Does wildcard cert amendment require all-new acme records?

From what I’ve read, if I want to amend an existing certificate that has wildcard subdomains, I have to enter all-new acme challenges into my DNS records. Certbot certainly prompts me to do this.

Is this correct? If I add a domain to an existing cert with wildcard values, do I need to edit all the acme values for all other domains?

2 Likes

Did you previously also use the DNS challenge? Not sure if it’s important, but good to know if it is.

Validations are currently valid for 30 days. So if your previous certificate was issued more than 30 days ago, you’ll need to re-validate every hostname again. If a hostname was validated less than 30 days ago, it shouldn’t be necessary to re-validate that hostname. Only new hostnames should require validation.

3 Likes

If you have a cert that contains for example *.sub1.example.com and *.sub2.example.com and you want to add *.sub3.example.com, you will need to answer a challenge for that new name unless you had previously validated it on another cert from the same ACME account within the past 30 days. You’ll also need to validate the challenges for the original two names if it has been more than 30 days since their original validation.

3 Likes

As other folks here have said, yes, in most cases you’ll need to put fresh values in the TXT records for all your domains.

But I’d definitely recommend finding a DNS provider that has an API, and automating update of those TXT records. That way you can have automated renewal and less chance of downtime. It will also make adding and renewing hosts easier.
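As an added illustration of the advice in this thread (not code from any of the posters or from Certbot), the script below works out which `_acme-challenge` TXT records actually need fresh values when a wildcard cert is amended: a hostname validated on the same ACME account within the last 30 days is skipped, a wildcard is validated at its base name, and a base name plus its wildcard land on the same TXT record name, so two values must coexist there. The 30-day figure and the sample validation dates are taken as assumptions from the thread.

```python
from datetime import datetime, timedelta, timezone

# Lifetime of a cached authorization, as stated in the thread (assumption).
AUTHZ_LIFETIME = timedelta(days=30)


def challenge_record_name(hostname: str) -> str:
    """DNS-01 TXT record name for a hostname; a wildcard validates at its base name."""
    base = hostname[2:] if hostname.startswith("*.") else hostname
    return f"_acme-challenge.{base}"


def plan_dns01_challenges(cert_names, last_validated, now):
    """Return {txt_record_name: [hostnames]} for names that need a new challenge.

    cert_names:     every name the amended cert should cover
    last_validated: {hostname: datetime} of the most recent successful validation
                    on this ACME account; a missing entry means never validated
    """
    needed = {}
    for name in cert_names:
        when = last_validated.get(name)
        if when is not None and now - when < AUTHZ_LIFETIME:
            continue  # cached authorization still valid: no new TXT value required
        # Several hostnames can share one record name; keep all of them so the
        # caller adds multiple TXT values instead of overwriting one.
        needed.setdefault(challenge_record_name(name), []).append(name)
    return needed


def demo_plan():
    """Constructed scenario: two existing wildcards, one new wildcard, plus apex + wildcard."""
    now = datetime(2024, 1, 31, tzinfo=timezone.utc)
    cert_names = [
        "*.sub1.example.com",   # validated 45 days ago -> must re-validate
        "*.sub2.example.com",   # validated 10 days ago -> reuse authorization
        "*.sub3.example.com",   # the name being added -> must validate
        "example.com",          # never validated on this account
        "*.example.com",        # never validated; shares a TXT name with the apex
    ]
    last_validated = {
        "*.sub1.example.com": now - timedelta(days=45),
        "*.sub2.example.com": now - timedelta(days=10),
    }
    return plan_dns01_challenges(cert_names, last_validated, now)


if __name__ == "__main__":
    for record, hosts in demo_plan().items():
        print(f"{record}: add {len(hosts)} TXT value(s) for {', '.join(hosts)}")
```

When a record name maps to more than one hostname, the auth hook must add a second TXT value alongside the first rather than replacing it, or one of the two validations will fail.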
