Expand EV CA certificate with certbot

skabaw · February 16, 2017, 3:29pm

I have EV certificate for CA for my main domain.com and I want to add (expand) domain1.com,domain2.com
Technically, domain.com is ServerName and domain1.com,domain2.com are ServerAlias-es. I don’t need EV for expanded domain but only DV, because domain1.com,domain2.com are deprecated domains and I do redirect 301 to domain.com.
This worked fine before with http but not with https anymore.
I have already generated keys for domain1.com,domain2.com (alltogether). What should I do?

Add new keys to the old keys in the same Apache configuration?
or
Run certbot again and expand the domain.com CA certificate with extra new domains.

Please note that in future I will keep renewing domain.com with CA, while I would like to renew extra domains with certbot.

jmorahan · February 16, 2017, 5:19pm

What you should do is remove those ServerAliases from your main VirtualHost, and place them in a separate VirtualHost (in a separate configuration file) with one as the ServerName and the other as ServerAlias. Then configure that VirtualHost to use the certificate and key that you generated for those two domains.

So, something like this:

<VirtualHost *:443>
  ServerName domain1.com
  ServerAlias domain2.com
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/domain1.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/domain1.com/privkey.pem
  Redirect permanent "/" "https://domain.com/"
  # ... etc
</VirtualHost>

I’d suggest manually testing certbot renew --dry-run after that as well, to make sure it picks up the new configuration correctly.

jmorahan · February 16, 2017, 7:34pm

I should also point out (in case it’s not clear from the above) that you can’t use certbot to “expand” an EV certificate. Any certificate you get from certbot / Let’s Encrypt will be a DV certificate. So what you want is to keep your existing EV certificate for the main domain, and generate a separate DV certificate for the redirecting domains (which, as I understand it, you’ve already done).

skabaw · February 17, 2017, 8:56am

Thanks jmorahan. Now evertything is done. All I need to do now is start cron to do renew.

skabaw · February 17, 2017, 9:59am

Yet another question. I tried “certbot renew --dry-run” and it failed.with:
Invalid response from http://domain1.com/.well-known/…

There are two possible causes:

It’s doing a permanent redirect to https://domain.com/.well-known/… and fails.
Since HSTS is set, does not accept http.

I could exclude the above /.well-known/ directory from redirect, but I still wonder if this the real source of problem?

jmorahan · February 17, 2017, 10:19am

It’s not 2, the validation ignores HSTS. Could be 1. The full error message would help determine if that’s the case. Or you could just try excluding .well-known from the redirect and see if it works.

skabaw · February 18, 2017, 11:14am

You won’t believe what was the actual source of problems. I have multiple virtual hosts on a single IP (not only different domains redirecting to the target one). For historic reasons, some of these virtual host were designated as *:port, and other as IP:port. Apparently, this caused a confusion to Apache. The problem was eventually resolved by unifying the designation (namely, setting specific IP for each virtual host). Now the dry-run certbot renewal runs fine.

I did a research to find out what does actually mixing asterisks and IPs for single IP mean, but didn’t find the answer.

system · March 20, 2017, 11:15am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.