Expand an existing certificate to add wildcard


Hi, I created a certificate in the standard way, for apache:

sudo certbot --apache

Later, I expanded the cert to include another domain, and a subdomain:

sudo certbot certonly --cert-name dev.co-brand2.com -d dev.co-brand2.com,co-brand2.com,cobrand2.com,new.cobrand2.com --preferred-challenges http

Then, I realized I would rather have wildcard subdomains for this server, and just host all subdomains of cobrand2.com, and co-brand2.com.

I looked at some tutorials on wildcard subdomains, and it looks like there may be a specific way they need to be set up in the beginning. So my question is, is there a way to expand, or re-configure, my existing certificate so that it accepts wildcards?

Or, do I need to remove these certificates and start all over?

My domain is: cobrand2.com

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: AWS Lightsail

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


Well, there are a couple considerations. First, you need to use the DNS challenge type for wildcards, so the --preferred-challenges http option isn’t going to work for you. Second, I’m not sure “expanding” the certificate is what you want. You can’t have a certificate with overlapping names, so attempting to have both *.co-brand2.com and dev.co-brand2.com on one certificate will fail. As such, you really just want to make a new wildcard certificate. Do bear in mind that the base domain is not included in a wildcard, so you might want to add this as an additional name.


Thanks for the reply. Let’s say I change the method to dns, remove cobrand2.com, and just add *.cobrand2.com. Can I run:

sudo certbot certonly --cert-name dev.co-brand2.com -d dev.co-brand2.com,cobrand2.com,*.cobrand2.com --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

And, as of now, September 2018, is it necessary to add all the extra flags, in order to user wildcards?


I ran the above command and got “None of the preferred challenges are supported by the selected plugin”


I don’t believe certonly can handle this yet. You’ll need to either use the manual plugin and update the DNS record manually (or with a hook script), or install and use a plugin that can integrate with your DNS provider. Do you know if they have an API? This is the one disadvantage of the DNS challenge, it relies on your DNS provider.

Now, it is possible to use acme-dns, written by another community member, to handle this. In that case, you’re manually adding a CNAME record once, and then updating the endpoint via API. In this case, you would use manual with the --manual-auth-hook provided by acme-dns-certbot.


Alright, I’ll just start with a new cert and follow one of the tutorials online. Thanks.


In Certbot concepts, certonly isn’t an authenticator plugin, it just means “don’t use an installer”.

Authenticators include --manual, --webroot, --apache, etc. The only authenticators that can be used for wildcards are those that are capable of DNS-01 challenges, which basically means --manual (hopefully with an auth-hook!) or the DNS plugins. But you can still use all of those with the certonly subcommand.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.