How to add new subdomain to cert using ZeroSSL LE64.exe?


Windows Server 2019
ZeroSSL Crypt::LE client v0.31

If I create a new subdomain as a separate website on our server, do I just add it’s full domain name to the existing comma-delimited “- -domains” parameter, force a manual renewal, and everything will work like magic? Existing cert covers “” and “”. Just checking this so I don’t break anything on our server, it uses 6 month browser lock headers…gulp.


Hi @mushu

perhaps. I don’t use ZeroSSL. Does that client creates a new IIS binding with that certificate?

And does that client replace the current certificate?

You can create the website with port 80, then create a certificate (only with the name of the subdomain, without installation), then create a new https binding with that certificate.

Then it’s isolated from your current website with the www- and non-www certificate.

–> it’s more a question about your client then about Letsencrypt.


Sorry, I wasn’t very clear. Yes there are multiple parts to all of this. I’ve automated the entire cert renewal process for our existing website, and only adding a new website on the same server. I am thinking it will be fine, just wanted to verify so I don’t make a mistake and bring down the entire website. Yes, when i actually put the new website up and use the IIS console to configure it, i will bind this one cert to the new site. My renewal batch files do all of that work automagically on renewal.


Because the CSR already stores the existing certificate domains it covers, my question is more specifically: how do I tell LE64.exe to add a new subdomain to my existing certificate? Do I have to generate a new secret key, etc, etc…?


You can’t change an existing certificate. Certificates are read-only.

You can create a new certificate with three domain names.

The same command you have used -> but not two, instead three domains.


Yeah, more work than I thought. Too bad I couldn’t find step-by-step instructions on the ZeroSSL website to more easily add a domain (or remove one) from an existing setup. I had to generate a new CSR with the new domain added to the others, generate a new key, and then figure out how to integrate it into my normal renewal process. Still trying to figure out how to manually run it “the first time” to generate a cert to begin with, since the LE website is down at this time.

EDIT: site is back up and now my testing is going through. Seems everything works except I still don’t have the DNS entry finalized so it dies at that step. Thanks for the comments everyone, they helped!


You just need to delete the CSR file you have previously created (and used for --csr parameter) and run the command as before, but with specifying additional domain along with old ones in --domains. That’s all.


Nothing on monitoring confirms that, perhaps specific connectivity issue between your location and the website?


There was a big red “maintenance” bar at the top of this website and my test ert attempts wouldn’t connect, so I assumed that the live server and test server are different and during maintenance the test site was unavailable. Since everything is back up now the point is moot.

However, to the other question I had, I think i tried it without the -csr parameter and it complained that I neede to supply a csr so I simply went to the zerossl webpage and generated a new csr and a new key and am using those now. I think it will work as soon as I get my new dns entry added. I had tried the -generate-missing and -generate-only but those also complained. It was a few days ago so I don’t remember the exact error text. at any rate, after I created a new csr & key it should be fine.

1 Like

So I finally got back to this. The problem I’m having is that I added a new domain for a different site so in the LE64.exe parameter list is a “–path” statement. That path is wrong for the new website I added. How do I do the renewal with a different path for a single certificate? This is probably the question I should have asked much sooner in the chain…sorry…


The --path parameter can accept multiple comma-separated paths. In that case the amount of those should match the amount of domains you have specified with --domains. Example:

–domains domain1,domain2,domain3 --path path1,path2,path3

1 Like

Okay one more question. Using this command while logged in as an administrator account and running at a command prompt launched as administrator:

le64.exe --key account.key --csr mydomain.csr --csr-key mydomain.key --crt mydomain.crt --domains ",," --path "\inetpub\wwwroot\.well-known\acme-challenge\,\inetpub\wwwroot\.well-known\acme-challenge\,\inetpub\\cms\.well-known\acme-challenge\" --unlink --issue-code 100

I get the following error:

2019/04/16 16:11:53 [ ZeroSSL Crypt::LE client v0.31 started. ]
2019/04/16 16:11:53 Path to save challenge files into should be a writable directory for: \inetpub\\cms\.well-known\acme-challenge --unlink --issue-code 100

The ACLs are set to [C] for the account the app pool is running under, plus Administrators has [F] and System has [F].


It’s Windows, and I would imagine the paths are on some actual drive, such as C: for example, so they might look like:


However, the actual problem in your case is the trailing backslash before closing quote - this is specific to Windows and this is why you see the rest of parameters along with the path in that error message. Fun fact - if you try to quote the path you posted right here, you will also notice that it is not displayed in the same way here either :slight_smile:


That was it! Thank you, I would have spent days trying things… <3

Now to get our new MVC site to allow raw reads and not insert it’s oversight and mess things up (the challenge response is returning a “real” webpage HTML code due to the CMS…ugh…) Not anything to do with the cert at this point, so thanks again!


Still struggling.

What is the content of the file the challenge writes to the acme-challenge directory? Is it just a text file without a file extension that contains a private key or something like that? Specifically, does it contain any HTML code? I can write to that directory and even view a webpage without logging in, however the challenge file keeps getting denied and has HTML in it.


Yes, just a text file with no extension and a specific “hash” inside it, which you can treat as a set of random readable characters.


You can create a simple file with no extension and with some text inside and try accessing it with your browser. Make sure though to “View source” the resulting page. If you see some HTML there instead of your text, that often means that server is not configured to serve the files with no extension and returns an error page instead. If you see some HTML along with your text, that might mean that the server or CMS are doing some sort of “framing” for example (such as “cloaked redirect” some hosters offer, displaying the content of some other server in the iframe).

1 Like