How can I add more subdomains to my SSL Certificate?


#1

Hello,

When I installed Lets Encrypt SSL Certificate on my server I followed this tutorial: https://www.tecmint.com/install-free-lets-encrypt-ssl-certificate-for-apache-on-debian-and-ubuntu/ the tutorial is great and worked like a charm but, now I am dealing with a problem because on this tutorial it teaches to create certificate for mydomain.com and www.mydomain.com but, I need to create at least one more subdomain for my CDN so, it can use something like cdn.mydomain.com How can I do this on same certificate or is a way to make this certificate wildcard like *.mydomain.com?

Please help!


#2

Let’s Encrypt doesn’t offer wildcard at the current time.

If you’re using a new enough version of certbot (formerly letsencrypt), you can run the exact same command you did but add the extra domain at the end and include “–expand” in the command so it will re-use the existing certificate directory. You can find out more at https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates

Alternately, if you’re using an older version of certbot, you can use the --cert-name parameter to force the overwrite of the existing certificate you got. See https://certbot.eff.org/docs/using.html#changing-a-certificate-s-domains for more information.

Of course, you can always just make a new certificate for the cdn subdomain.


#3

Hey motoko,

Thanks a lot for the fast reply, but my question is if I create a new certificate for cdn, when crontab renews my current certificate would renew both or what I need to do for that to happen?

Thanks again!


#4

If you’re using “certbot renew”, then all certificates the system knows about should be renewed cleanly.

Keep in mind that the method you used to initially acquire the certificates will be re-used in that case, so if you used the “standalone” method, you’ll probably need to run some scripting to do things like stop your web service to make sure the standalone service can run properly. If you used something like webroot, then you usually don’t need to do more than make sure the web service is signaled to re-read the certificate files.


#5

Hi @codeman1234,

@motoko already explained how it works and your alternatives so I just want to answer this question:

The easy way and following the same approach as the doc you pointed out, the first thing you should check is the cert name, the one which have your 2 domains mydomain.com and www.mydomain.com

cd /usr/local/letsencrypt 
sudo ./letsencrypt-auto certificates

This command will give you a list of the certificates you own, something like this:

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: sub.example.com
    Domains: sub.example.com
    Expiry Date: 2017-08-07 17:28:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/sub.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/sub.example.com/privkey.pem
  Certificate Name: mydomain.com
    Domains: mydomain.com www.mydomain.com 
    Expiry Date: 2017-08-07 18:24:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/mydomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mydomain.com/privkey.pem
-------------------------------------------------------------------------------

Here are 2 certificates, you should pay attention to the Domains, the certificate that has your 2 domains and remember the Certificate Name you see in that output, in this case, the Certificate Name is mydomain.com. We will use this name to expand or new certificate containing the cdn domain.

So, if you issued your first cert containing both domains like this:

cd /usr/local/letsencrypt
sudo ./letsencrypt-auto --apache -d mydomain.com -d www.mydomain.com

Now you should add the parameter --cert-name using the Certificate Name that we saw above and the new domain

cd /usr/local/letsencrypt
sudo ./letsencrypt-auto --apache --cert-name mydomain.com -d mydomain.com -d www.mydomain.com -d cdn.mydomain.com

And letsencrypt-auto will ask if you want to update the certificate:

-------------------------------------------------------------------------------
Confirm that you intend to update certificate mydomain.com to include domains
[u'mydomain.com', u'www.mydomain.com', u'cdn.mydomain.com']. Note that it previously
contained domains [u'mydomain.com', u'www.mydomain.com'].
-------------------------------------------------------------------------------
(U)pdate cert/(C)ancel: U

Just answer U to update and wait till the new cert is issued and you will have a new cert containing the 3 domains in the same place as the previous one.

Just in case, always backup /etc/letsencrypt/ just in case ;).

I hope this helps.

Cheers,
sahsanu


#6

You can also avoid this question by adding --expand to the command line.


#7

So, please correct me if I am wrong but, for what you say sahsanu, the best solution is just to reissue the certificate I have and add cdn.mydomain.com so, new certificate would have main domain with 2 subdomains by adding the parameter --cert-name, correct?


#8

Can you please elaborate on that since I am still on learning curve :innocent:


#9

So, best option is what sahsanu says to reissue certificate I have and add one more domain to it correct? Also if I may ask is the tutorial I mention good? Because I have to say was pretty easy to follow.


#10

[quote=“codeman1234, post:9, topic:33711, full:true”]
So, best option is what sahsanu says to reissue certificate I have and add one more domain to it correct?[/quote]

Yes. If you just add more domain names to your certbot-auto command line with -d, you will should get a new cert that covers all of the names you specify, and (assuming that you also included all of the names from the old cert), Certbot should replace the old cert with the new cert.

There is no serious inaccuracy but letsencrypt was renamed to certbot more than a year ago, and we don’t really recommend the git clone method of getting the Certbot code.

Some ways that we do recommend are described at https://certbot.eff.org/ and vary by operating system.


#11

Thanks for the explanation schoen, helps me a lot to learn how lets encrypt works, I have donde the following command as sahsanu said: “sudo ./letsencrypt-auto --apache --cert-name mydomain.com -d mydomain.com -d www.mydomain.com -d cdn.mydomain.com” and when I did it I got asked to Update Certificate for all 3 domains which I did but still when I try “https://cdn.mydomain.com” browser shows me that is an insecure connection because certificate is not installed on this subdomain. So, what is the problem, do I need to wait some time for new certificate to propagate like happens with DNS for example or what I am missing?

Thanks again!


#12

Hi @codeman1234, there is no such thing as a certificate propagation delay. This is a web server configuration issue; either your web server needs to be restarted (to adopt the new configuration) or you need to edit the web server configuration files to tell Apache to use the new certificate for cdn.mydomain.com.


#13

Hello schoen, thanks for the tip, because some hosting supports has used that excuse on me and I thought was true because of that. Did I miss something on command? because still shows me no secure connection on that subdomain.

Thanks!


#14

If you tell us what the domain name is, we can check whether it’s been issued. Or you can check for yourself on https://crt.sh/.

If it was issued but is not being used for your site, then you need to edit Apache configuration files in order to activate it appropriately for the domain name.


#15

Hey schoen,

I check domain and for what I saw seems right, can you check it to on your end and let me know what you think, domain => ithinkreviews.com also is showing Comodo SSL I was using before on older server. Let me know if I need to correct anything please!

Thanks!


#16

As of now, it does look right to me. I see your valid Let’s Encrypt certificate being used on https://ithinkreviews.com/, https://www.ithinkreviews.com/, and https://cdn.ithinkreviews.com/. (The first and last of these send a redirect but I used openssl s_client to see what the certificate that was sent before the redirect was.)

You might also want to check with https://www.whynopadlock.com/ to get rid of the browser warnings about mixed content on that page.


#17

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.