Domain not listed - certbot --apache

certbot 0.31.0, Ubuntu 18.04.6

I ran "certbot --apache" and a list of possible domain names was offered.
Only the domains I want - mail.mysite.com, imap.mysite.com, smtp.mysite.com - aren't listed.

Is there a command line option for certbot to give all the domain names I want certificates for by hand on the command line (instead of the numbers from the dialog)?

I see that e.g. mysite.com and www.mysite.com are listed with corresponding numbers.
Can LE also serve subdomains like mail.mysite.com when it serves mysite.com?

Christoph

The --apache plug-in uses the HTTP challenge to get certs. It requires each domain name to respond on http (port 80). So, you could create a dummy VirtualHost for those names on port 80 and configure your mail server to use that cert location.

The apache plug-in will auto-configure an https VirtualHost for each name. So, either update that dummy VirtualHost to not respond with anything useful. Or, use the certonly webroot command with the dummy VirtualHost for your mail domains to avoid updating your apache config.

Or, use the DNS challenge. This topic about challenges may help

5 Likes

Please start by reviewing the vhost names being covered by Apache, with the output of:
apachectl -t -D DUMP_VHOSTS

4 Likes
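An added example (not from this thread) that ties the two answers above together: parse the `apachectl -t -D DUMP_VHOSTS` output to see which of the wanted names Apache does not yet serve on port 80, generate the dummy port-80 VirtualHost for exactly those names, and build the `certbot certonly --webroot` command line the first answer suggests. The sample DUMP_VHOSTS output, the host names, the `/var/www/acme-dummy` webroot and the `systemctl reload postfix` deploy hook are all constructed or assumed; the script only prints the config and the command, it does not run certbot.

```shell
#!/bin/sh
# Added example, not from the thread. Names, paths, the sample apachectl
# output and the deploy hook are constructed/assumed.

WEBROOT=/var/www/acme-dummy            # assumed webroot for the dummy vhost

# Constructed sample of `apachectl -t -D DUMP_VHOSTS` (Apache 2.4 layout):
# only mysite.com and www.mysite.com answer on port 80.
SAMPLE_DUMP='VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server mysite.com (/etc/apache2/sites-enabled/mysite-le-ssl.conf:2)
         port 443 namevhost mysite.com (/etc/apache2/sites-enabled/mysite-le-ssl.conf:2)
                 alias www.mysite.com
*:80                   is a NameVirtualHost
         default server mysite.com (/etc/apache2/sites-enabled/mysite.conf:1)
         port 80 namevhost mysite.com (/etc/apache2/sites-enabled/mysite.conf:1)
                 alias www.mysite.com'

# names_on_port80 DUMP -> one line per name Apache serves on port 80
# ("port 80 namevhost" lines, their "alias" lines, and single-vhost "*:80 name" lines).
names_on_port80() {
    printf '%s\n' "$1" | awk '
        $1 ~ /:[0-9]+$/ { port = $1; sub(/.*:/, "", port)
                          if ($2 != "is" && port == "80") print $2; next }
        $1 == "port" && $3 == "namevhost" { port = $2; if (port == "80") print $4; next }
        $1 == "alias" && port == "80"     { print $2 }
    '
}

# missing_port80_names DUMP NAME... -> the wanted names that have no port-80 vhost yet
missing_port80_names() {
    dump=$1; shift
    served=$(names_on_port80 "$dump")
    for n in "$@"; do
        printf '%s\n' "$served" | grep -qxF "$n" || printf '%s\n' "$n"
    done
}

# dummy_vhost_conf NAME... -> a port-80 VirtualHost that answers only the HTTP-01
# challenge path and refuses everything else (first name = ServerName, rest = ServerAlias)
dummy_vhost_conf() {
    first=$1; shift
    printf '<VirtualHost *:80>\n'
    printf '    ServerName %s\n' "$first"
    [ $# -gt 0 ] && printf '    ServerAlias %s\n' "$*"
    printf '    DocumentRoot %s\n' "$WEBROOT"
    printf '    <Directory %s>\n        Require all denied\n    </Directory>\n' "$WEBROOT"
    printf '    <Directory %s/.well-known/acme-challenge>\n        Require all granted\n    </Directory>\n' "$WEBROOT"
    printf '</VirtualHost>\n'
}

# certbot_webroot_cmd NAME... -> the certonly command line (printed, not executed);
# the deploy hook is an assumption: reload whatever daemon uses the cert.
certbot_webroot_cmd() {
    names=$(printf '%s,' "$@"); names=${names%,}
    printf 'certbot certonly --webroot -w %s --cert-name %s -d %s --deploy-hook "systemctl reload postfix"\n' \
        "$WEBROOT" "$1" "$names"
}

# Demo on the constructed sample: which wanted names are missing, and what to add/run.
MISSING=$(missing_port80_names "$SAMPLE_DUMP" mail.mysite.com imap.mysite.com smtp.mysite.com www.mysite.com)
echo "Names without a port-80 vhost: $(printf '%s' "$MISSING" | tr '\n' ' ')"
if [ -n "$MISSING" ]; then
    # word-splitting on whitespace-free host names is intended here
    dummy_vhost_conf $MISSING
    certbot_webroot_cmd $MISSING
fi
```

The generated VirtualHost denies the whole document root and re-allows only `.well-known/acme-challenge`, so the dummy host serves nothing beyond the challenge response; `certonly --webroot` leaves the Apache config alone, and the deploy hook is what makes the mail daemon pick up the renewed files under `/etc/letsencrypt/live/<cert-name>/`.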

Thanks @rg305 and @MikeMcQ. The host in question has some certificates for web domains and runs apache. Would it be possible to "abuse" one of these domains using the --expand option and simply append the desired domains to the respective certificate?

My other site doesn't run a web server but magically it works with certbot. I have mail.kukulies.org working and I have it configured for postfix in main.cf

##### TLS parameters ######
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.kukulies.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.kukulies.org/privkey.pem

I wonder now how I managed it for the latter site. Can I find out which challenge I'm using on that site?

Ah, I searched around a bit and found in /etc/letsencrypt/renewal/domain.org.conf a line:

server = https://acme-v02.api.letsencrypt.org/directory

Obviously I was using the acme challenge.

EDIT (again): It looks like using --expand worked for me by expanding an existing certificate:

 certbot --expand -d exists1.de,mail.mydomain.de,imap.mydomain.de,smtp.mydomain.de,www.mydomain.de,mydomain.de

I got a notification that the certs could not be installed since there were no vhosts of that name, but testing the cert file (fullchain.pem) revealed that the new domains were included.

3 Likes
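The check the reply above did by hand ("testing the cert file revealed that the new domains were included") can be scripted, and it is worth reporting the Subject CN alongside the SAN list. This is an added example, not from the thread: it relies only on `openssl x509`, which reads the first certificate in the file, i.e. the end-entity cert in a Let's Encrypt `fullchain.pem`; the path and names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Lists the names a certificate covers.
# `openssl x509` reads only the first certificate in the file, which in
# /etc/letsencrypt/live/<name>/fullchain.pem is the end-entity (leaf) cert.
#
# Usage (placeholder path and names):
#   sh check_cert_names.sh /etc/letsencrypt/live/mail.example/fullchain.pem mail.example imap.example

# cert_cn FILE -> the Subject CN (handles both "/CN=x" and "CN = x" subject formats)
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_san_names FILE -> one DNS name per line from the subjectAltName extension
cert_san_names() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^ *DNS://p'
}

# cert_covers_name FILE NAME -> exit 0 if NAME is in the SAN list (that is what
# TLS clients match against; the CN alone is not enough for modern clients)
cert_covers_name() {
    cert_san_names "$1" | grep -qxF "$2"
}

# check_names FILE NAME... -> prints one ok/MISSING line per name, exit 1 if any missing
check_names() {
    f=$1; shift; rc=0
    echo "CN:  $(cert_cn "$f")"
    for n in "$@"; do
        if cert_covers_name "$f" "$n"; then echo "ok      $n"; else echo "MISSING $n"; rc=1; fi
    done
    return $rc
}

# Run the check only when a file and at least one name are given on the command line.
if [ -n "${2:-}" ]; then
    check_names "$@"
fi
```

A non-zero exit from `check_names` makes this usable in a renewal deploy hook or a monitoring job, so a cert that silently loses a name after a re-issue is noticed before clients start failing.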

But it turns out that this kind of "piggybacking" a domain doesn't seem to work. The mail server needs the common name to be the name of the mail server.

Can I revert the --expand command? I don't want to carry around too many (then actually unused) certificates.

Or how else can I get rid of certificates? Just revoke --cert-name?
Is it possible to fall back to the last but one certs of that domain I previously expanded?

EDIT: I was able to add a dummy VirtualHost with ServerName and ServerAlias(es) and use the plain certbot command and the comma separated list.

1 Like

You shouldn't have to delete anything (at this point).
If you need a separate cert, then simply get another (separate) cert for that one name only.

6 Likes
