Extending a LE cert

My domain is:

I ran this command:

It produced this output:

My web server is (include version): apache2.4

The operating system my web server runs on is (include version): "Ubuntu 18.04.6 LTS"

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

I'm running an LE cert for domains
imap.mydomain.de, mail.mydomain.de, post.mydomain.de, smtp.mydomain.de, mydomain.de, www.mydomain.de and would like to extend it by two other hosts.

a) how do I get listed the new hosts in the certbot list to get their numbers for the certbot input? From where does certbot retrieve them?
b) should I create a separate certificate for these two hosts?

c) how can I tell whether I can use --apache as a command line argument for certbot
or whether I should use --standalone.

When you're using the --apache authenticator, certbot gets the hostnames from your existing virtual hosts. Thus, if you're going to be providing web services for those other two hostnames, just create virtualhost files for them for Apache, and certbot will pick them up. Otherwise, you can just list them on the command line with -d host1.yourdomain -d host2.yourdomain.

That's entirely up to you. Let's Encrypt allows up to 100 names on a cert, so you're well under any limit there.

You should only use --standalone if you aren't running any other web server--the --standalone authenticator needs to bind to port 80, which your web server will already be using. The alternative to --apache for you would be --webroot, which will place the challenge files into a directory you specify. If you're using Apache as your web server and the --apache authenticator has been working for you, I'd continue using it.

That version is very old; certbot is currently at 2.6.something IIRC. You'd probably need to use snap to install a more recent version on your version of Ubuntu, but you should seriously consider upgrading to something more recent.


Thanks. Understood so far. Regarding the old version I'm running:

root@mail:~# apt-get install certbot
Reading package lists... Done
Building dependency tree       
Reading state information... Done
certbot is already the newest version (0.31.0-2~deb10u1+ubuntu18.04.1+certbot+3).
0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.

Problem is, that the machine is still a 32bit version and I'd have to move everything to a 64bit platform which is due, of course.

After having installed the new VirtualHosts host1.mydomain.de and host2.mydomain.de suddenly the host https://mydomain.de also issues the new certificate and since that certificate is only for host1 and host2 there is a

Question: When I want to make certbot "forget" the recently acquired certificate, is it just enough to delete the directory /etc/letsencrypt/live/recent.domain and archive?

Or is it burried somewhere else? And also revert the VirtualHost entries?

There is also a file in /etc/letsencrypt/renewal which needs to be deleted.

The safest thing is to use certbot delete with --cert-name specified (assuming that already existed as of 0.31). Removing the HTTPS-specific virtualhosts is also necessary.



certbot delete

worked. It gave me a neat choice which one I wanted to delete (by number).

So all is fine now and I can start over.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.