Expands not working on pre-existing cert requests

First of all, thanks for the service - it is Really Something ! :slight_smile:

Expand type renewals seem to be broken for me on my server since the recent release.

I have tried the --force-renewal 'trick' I saw someone else mention a while back, but that doesn't seem to work either. certbot-auto detects the changes, asks me to Expand or Cancel, I click Expand but the standalone server challenges are only checking the domains from the existing cert, and it delivers me a success result but the new domains are not present. If I rerun the exact same command a few seconds later, I get the exact same results.
When I try to send a new cert request with the same domains in the existing cert (no changes) the certbot detects this and exits without regenerating.

Here's my config /etc/letsencrypt/cli.ini:

rsa-key-size = 4096
email = admin@example.com
authenticator = standalone
pre-hook = service httpd stop
post-hook = service httpd start
agree-tos = True
force-renewal = True
expand = True

command:

certbot-auto certonly -n --config /etc/letsencrypt/cli.ini --domains app1.example.com,app2.example.com,app3.example.com

What am I missing? Is there a new setting?

1 Like

Additional information: the first 3 domains in the list are always the same, the remaining domains will fluctuate as settings flags in a source database change. I've noticed that the master cert seems to be saved under the first domain in the list and the challenges list that domain first as well, but the remaining domains are alphabetically sorted, but always the same list as what's in the existing cert, not what is sent in the domains field.

I've also tried manually entering these values in cli.ini config file under domains = with the same results.

Hi @JolyonKB, are you using the new 0.10.0 Certbot release?

Would you mind posting a log file from your most recent expand attempt?

Hi @schoen, yes I am using 0.10.0, I noticed it just updated today.

I cannot post a log file without redacting the domain names which I think would defeat the purpose of log. I could email them to you if you prefer.

I am seeing the full new set of domains at the head of the log though, however none of the subsequent challenge log entries include any of the newly listed domains, and they include domains that are not in the new list but are in the pre-existing certificate.

Here's a redacted log, I changed our domain to example and abbreviated the subdomains from one of today's attempts, I made no other changes. Note subdomains ri and mt are not found anywhere else except in arguments list at beginning of log.

nope… says new users cannot upload attachments. File size is 188K

Something I'm now confused about is whether your list of subject domains is strictly growing every time (which is an absolute requirement for --expand and --force-renewal with certificate selection using --domains). Is it possible that you have sometimes tried to get a certificate for a list of domains which excludes some domains that you previously got a certificate for?

If so, then you probably have several different certificates tracked within /etc/letsencrypt and are randomly adding domains to particular ones depending on the sequence of commands you've run. That might explain the confusion.

In particular, --expand literally means something like "I want a certificate that I already have that previously contained only some of these domains to be replaced with one that contains all of them". (If you use --expand this way when any name in the prior cert is omitted from --domains, it will instead conclude that there is no existing certificate that can be "expanded" in this way and go on to create a completely independent cert!) If you wanted to ever remove a name, you need to use some of the new features based on --cert-name to specify which certificate to act upon.

Could this be the source of the problem?

I noticed exactly the same issue as TS is having.

I just started using certbot today on Ubuntu 14.04, running apache2 as webserver.

To test how everything works with certbot and letsencrypt I used an old domain I'm not using in production environments.

What I did:

  • Set up certbot as instructed (for Ubuntu 14.04)

Then I did
./certbot-auto --apache

Just followed the wizard and chose example.com as domain.

All worked as expected. I checked the newly created sites-available conf file for the ssl domain, all created files in /etc/letsencrypt and of course tested the ssl connection.

Next (to practice with certbot) I decided to add www.example.com to the certificate as SAN. I did the following:

  • ./certbot-auto --apache
  • used the wizard and selected example.com & www.example.com
  • wizard asked me to Expand(E) or Cancel(C)
  • I picked Expand
  • All seemed fine

Then I checked https://www.example.com --> didn't work due to Certificate Name mismatch.
Checked all the apache config files --> all seemed fine.
Did ./certbot-auto certificates --> only example.com listed as domains.

So, I decided to try it again, this time without the wizard:

  • ./certbot-auto --apache -d example.com,www.example.com --expand
  • Certbot notified me that example.com certificate already existed and that it would expand the certificate with www.example.com as SAN
  • after certbot was finished, I checked all config files again and tested. --> not working

For some reason it seems I am not able to expand the existing example.com certificate, despite the fact that certbot says it did work.

I'm using the newest certbot, downloaded and installed today.

https://example.com is working great.
https://www.example.com isn't working, it seems the certificate simply isn't expanded to include www.example.com.

EDIT:
I checked the contents of cert.pem for example.com as follows:

cat cert.pem | openssl x509 -text | grep DNS

Output only shows:

DNS:example.com

1 Like
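
An added example, not part of any post in this thread: a POSIX shell check that compares the SAN list printed by the openssl command above with the names passed to --domains. It reports requested names that are missing after an expand, and existing names left out of the request, which per the earlier reply stops --expand from matching that certificate. The function names and the sample certificate text are constructed for illustration.

```sh
#!/bin/sh
# Added example. Function names and the sample text are constructed.

# Read `openssl x509 -noout -text` output on stdin and print each
# DNS subjectAltName entry, lowercased, one per line.
cert_sans() {
    tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p' |
        tr '[:upper:]' '[:lower:]' | sort -u
}

# Print the lines of list $1 that do not appear in list $2 (exact match,
# so a wildcard name such as *.example.com is compared literally).
only_in() {
    printf '%s\n' "$1" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        printf '%s\n' "$2" | grep -Fxq -- "$name" || printf '%s\n' "$name"
    done
}

# compare_sans CERT_TEXT NAME...   (names may also be comma-separated)
#   missing NAME : requested, but not in the certificate (expand did not take)
#   dropped NAME : in the certificate, but not requested (per the reply above,
#                  --expand then does not match this certificate)
compare_sans() {
    cert_text=$1
    shift
    have=$(printf '%s\n' "$cert_text" | cert_sans)
    want=$(printf '%s\n' "$@" | tr ',' '\n' |
        tr '[:upper:]' '[:lower:]' | sed '/^$/d' | sort -u)
    only_in "$want" "$have" | sed 's/^/missing /'
    only_in "$have" "$want" | sed 's/^/dropped /'
}

# Constructed sample: the SAN section as reported in the post above.
SAMPLE_CERT_TEXT='            X509v3 Subject Alternative Name:
                DNS:example.com'

# Real use: compare_sans "$(openssl x509 -in cert.pem -noout -text)" NAME...
compare_sans "$SAMPLE_CERT_TEXT" example.com,www.example.com
```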

This looks like a regression in certbot 0.10.0. I filed an issue here:

2 Likes

@schoen, No I don't think that's the case - several of the tests I ran were only adding domains to the existing cert, it was detecting the change and requesting a new cert but not adding the domains and only challenging the ones from the original cert.

Thanks @pfg for opening a ticket for this issue!

Can confirm the expand in the new version (0.10.1), which has been just released, works perfectly with new domains.

Since certbot-auto updates itself, it just needs to run again to update to 0.10.1 and expand the existing certificates.

Thanks for the amazing effort you are doing with Let's Encrypt…
