Extending a LE cert

My domain is:

I ran this command:

It produced this output:

My web server is (include version): apache2.4

The operating system my web server runs on is (include version): "Ubuntu 18.04.6 LTS"

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

I'm running an LE cert for domains
imap.mydomain.de, mail.mydomain.de, post.mydomain.de, smtp.mydomain.de, mydomain.de, www.mydomain.de and would like to extend it with two other hosts.

a) How do I get the new hosts listed in certbot's list so that I can get their numbers for the certbot input? Where does certbot retrieve them from?
b) Should I create a separate certificate for these two hosts?

c) How can I tell whether I can use --apache as a command line argument for certbot, or whether I should use --standalone?

When you're using the --apache authenticator, certbot gets the hostnames from your existing virtual hosts. Thus, if you're going to be providing web services for those other two hostnames, just create virtualhost files for them for Apache, and certbot will pick them up. Otherwise, you can just list them on the command line with -d host1.yourdomain -d host2.yourdomain.

That's entirely up to you. Let's Encrypt allows up to 100 names on a cert, so you're well under any limit there.

You should only use --standalone if you aren't running any other web server: the --standalone authenticator needs to bind to port 80, which your web server will already be using. The alternative to --apache for you would be --webroot, which will place the challenge files into a directory you specify. If you're using Apache as your web server and the --apache authenticator has been working for you, I'd continue using it.

That version is very old; certbot is currently at 2.6.something IIRC. You'd probably need to use snap to install a more recent version on your version of Ubuntu, but you should seriously consider upgrading to something more recent.

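As an added example (not part of the answer above), the following POSIX shell script shows where the --apache authenticator's hostname list comes from and what the explicit -d alternative looks like: it reads every ServerName/ServerAlias from a directory of Apache vhost files, de-duplicates them, and builds the certbot --expand command that would re-issue one certificate covering all of them. The vhost files it creates under a temporary directory are constructed stand-ins for /etc/apache2/sites-enabled; the function names are mine, and the script only prints the certbot command, it never runs certbot.

```shell
#!/bin/sh
# Added example: enumerate the hostnames Apache vhosts declare (the names the
# --apache authenticator offers for selection) and build the equivalent
# explicit certbot command line. Not code from the original thread; the
# sample vhost files in demo_vhosts are constructed.

# Print every ServerName / ServerAlias found in the *.conf files under $1,
# one per line, sorted and de-duplicated. Commented-out lines are skipped and
# an optional ":port" suffix is stripped, as Apache itself would.
apache_hostnames() {
    cat "$1"/*.conf 2>/dev/null \
    | awk '
        /^[[:space:]]*#/ { next }
        $1 == "ServerName" || $1 == "ServerAlias" {
            for (i = 2; i <= NF; i++) { sub(/:[0-9]+$/, "", $i); print $i }
        }' \
    | LC_ALL=C sort -u
}

# Build (but do not run) the command that expands certificate "$1" so that it
# covers every hostname declared under "$2". With --expand the -d list must
# contain all names the certificate already has plus the new ones; listing
# the vhosts' names is the easiest way to get that superset right.
certbot_expand_cmd() {
    cmd="certbot --apache --expand --cert-name $1"
    for h in $(apache_hostnames "$2"); do
        cmd="$cmd -d $h"
    done
    printf '%s\n' "$cmd"
}

# Constructed sample vhosts, a stand-in for /etc/apache2/sites-enabled.
# Prints the temporary directory that holds them.
demo_vhosts() {
    d=$(mktemp -d)
    cat > "$d/000-default.conf" <<'EOF'
<VirtualHost *:80>
    ServerName mydomain.de
    ServerAlias www.mydomain.de mail.mydomain.de
    # ServerAlias old.mydomain.de   (commented out, must be ignored)
</VirtualHost>
EOF
    cat > "$d/host1.conf" <<'EOF'
<VirtualHost *:80>
    ServerName host1.mydomain.de
</VirtualHost>
<VirtualHost *:80>
    ServerName host2.mydomain.de:80
</VirtualHost>
EOF
    printf '%s\n' "$d"
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    dir=$(demo_vhosts)
    apache_hostnames "$dir"
    certbot_expand_cmd mydomain.de "$dir"
    rm -rf "$dir"
fi
```

Run against the real /etc/apache2/sites-enabled the printed command is a starting point, not something to paste blindly: check that every name in the list really resolves to this host and is served on port 80 before letting certbot request it, otherwise the HTTP-01 challenge for that name fails and the whole order fails with it.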

Thanks. Understood so far. Regarding the old version I'm running:

root@mail:~# apt-get install certbot
Reading package lists... Done
Building dependency tree       
Reading state information... Done
certbot is already the newest version (0.31.0-2~deb10u1+ubuntu18.04.1+certbot+3).
0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
root@mail:~# 

The problem is that the machine is still a 32-bit version and I'd have to move everything to a 64-bit platform, which is due, of course.

After having installed the new VirtualHosts host1.mydomain.de and host2.mydomain.de, suddenly the host https://mydomain.de also issues the new certificate, and since that certificate is only for host1 and host2 there is an SSL_ERROR_BAD_CERT_DOMAIN error.

Question: When I want to make certbot "forget" the recently acquired certificate, is it just enough to delete the directory /etc/letsencrypt/live/recent.domain and archive?

Or is it buried somewhere else? And should I also revert the VirtualHost entries?

There is also a file in /etc/letsencrypt/renewal which needs to be deleted.

The safest thing is to use certbot delete with --cert-name specified (assuming that already existed as of 0.31). Removing the HTTPS-specific virtualhosts is also necessary.

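An added example, not from the answer above, to make the "three places" point checkable before and after running certbot delete: the script lists the live/, archive/ and renewal/ entries that belong to one certificate name, and greps the Apache vhost files for SSLCertificateFile / SSLCertificateKeyFile directives that point into that certificate's live directory, which are exactly the HTTPS vhosts that have to be removed or repointed, since Apache refuses to start once they reference a deleted file. The directory tree it builds under mktemp is constructed; in real use the first argument would be /etc/letsencrypt and the vhost directory /etc/apache2/sites-enabled. Function names are mine.

```shell
#!/bin/sh
# Added example: locate everything that belongs to or references a certbot
# certificate name. Not code from the original thread; the tree built by
# demo_tree is constructed.

# Print, one per line, the paths under letsencrypt directory $1 that certbot
# keeps for certificate name $2: the live/ symlink directory, the archive/
# directory with the numbered key/cert files, and the renewal .conf.
# Only paths that exist are printed.
cert_locations() {
    for p in "$1/live/$2" "$1/archive/$2" "$1/renewal/$2.conf"; do
        [ -e "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# Print the vhost files under $2 whose SSLCertificateFile or
# SSLCertificateKeyFile directive points into live/$1 of letsencrypt dir $3.
# After `certbot delete --cert-name $1` these vhosts would break Apache.
vhosts_using_cert() {
    grep -lE "^[[:space:]]*SSLCertificate(Key)?File[[:space:]]+$3/live/$1/" \
        "$2"/*.conf 2>/dev/null
    return 0
}

# Constructed tree: two certificates and their certbot-generated *-le-ssl
# vhosts. Prints the root directory.
demo_tree() {
    root=$(mktemp -d)
    le="$root/letsencrypt"; sites="$root/sites-enabled"
    mkdir -p "$le/live/host1.mydomain.de" "$le/archive/host1.mydomain.de" \
             "$le/live/mydomain.de"       "$le/archive/mydomain.de" \
             "$le/renewal" "$sites"
    : > "$le/renewal/host1.mydomain.de.conf"
    : > "$le/renewal/mydomain.de.conf"
    cat > "$sites/host1-le-ssl.conf" <<EOF
<VirtualHost *:443>
    ServerName host1.mydomain.de
    SSLCertificateFile $le/live/host1.mydomain.de/fullchain.pem
    SSLCertificateKeyFile $le/live/host1.mydomain.de/privkey.pem
</VirtualHost>
EOF
    cat > "$sites/mydomain-le-ssl.conf" <<EOF
<VirtualHost *:443>
    ServerName mydomain.de
    SSLCertificateFile $le/live/mydomain.de/fullchain.pem
    SSLCertificateKeyFile $le/live/mydomain.de/privkey.pem
</VirtualHost>
EOF
    printf '%s\n' "$root"
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    root=$(demo_tree)
    echo "certbot would remove:";   cert_locations "$root/letsencrypt" host1.mydomain.de
    echo "vhosts still using it:";  vhosts_using_cert host1.mydomain.de "$root/sites-enabled" "$root/letsencrypt"
    rm -rf "$root"
fi
```

The order of operations that follows from this: disable or delete the vhosts the second function reports, run apachectl configtest, reload Apache, and only then run certbot delete --cert-name for the certificate, so the server never references files that are already gone.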

Thanks.

certbot delete

worked. It gave me a neat choice which one I wanted to delete (by number).

So all is fine now and I can start over.

