How to correctly use Certbot to update or change domains?


We are having a heck of a time getting Certbot to behave properly when we want to issue new certificates after having changed webserver configuration.

This applies equally to Apache and Nginx.

What we first did was we’d just run Certbot again. Say we’d run Certbot once like so:

certbot --webroot-path /var/www/html --authenticator webroot --installer apache --expand --non-interactive --agree-tos --domains --redirect

and again like so

certbot --webroot-path /var/www/html --authenticator webroot --installer apache --expand --non-interactive --agree-tos --domains, --redirect

What we found was that it would then complain about existing configuration which Certbot itself had created for the webserver. This was only a problem on Apache, I believe (it should be easy to reproduce).

Then we started issuing a rollback command first. This solved the issue, somewhat, but now we have a bit of a catch-22: Certbot really likes, especially when it comes to Apache, that server names are set up in the webserver config first.

But if we do that before the rollback, then that new config is lost and Certbot will fail. So now we have to do:

1. certbot rollback
2. Set server names
3. Run Certbot

Again, this gets a bit funky if the user has done any customization to their webserver config before we do this, as then that config will be lost.

Is there any “right way” of doing this?

I.e. any way of getting Certbot to understand that I have already updated server names in my webserver config and that I just want to update the list of domains?

Does this all maybe just stem from bugginess in how Certbot handles Apache, and we were doing the correct thing all along, and is this something I should post in the issue tracker instead?

Can you share the exact wording of the complaint?

Alright I just tried it again now where I ran Certbot with a single domain, and then added a second on Apache

I haven’t done this in a while as we, as mentioned, switched to doing a rollback in order to avoid problems. In any case, possibly Certbot has been updated since, as now I don’t get a fatal error. I do however get an error:

Enhancement redirect was already set.

Meaning, it looks like the redirect which was set during the first run of Certbot is not being updated with a redirect for the new domain on the second run.

In any case, are you essentially saying that it is fundamentally correct and OK to just run Certbot over and over again specifying new domains - as long as we have defined those domains in our webserver config…?

Did you add the second domain to the same VirtualHost in apache, or a new one?

Is the second domain actually redirecting, or not?

Yes. However, if you'll be doing this more than 20 times a week, keep an eye on the rate limits. Adding a domain to a certificate counts as issuing a new certificate containing both the old and new names, so it counts towards the rate limit for both (if they're different).
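One way to drive Certbot from the server names already declared in the vhost, instead of rolling back the webserver config first, as an added example that is not code from this thread or from Certbot itself: it reads ServerName/ServerAlias from an Apache vhost file and the saved output of `certbot certificates`, and only emits an expansion command (using the real `--cert-name` and `--expand` flags) when the vhost carries a name the existing lineage lacks, so a run with nothing new is skipped rather than counted against the rate limit mentioned above. The file paths, the lineage name `example.com` and the sample vhost and certificate listing are constructed for the example, not captured from a real system.

```shell
#!/bin/sh
# Added example: build the certbot command that expands an existing lineage to
# the names currently configured in an Apache vhost. Nothing here calls certbot;
# the command is printed so it can be reviewed (or run with --dry-run) first.
set -eu
export LC_ALL=C   # stable sort order so comm(1) sees consistently sorted input

# ServerName and every ServerAlias token from a vhost file, sorted and unique.
vhost_names() {   # $1 = vhost file
    awk 'tolower($1) == "servername" || tolower($1) == "serveralias" {
             for (i = 2; i <= NF; i++) print $i }' "$1" | sort -u
}

# Names already on one lineage, parsed from saved `certbot certificates` output
# (the "Certificate Name:" / "Domains:" lines of that listing).
lineage_names() {   # $1 = saved certbot output, $2 = lineage name
    awk -v want="$2" '
        $1 == "Certificate" && $2 == "Name:" { cur = $3 }
        cur == want && $1 == "Domains:"      { for (i = 2; i <= NF; i++) print $i }' "$1" \
      | sort -u
}

# Print the expansion command, or nothing when the vhost adds no new name.
# Passing --cert-name keeps the same lineage instead of creating "example.com-0001".
build_expand_cmd() {   # $1 = vhost file, $2 = certbot output, $3 = lineage, $4 = webroot
    have=$(mktemp); want=$(mktemp)
    lineage_names "$2" "$3" > "$have"
    vhost_names "$1" > "$want"
    new=$(comm -23 "$want" "$have")          # in vhost but not on the cert
    if [ -z "$new" ]; then
        rm -f "$have" "$want"; return 0      # nothing to expand: skip the issuance
    fi
    all=$(sort -u "$have" "$want" | tr '\n' ',' | sed 's/,$//')
    rm -f "$have" "$want"
    printf 'certbot --authenticator webroot --webroot-path %s --installer apache' "$4"
    printf ' --cert-name %s --expand --non-interactive --agree-tos --domains %s --redirect\n' "$3" "$all"
}

# Constructed sample inputs (hypothetical vhost and certificate listing).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/site.conf" <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com shop.example.com
    DocumentRoot /var/www/html
</VirtualHost>
EOF
cat > "$SAMPLE_DIR/site-unchanged.conf" <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/html
</VirtualHost>
EOF
cat > "$SAMPLE_DIR/certs.txt" <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2024-01-01 00:00:00+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
EOF

# shop.example.com is new, so a command is printed; the unchanged vhost prints nothing.
build_expand_cmd "$SAMPLE_DIR/site.conf" "$SAMPLE_DIR/certs.txt" example.com /var/www/html
build_expand_cmd "$SAMPLE_DIR/site-unchanged.conf" "$SAMPLE_DIR/certs.txt" example.com /var/www/html
```

In practice the listing would come from `certbot certificates > certs.txt` on the host, and the printed command can be tried with `--dry-run` against the staging environment before running it for real. Since the thread reports that the existing redirect enhancement is not extended to the newly added name, check the vhost's redirect after the run rather than assuming `--redirect` covered it.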

I added the second domain to the same virtualhost

The domain is not redirecting

We have gotten our rate limits raised quite a bit, so that’s not a concern

As it seems we were originally doing the right thing, and what we saw was probably a Certbot bug, I will revert to our old system behavior - and then I’ll post in the Certbot issue tracker when / if we see issues in the future.

I’ll try and remember to post back here if I run into something relevant.

I should probably start with posting this issue with redirects … It seems like a bug.

Yeah, it doesn’t seem to expand the existing redirect to cover the new domain, which it seems like it probably should.

I have posted in the issue tracker a fairly detailed summary of what we are up against:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.