How can I expand a cert to mail. subdomain if it does not respond through HTTP?

I own domain X.Y. Under that domain I also have www.X.Y that my current cert covers. Now I need to expand that cert to cover mail.X.Y. But when I run --expand it wants mail.X.Y to respond over HTTP which I am not able to provide. How can I have the cert expand to include mail.X.Y?

If you expand a cert, it will generally try the same authentication method for all the names.
That said, not all ACME clients are created equal.
Some may authenticate different names differently.

That said, why do you need the mail name in that same cert?
Why not just give it its' own cert?

To answer the question of how - without an HTTP listener, you would have to use DNS authentication [OR get creative].

5 Likes

What is your definition of "it's"

A separate cert for just that one FQDN.

Cert #1: domain + www.domain
Cert #2: mail.domain

[they are free here]

5 Likes

That goes back to my original question: if certbot requires an HTTP response from a subdomain, but that subdomain does not respond over HTTP, then how can I get a cert for it?

1 Like

There are 3 ways to authenticate:

  • HTTP
  • DNS
  • TLS-ALPN

5 Likes

Oh, great! So, I read this: User Guide — Certbot 2.11.0 documentation
It says:

You can use the --preferred-challenges option to choose the challenge of your preference.

But what should the command for expanding a cert to mail. be, when using a DNS challenge? Is it this:

certbot --expand -d XY -d mail.XY --preferred-challenges dns

That might make all of the names use DNS authentication...
[not sure]

Again:

Do all three names [you forgot to list the "www" in your sample command] resolve to the same IP?

3 Likes

The IP is the same.

Then using HTTP authentication may be simpler than you think.
[and you can expand it in there]

Which web server are you using?

4 Likes

Apache on Windows Server

Simple:

  1. Add an HTTP vhost for the mail name.
    [be sure NOT to point it to a root directory that has anything in it - just use an empty folder]
  2. Use certbot to obtain a cert for the mail name [or expand the current cert to include it]

5 Likes
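As an added illustration of the two steps above (example configuration, not from the thread or from the certbot project; the folder paths and the webroot of the existing site are assumptions), an HTTP-only Apache vhost for the mail name, followed in the comments by the certbot command that expands the current cert:

```apache
# Added example (not from the thread): an HTTP-only vhost for mail.X.Y whose
# sole purpose is to answer the ACME HTTP-01 challenge. All paths are placeholders.
<VirtualHost *:80>
    ServerName mail.X.Y

    # Empty folder: nothing is served from here except the challenge files
    # certbot writes under /.well-known/acme-challenge/ for the validation.
    DocumentRoot "C:/acme-empty"
    <Directory "C:/acme-empty">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    ErrorLog  "logs/mail.X.Y-error.log"
    CustomLog "logs/mail.X.Y-access.log" common
</VirtualHost>

# After reloading Apache, expand the existing cert with the webroot authenticator.
# Each -w applies to the -d names that follow it, so the existing site keeps its
# own webroot (assumed to be C:/sites/www) and the mail name uses the empty folder:
#
#   certbot certonly --webroot --expand ^
#       -w "C:/sites/www"  -d X.Y -d www.X.Y ^
#       -w "C:/acme-empty" -d mail.X.Y
#
# --expand confirms adding mail.X.Y to the cert that already covers the first two names.
```

Because mail.X.Y resolves to the same IP as the web server, the challenge reaches this vhost even though the mail service itself never speaks HTTP.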

And you have not answered this question...:

4 Likes

To manage 1 cert, not several.

The ACME client [certbot] manages the certs for you [automagically].
It makes little difference - one cert OR one hundred certs.

3 Likes

And what, do you think, puts the cert on the mailserver? certbot? No, it does not. I do.

You will have to put one cert into the mail server no matter what names it contains.
[you should find a way to automate that step]

It might be able to learn how to...
But you would have to be a really good teacher.
OR
You could switch and use a real Windows ACME client...

5 Likes

Thanks for nothing.

W T F?
Are you really NOT happy with the FREE service I've provided you?

You sound very ungrateful...

5 Likes

The EFF has dropped support for Certbot on Windows in Feb of this year. You should not rely on it for new setups. It was never the best ACME Client on Windows anyway. Something like Certify the Web is probably the easiest.

See EFF's announcement here along with suggestions

5 Likes