Expanding existing certs created with --webroot

FoTo50 · April 14, 2017, 1:02pm

I have already manually created successfully certs with e.g.:

./certbot-auto certonly --webroot -w /somewhere/ -d maindomain -d domain2 -d domain3

Now I’ld like to expand this existing cert with e.g. domain4 and domain5

I tried with

./certbot-auto certonly --expand --webroot -w /somewhere/ -d maindomain -d domain4 -d domain5

But this will create a new cert in the folder maindomain-0001 valid only for maindomain, 4 and 5.

Do I ALWAYS have to add all “old” domains containing an existing to expand or did I miss something?

In practice I expect this cert to contain 50 to 60 domains after some time, which would cause a quite “long” command line

Thanks for any hints

peterthomassen · April 14, 2017, 1:33pm

Check out --cert-name: https://certbot.eff.org/docs/using.html#managing-certificates

schoen · April 14, 2017, 5:11pm

Yes, every single one. The idea is that this is a way of selecting a certificate. You could have many different certificates with slightly different combinations of names and so the rule is that you have to mention all of the domain names in order to select one this way.

The --cert-name option which @peterthomassen mentioned is an alternative, which directly selects a particular one based on its name, not its contents. --cert-name didn't exist in older versions of Certbot and so some documentation may not suggest its use. If you want to find out the names you can use with --cert-name, you can run certbot certificates.

FoTo50 · April 15, 2017, 4:12pm

Thanks for pointing me to this parameter, but still:

If I e.g. use

./certbot-auto certonly --webroot --expand --cert-name name-of-certificate -w /somewhere/ -d newdomain

it will ask me to [U]pdate and if yes, replace the cert with only newdomain instead of expanding it. So if I understand correct, I will not be able to avoid to add all domains to the command (afaik currently up to 100), right?

schoen · April 16, 2017, 9:47pm

Oh yeah, I didn’t think that part through. The Certbot command line always requires to you specify a complete list of the domains that will be covered by the new requested certificate. Using --cert-name doesn’t change that part of the behavior.

system · May 16, 2017, 9:57pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.