--expand option seems to take over all certs


#1

I have a VPS, it is set up to auto-renew using a cron job - and works fine. It is running Drupal 7 with multisite and domain access. It is also the nameserver for all domains, and I control the nameserver files. I am running Apache and not NGINX with the latest certbot. The server is running PHP-FPM. The Main domain has a commercial wildcard certificate for sub-domains under the Main domain. Under multisite - I am using letsencrypt certificates for the full domains under domain access. The ssl.conf file uses the wildcard 443 port setup > *:443 and they were all working fine - until . . . I tried to add a mail subdomain to one of the domain access domains.

Using the command
certbot --expand -d domain.com -d mail.domain.com -d www.domain.com

The command succeeded, and it issued a new certificate - however, it took over all the other domains: in the browser only that domain would load, and all the others gave the misconfiguration error saying the certificate belonged to domain.com.

I revoked the certificate and deleted it with:
certbot revoke --cert-path /etc/letsencrypt/live/domain.com/cert.pem

After fighting with the ssl.conf and http.conf files to get Apache restarted because of the certbot changes, and deleting the ssl configuration section for domain.com (copying it to a text file for safekeeping, so that I temporarily took out the domain.com ssl configuration), I got Apache restarted and . . .

I used the command
certbot certonly --cert-name domain.com

and then manually added the subdomains at the next certbot prompt, which successfully got me a new certificate - including the mail subdomain. Then I manually put the ssl configuration for that domain access domain back in the ssl.conf file, and the server restarted and operated properly with the new modified certificate that includes the mail subdomain.

Is this a known bug, or did I do something outside of the operating norms? The certs have been auto-renewing fine - until I manually tried to add the mail domain.

Are there any suggestions or taboos I should know about?
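A check worth running after any certbot invocation that edits the Apache configuration, added here as an example and not part of the original post: for each hostname, fetch the certificate Apache presents for that SNI name and confirm its subjectAltName actually covers the name, so a vhost that has silently started serving domain.com's certificate (the situation described above) is flagged before users see the browser error. The hostnames and the sample SAN string are constructed; the live lookup assumes `openssl s_client` and `openssl x509 -ext` (OpenSSL 1.1.1 or later) are available.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the certificate
# served for each SNI name covers that name.

# san_covers_host SAN_LIST HOST
# SAN_LIST is the "DNS:a, DNS:b" text printed by `openssl x509 -ext subjectAltName`.
# Exit status 0 if HOST is covered; a wildcard entry matches exactly one label.
# Body runs in a subshell so `set -f` (no pathname expansion of "*.example")
# does not leak into the caller.
san_covers_host() (
  set -f
  sans=$1; host=$2
  for entry in $(printf '%s' "$sans" | tr ',' ' '); do
    case $entry in
      DNS:*) name=${entry#DNS:} ;;
      *)     continue ;;          # ignore IP:, email: and other SAN types
    esac
    [ "$name" = "$host" ] && return 0
    case $name in
      '*.'*)
        suffix=${name#\*.}
        case $host in
          *.$suffix)
            rest=${host%.$suffix}
            case $rest in *.*) ;; *) return 0 ;; esac ;;  # one label only
        esac ;;
    esac
  done
  return 1
)

# served_sans HOST [PORT]: SANs of the certificate presented for HOST as SNI name.
# Needs network access; not exercised by the offline sample below.
served_sans() {
  printf '' | openssl s_client -servername "$1" -connect "$1:${2:-443}" 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName 2>/dev/null | tail -n +2
}

# check_hosts HOST...: print ok/MISMATCH per name; non-zero if any mismatch.
check_hosts() {
  rc=0
  for h in "$@"; do
    if san_covers_host "$(served_sans "$h")" "$h"; then echo "ok       $h"
    else echo "MISMATCH $h"; rc=1; fi
  done
  return $rc
}

# Constructed sample: SANs as the expanded domain.com certificate would carry them.
SAMPLE_SANS='DNS:domain.com, DNS:mail.domain.com, DNS:www.domain.com'
```

Run `check_hosts domain.com mail.domain.com otherdomain.com ...` against the live server; a name reported as MISMATCH is being served someone else's certificate, exactly the symptom described in the post.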

