Help me understand renewal config


When I request a new certificate I use -d -d
I would like to get these values again when I renew via some automation I am creating. However, I have noticed that the .conf in the renewal folder for the particular domain does not hold both of values. It simply holds,

Why is this? And, if I don’t include both names in the renewal isn’t the certificate going to be wrong?


I’ve found my /etc/letsencrypt/renewal/*.conf still contain details of the staging certificates I created rather than the details of the live certificates I replaced them with, so basically my renewal confs are all wrong. I did find a relevant github issue raised for it but I can’t find it now.

Until the renewer is ready my renewal script get the domains from the live certificates in a bash script like so:

# given a certificate file returns "domain1,domain2"
function getDomains() {
        openssl x509 -text -in "$1" |
        grep -A1 "Subject Alternative Name:" | tail -n1 |
        tr -d ' ' | tr -d 'DNS:'

domains=$(getDomains $path_to_cert)

then I use --domains=$domains switch rather than separate -d switches.