

You do not need to "unlink" the mail domain from your existing cert. For a test you could make a new cert with only the mail subdomain in it. Reconfigure your mail service to use that cert. If that solves the problem you can later remove mail name from your other cert.

How you do this depends on which ACME Client you use to get the cert. Let us know and we can give further advice.

There are some apps that still use the Common Name in the certificate even though it has been deprecated for decades. A cert with only the mail subdomain in it will also have that name in the Common Name field. Other than that the cert will be the same. I see your existing cert is RSA so be sure to keep that for your new cert too. Some ACME Clients default to issuing an ECDSA cert.

2 Likes

@MikeMcQ
Thanks for your answer
My current version of certbot:

/usr/bin/certbot --version
certbot 4.0.0

How can I differentiate between my current certificate
live/suinot.org-0001/ and the one generated for the mail server?

Regards.
R. Suinot.

Start by showing us the output of
/usr/bin/certbot certificates

2 Likes

latest is:
certbot 5.4.0

1 Like
/usr/bin/certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: suinot.org-0001
    Serial Number: 6d4ce2dd3ce1677e825f6b641139a4c7845
    Key Type: RSA
    Domains: imap.suinot.org mail.suinot.org nextcloud.suinot.org webssh.suinot.org www.suinot.org
    Expiry Date: 2026-06-27 15:07:33+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/suinot.org-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/suinot.org-0001/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My version of Certbot is outdated! Amazing!
Debian:

apt search certbot | grep install

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

certbot/stable,stable,now 4.0.0-2 all [installé]
python3-certbot/stable,stable,now 4.0.0-2 all [installé, automatique]
python3-certbot-nginx/stable,stable,now 4.0.0-2 all [installé]

Have a look at the Certbot Instructions.

Create a cert with only the mail subdomain in it. Use the same command you used originally to get the cert with all those names. Add a --cert-name X option and the --key-type as in this example. The --nginx option may work but if you used some other option (like --webroot/-w) use that instead.

/usr/bin/certbot certonly --cert-name mail.suinot.org --nginx -d mail.suinot.org --key-type rsa

If that works you will see the path to this cert using /usr/bin/certbot certificates

Use that path and configure your mail service to use that path.

3 Likes
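
The checks the replies above describe (the mail name as Common Name, the SAN list, an RSA key), as an added example that is not part of any post in this thread: it reads those fields from a PEM file with openssl. The `*.example.org` names and the `make_sample` helper are assumptions, and the self-signed certificates are constructed stand-ins so the script runs offline.

```shell
#!/bin/sh
# Added example: read the fields this thread turns on (Common Name, SAN list,
# key type) from a PEM certificate. Assumes openssl 1.1.1 or later.

cert_cn() {        # subject Common Name
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

cert_sans() {      # DNS entries of the SAN extension, one per line
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

cert_key_type() {  # "rsaEncryption" for RSA, "id-ecPublicKey" for ECDSA
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Public Key Algorithm: *//p'
}

# usage: check_mail_cert CERT.pem NAME
# Succeeds only if NAME is the CN, NAME is a SAN entry, and the key is RSA.
check_mail_cert() {
    [ "$(cert_cn "$1")" = "$2" ] ||
        { echo "FAIL: CN is '$(cert_cn "$1")', not $2"; return 1; }
    cert_sans "$1" | grep -qxF "$2" ||
        { echo "FAIL: $2 is not in the SAN list"; return 1; }
    [ "$(cert_key_type "$1")" = "rsaEncryption" ] ||
        { echo "FAIL: key type is $(cert_key_type "$1")"; return 1; }
    echo "OK: $2 is CN and SAN, key is RSA"
}

# Constructed sample input (hypothetical helper): a self-signed stand-in for
# an issued certificate. usage: make_sample OUT.pem CN "DNS:a,DNS:b"
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=$3" -keyout "$1.key" -out "$1" 2>/dev/null
}

tmp=$(mktemp -d)
# Multi-name certificate whose CN is not the mail host (placeholder names).
make_sample "$tmp/multi.pem" www.example.org \
    "DNS:www.example.org,DNS:mail.example.org,DNS:imap.example.org"
# Dedicated certificate: the mail host is the only name, so it is also the CN.
make_sample "$tmp/mail.pem" mail.example.org "DNS:mail.example.org"

check_mail_cert "$tmp/multi.pem" mail.example.org || true
check_mail_cert "$tmp/mail.pem" mail.example.org || true
```

Against a real installation, pass `check_mail_cert` the Certificate Path that `certbot certificates` reports, together with the mail host name.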

Thank you for your help!

First, I updated Certbot.

/usr/local/bin/certbot --version
certbot 5.4.0

And with your help, I created the certificate for mail.suinot.org.

Thank you so much.

I'm closing this thread.

R. Suinot.

2 Likes