How do I add a domain to an existing certificate?

I created a certificate for darksteve.tk back in 2016. The certificate currently contains three domains, darksteve.tk, cloud.darksteve.tk, and mail.darksteve.tk.

I now want to add sync.darksteve.tk to the certificate (I’m planning on running my own Pale Moon sync server on a Raspberry Pi). Unfortunately the documentation for certbot is rather poo.

Should I use "--expand"? The documentation thinks I shouldn't, and thinks I should use "--cert-name" instead. But nothing in the documentation explains how I'm to provide the authentication method.

I can’t remember the exact command I used back in 2016 to create the certificate, but I know I used certonly and webroot. The server is running FreeBSD and I have ssh and root access. I renew using “certbot-2.7 renew” via cron. (Currently using Certbot version 0.36.)

My renewal conf contains:
[renewalparams]
authenticator = webroot
rsa_key_size = 4096
account = [redacted]
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
darksteve.tk = /path/to/darksteve.tk/
mail.darksteve.tk = /path/to/roundcube/
cloud.darksteve.tk = /path/to/nextcloud/

I want to authenticate sync.darksteve.tk using webroot as well, so what command should I use to expand my current certificate? Do I need to provide authentication info for every domain, or just the new one I’m adding? Could somebody provide an example command? I don’t want to accidentally kill my existing certificate in a clumsy attempt to add a domain!

Hi @DarkSteve

The typical way to use it: first interactively, then Certbot saves your input, and later you run only "certbot renew".

But you can use

certbot -d darksteve.tk -d mail.darksteve.tk -d cloud.darksteve.tk -d sync.darksteve.tk

to create one certificate with four domain names. But perhaps you have to tell certbot all webroot paths again.

So:

  • first make a backup of your config file and your existing certificates (/live and /archive).
  • then add the webroot of your new subdomain in your [[webroot_map]]
  • then find your certificate name:
        certbot certificates
  • then use that name:
        certbot -d darksteve.tk -d mail.darksteve.tk -d cloud.darksteve.tk -d sync.darksteve.tk --cert-name certificate-name

So certbot should find the configuration and use the new definition of your subdomain.

Ah, I was wondering about that. I actually wanted to simply update my renewal conf but wasn't sure that would be enough.

I just checked, and I only have the one certificate, and it's under the name I expected. I'll give your suggestion a go now!

Ok, it didn't quite work as intended!

First, it gave an error and dropped out with the message:
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

Once I added certonly (certbot-2.7 certonly -d darksteve.tk -d mail.darksteve.tk -d cloud.darksteve.tk -d sync.darksteve.tk --cert-name darksteve.tk), it initially seemed to work. However it complained it didn't know how to authenticate, even though I'd added the "sync" line under the webroot map in my conf.

It gave me the option of using webroot, so I took it. I needed to manually re-enter the webroot path, but that was no big deal. It then confirmed:

You are updating certificate darksteve.tk to include new domain(s):
+ sync.darksteve.tk

You are also removing previously included domain(s):
(None)

Did you intend to make this change?

I chose to update, and everything appeared to work. I then re-checked my certificates, and it gave the output:
Found the following certs:
Certificate Name: darksteve.tk
Domains: darksteve.tk cloud.darksteve.tk mail.darksteve.tk sync.darksteve.tk
Expiry Date: 2019-10-19 14:32:06+00:00 (VALID: 89 days)

Everything seemed great until I checked my renewal conf, and it had removed all my existing domains and replaced it only with the sync domain!

I've now re-added my original domains back into the conf, and hopefully everything will go well when I renew in a couple of months :slight_smile:
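The steps suggested above (backup, add the new subdomain to [[webroot_map]], find the certificate name, expand with --cert-name) and the check for the problem reported in this reply (the renewal conf ending up with only the new domain) can be scripted. The following POSIX shell helpers are an added example, not code from this thread or from Certbot. They assume the renewal conf uses "domain = /path" lines under [[webroot_map]] as shown in the question, that the real conf lives at /etc/letsencrypt/renewal/<cert-name>.conf, and that the certbot binary is called certbot (set CERTBOT=certbot-2.7 for the FreeBSD package named in the question). The script never invokes certbot itself; it prints the command to run.

```shell
#!/bin/sh
# Added example (not code from the thread or from Certbot): helpers that script the
# steps above. Assumptions: the renewal conf uses "domain = /path" lines under
# [[webroot_map]], and the certbot binary is "certbot" (set CERTBOT=certbot-2.7
# for the FreeBSD package named in the question). Nothing here calls certbot.
set -eu

CERTBOT=${CERTBOT:-certbot}

# Constructed sample conf shaped like the one in the question; the real file is
# /etc/letsencrypt/renewal/<cert-name>.conf (path assumed).
make_sample_conf() {
    cat > "$1" <<'EOF'
[renewalparams]
authenticator = webroot
rsa_key_size = 4096
account = [redacted]
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
darksteve.tk = /path/to/darksteve.tk/
mail.darksteve.tk = /path/to/roundcube/
cloud.darksteve.tk = /path/to/nextcloud/
EOF
}

# Step 1: archive the whole config dir (renewal/, live/, archive/) before touching it.
backup_letsencrypt() {
    # $1 = config dir, $2 = destination tarball; fails if the archive came out empty
    tar -cf "$2" -C "$(dirname "$1")" "$(basename "$1")" && [ -s "$2" ]
}

# True if conf $1 already has a "domain = path" line for $2 inside [[webroot_map]].
has_webroot_entry() {
    awk -v d="$2" '
        /^\[\[webroot_map\]\]/ { inmap = 1; next }
        inmap && $1 == d && $2 == "=" { found = 1 }
        END { exit !found }' "$1"
}

# Step 2: add the new subdomain right after the [[webroot_map]] header (idempotent).
add_webroot_entry() {
    conf=$1; domain=$2; path=$3
    if has_webroot_entry "$conf" "$domain"; then return 0; fi
    awk -v d="$domain" -v p="$path" '
        { print }
        /^\[\[webroot_map\]\]/ { print d " = " p }' "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Post-expand check: every expected domain must still have a webroot entry. The
# poster found certbot had rewritten the map with only the new name, which would
# break the next "certbot renew" for the other three names.
verify_webroot_map() {
    conf=$1; shift
    status=0
    for d in "$@"; do
        if ! has_webroot_entry "$conf" "$d"; then
            echo "missing webroot entry for $d in $conf" >&2
            status=1
        fi
    done
    return $status
}

# Steps 3/4: build the certonly command from the map, giving every -d its own -w
# (certbot applies a -w to the -d options that follow it until the next -w), so no
# interactive webroot prompt is needed. Prints the command, does not run it.
expand_command() {
    conf=$1; name=$2
    awk -v bin="$CERTBOT" -v name="$name" '
        /^\[\[webroot_map\]\]/ { inmap = 1; next }
        inmap && $2 == "=" { args = args " -w " $3 " -d " $1 }
        END { print bin " certonly --webroot --cert-name " name args }' "$conf"
}

# Walk through the whole sequence in a scratch directory; no real install is touched.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/letsencrypt/renewal" "$tmp/letsencrypt/live" "$tmp/letsencrypt/archive"
    conf="$tmp/letsencrypt/renewal/darksteve.tk.conf"
    make_sample_conf "$conf"
    backup_letsencrypt "$tmp/letsencrypt" "$tmp/letsencrypt-backup.tar"
    add_webroot_entry "$conf" sync.darksteve.tk /path/to/sync/
    verify_webroot_map "$conf" darksteve.tk mail.darksteve.tk cloud.darksteve.tk sync.darksteve.tk
    expand_command "$conf" darksteve.tk
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run `sh expand.sh demo` to see the sequence against the sample conf. Against a real install, take the printed command and run it once with `--dry-run` added (certbot then talks to the staging environment and saves nothing), then run it for real; `--cert-name` makes certbot update the existing lineage rather than create a second one. Afterwards `certbot certificates` should list all four names, and running `verify_webroot_map` on the real renewal conf with all four names catches the rewritten-map problem before the next cron renewal does.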

The problem may be that your last certificate is only a few days old ( https://check-your-website.server-daten.de/?q=darksteve.tk#ct-logs ):

Issuer not before not after Domain names LE-Duplicate next LE
Let's Encrypt Authority X3 2019-07-13 2019-10-11 cloud.darksteve.tk, darksteve.tk, mail.darksteve.tk - 3 entries
Let's Encrypt Authority X3 2019-05-11 2019-08-09 cloud.darksteve.tk, darksteve.tk, mail.darksteve.tk - 3 entries

So there was no need to revalidate these domains again; a confirmed challenge is cached for 30 days.

So creating a backup makes such things easy :wink:

Maybe it's easier if you have 4 different certificates, one per vHost / domain. Then you can add and remove domains by adding and deleting certificates.

PS: There is a limit of max. 50 certificates per week per domain, but that's not really relevant.

Yes! I'm glad you mentioned it as step one, otherwise I probably would have forgotten!

I actually prefer having everything in one place, especially for a domain and its subdomains. I may add another domain (as opposed to a subdomain) in the future, in which case I will create another certificate. Having subdomains in the same cert as the parent domain has been really handy in the past, especially with my mail (roundcube/postfix/dovecot).

I didn't realise I'd updated only days ago, or that it might impact my new domain addition. I'm glad it ultimately worked! Thanks for the advice, now I'm off to bed. It's 2:30am here in Eastern Australia, and I have to get up for work in four hours! :crazy_face: :sleeping:
