How do I add a domain to an existing certificate?

I created a certificate for darksteve.tk back in 2016. The certificate currently contains three domains, darksteve.tk, cloud.darksteve.tk, and mail.darksteve.tk.

I now want to add sync.darksteve.tk to the certificate (I’m planning on running my own Pale Moon sync server on a Raspberry Pi). Unfortunately the documentation for certbot is rather poo.

Should I use “–expand”? The documentation thinks I shouldn’t, and thinks I should use “–cert-name” instead. But nothing in the documentation explains how I’m to provide the authentication method.

I can’t remember the exact command I used back in 2016 to create the certificate, but I know I used certonly and webroot. The server is running FreeBSD and I have ssh and root access. I renew using “certbot-2.7 renew” via cron. (Currently using Certbot version 0.36.)

My renewal conf contains:
[renewalparams]
authenticator = webroot
rsa_key_size = 4096
account = [redacted]
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
darksteve.tk = /path/to/darksteve.tk/
mail.darksteve.tk = /path/to/roundcube/
cloud.darksteve.tk = /path/to/nextcloud/

I want to authenticate sync.darksteve.tk using webroot as well, so what command should I use to expand my current certificate? Do I need to provide authentication info for every domain, or just the new one I’m adding? Could somebody provide an example command? I don’t want to accidentally kill my existing certificate in a clumsy attempt to add a domain!

Hi @DarkSteve

the typical command you use: First interactive, then Certbot saves your input, later only “certbot renew”.

But you can use

certbot -d darksteve.tk -d mail.darksteve.tk -d cloud.darksteve.tk -d sync.darksteve.tk

to create one certificate with four domain names. But perhaps you have to tell certbot all webroot paths again.

So:

  • first make a backup of your config file and your existing certificates (/live and /archive).
  • then add the webroot of your new subdomain in your [[webroot_map]]
  • then find your certificate name
certbot certificates
  • then use that name:
certbot -d darksteve.tk -d mail.darksteve.tk -d cloud.darksteve.tk -d sync.darksteve.tk --cert-name certificate-name

So certbot should find the configuration and use the new definition of your subdomain.

2 Likes

Ah, I was wondering about that. I actually wanted to simply update my renewal conf but wasn’t sure that would be enough.

I just checked, and I only have the one certificate, and it’s under the name I expected. I’ll give your suggestion a go now!

Ok, it didn’t quite work as intended!

First, it gave an error and dropped out with the message:
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

Once I added certonly (certbot-2.7 certonly -d darksteve.tk -d mail.darksteve.tk -d cloud.darksteve.tk -d sync.darksteve.tk --cert-name darksteve.tk), it initially seemed to work. However it complained it didn’t know how to authenticate, even though I’d added the “sync” line under the webroot map in my conf.

It gave me the option of using webroot, so I took it. I needed to manually re-enter the webroot path, but that was no big deal. It then confirmed:

You are updating certificate darksteve.tk to include new domain(s):
+ sync.darksteve.tk

You are also removing previously included domain(s):
(None)

Did you intend to make this change?

I chose to update, and everything appeared to work. I then re-checked my certificates, and it gave the output:
Found the following certs:
Certificate Name: darksteve.tk
Domains: darksteve.tk cloud.darksteve.tk mail.darksteve.tk sync.darksteve.tk
Expiry Date: 2019-10-19 14:32:06+00:00 (VALID: 89 days)

Everything seemed great until I checked my renewal conf, and it had removed all my existing domains and replaced it only with the sync domain!

I’ve now re-added my original domains back into the conf, and hopefully everything will go well when I renew in a couple of months :slight_smile:

The problem may be, that your last certificate is only a few days old ( https://check-your-website.server-daten.de/?q=darksteve.tk#ct-logs ):

Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2019-07-13 2019-10-11 cloud.darksteve.tk, darksteve.tk, mail.darksteve.tk - 3 entries
Let’s Encrypt Authority X3 2019-05-11 2019-08-09 cloud.darksteve.tk, darksteve.tk, mail.darksteve.tk - 3 entries

So there was no need to revalidate these domains again, a confirmed challenge is 30 days cached.

So creating a backup makes such things easy :wink:

Maybe it’s easier you have 4 different certificates, one per vHost / domain. So you can add and remove domains by adding and deleting certificates.

PS: There is a limit of max. 50 certificates per week per domain, but that’s not really relevant.

Yes! I’m glad you mentioned it as step one, otherwise I probably would have forgotten!

I actually prefer having everything in one place, especially for a domain and it’s subdomains. I may add another domain (as opposed to a subdomain) in the future, in which case I will create another certificate. Having subdomains in the same cert as the parent domain has been really handy in the past, especially with my mail (roundcube/postfix/dovecot).

I didn’t realise I’d updated only days ago, or that it might impact my new domain addition. I’m glad it ultimately worked! Thanks for the advice, now I’m off to bed. It’s 2:30am here in Eastern Australia, and I have to get up for work in four hours! :crazy_face: :sleeping:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.