Domain mutations

Hello Let’s Encrypt operators

First thanks for your great service which I currently am using for some single sites (currently sites without alias).

First a basic question: Assume a virtual host like

<VirtualHost *:443>
  ...
   ServerName wwwsec.example.com
   ServerAlias example.com www.example.org example.org
</VirtualHost>

So am I right to generate the needed certificate using

letsencrypt-auto --apache -d www.example.com -d example.com \
-d www.example.org -d example.org

i.e. the main CN as the first “-d” option then all alias names?

Note: I use “apt-get install letsencrypt” in Debian Linux.

And now the more complex questions: Typical site changes and the needed steps on Let’s Encrypt level.

Case 1: Assume that example.org is no longer needed (cancelled by the registrar, got some new DNS servers or similar), i.e. the site is changed as

<VirtualHost *:443>

ServerName wwwsec.example.com
ServerAlias example.com

So what are the correct steps to update the certificate accordingly? And is there an e-mail notification telling “From: expiry@letsencrypt.org - You are no longer authorized to issue certificates for example.org” (this is important since I cannot watch every domain’s status permanently!)

Case 2: Extending existing certificate: Assume that example.net has been registered.

<VirtualHost *:443>

ServerName wwwsec.example.com
ServerAlias example.com www.example.net example.net

Case 3: Completely delete a site and its certificate.

Case 4: Transfer a site to a new hoster also using Let’s Encrypt: Beware that the new (or old) hoster has a separate ACME account. So the question is: Do I have to export something from the /etc/letsencrypt folder, or can the new hoster simply generate a new certificate as soon as the DNS servers are updated?

Thanks for any answers in advance.


It's best to follow the installation instructions for your platform from https://certbot.eff.org/ . Otherwise, it's possible you can end up with a very old version of Certbot.

First, figure out what your certificate's name is, by looking at:

letsencrypt certificates 

Then, you can redefine the certificate, overwriting the old with a new one:

letsencrypt --apache --cert-name <certificate name> \
-d example.com -d wwwsec.example.com -d new.example.com

This covers both case 1 and 2.

Certbot won't delete an Apache site for you. You need to delete it yourself.

Once that's done, you can delete the certificate:

letsencrypt certificates
letsencrypt delete --cert-name <name of certificate>

Don't move anything. Just create new certificates on the destination host.

You will only receive notifications about certificates that are approaching expiry. It won't notify you about individual problems with individual domains. But the expiry email would implicitly alert you to problems with individual domains.

Hello _az

Thanks for your answer. So for any kind of domain mutations I have to use the appropriate letsencrypt-auto sub command.

So assume the following case:
<VirtualHost *:443>

ServerName wwwsec.example.com
ServerAlias example.com www.example.org example.org

Now, example.com gets cancelled, so
<VirtualHost *:443>

ServerName www.example.org
ServerAlias example.org

remains. Question: Is it correct that I first have to completely delete the certificate for example.com (with all aliases) using letsencrypt delete and then create a new certificate with common name example.org (and the remaining aliases)?

Thanks for your reply in advance.

Since the VirtualHost refers to the existing certificate file, deleting it will make your Apache configuration invalid unless you first delete the VirtualHost.

You could also use

certbot certonly --cert-name wwwsec.example.com -d www.example.org -d example.org

to replace the certificate in the same place on disk with a new one covering only the example.org names. This approach might be confusing because the certificate’s name as used by Certbot would refer to a name which the certificate no longer covers.
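As an added example (not code from this thread or from Certbot itself), the following Python script turns the procedure from the two answers above into a repeatable check: it reads the ServerName/ServerAlias names out of the vhost, diffs them against the names the existing lineage still covers, and builds the `--cert-name` re-issue command. The vhost text and the current SAN list are constructed samples; in practice the SAN list comes from the "Domains:" line of `certbot certificates`.

```python
import re
import shlex

# Constructed sample: the vhost from this thread after example.org was dropped
# and example.net was added (not a real configuration file).
VHOST_AFTER = """
<VirtualHost *:443>
    ServerName wwwsec.example.com
    ServerAlias example.com www.example.net example.net
</VirtualHost>
"""

# Constructed sample: names the existing Certbot lineage still covers. In
# practice, take these from the "Domains:" line of `certbot certificates`.
CURRENT_SANS = ["wwwsec.example.com", "example.com", "www.example.org", "example.org"]

# Label-by-label hostname check; rejects typos such as a comma typed for a dot.
HOSTNAME = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
DIRECTIVE = re.compile(r"^\s*(ServerName|ServerAlias)\s+(.+?)\s*$", re.MULTILINE)


def is_valid_hostname(name: str) -> bool:
    return bool(HOSTNAME.match(name.lower()))


def vhost_names(config: str) -> list:
    """ServerName first, then ServerAlias names, de-duplicated and validated."""
    server_name, aliases = None, []
    for directive, value in DIRECTIVE.findall(config):
        for name in value.lower().split():
            if not is_valid_hostname(name):
                raise ValueError(f"invalid hostname in {directive}: {name!r}")
            if directive == "ServerName":
                server_name = name
            elif name not in aliases:
                aliases.append(name)
    if server_name is None:
        raise ValueError("no ServerName directive found")
    return [server_name] + [a for a in aliases if a != server_name]


def plan(config: str, current_sans: list, cert_name: str) -> dict:
    """Diff vhost names against the live lineage and build the re-issue command."""
    wanted = vhost_names(config)
    added = [n for n in wanted if n not in current_sans]
    removed = [n for n in current_sans if n not in wanted]
    cmd = ["certbot", "--apache", "--cert-name", cert_name]
    for name in wanted:
        cmd += ["-d", name]  # every name the vhost serves, ServerName first
    return {"added": added, "removed": removed,
            "changed": bool(added or removed), "command": shlex.join(cmd)}
```

Run `plan(VHOST_AFTER, CURRENT_SANS, "wwwsec.example.com")` and only execute the returned command when `changed` is true; as the second answer notes, the lineage name stays `wwwsec.example.com` even if that name is later dropped from the vhost.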

