How to renew a certificate AND add and extra name on the certificate?

raphael10-collab · June 8, 2021, 9:18am

My domain is: grasp.deals

I want to renew my certificate but also ADD an extra certification for conference.grasp.deals, needed for XMPP Server .

I tried in this way:

(base) raphy@pc:~$ sudo certbot renew -d conference.grasp.deals
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Currently, the renew verb is capable of either renewing all installed certificates that are due to be 
renewed or renewing a single certificate specified by its name. If you would like to renew specific  
certificates by their domains, use the certonly command instead. The renew verb may provide other 
options for selecting certificates to renew in the future.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log
/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.



(base) raphy@pc:~$ sudo certbot -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: grasp.deals
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): grasp.deals conference.grasp.deals
** Error - Invalid selection **

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: grasp.deals
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): c
Please specify --domains, or --installer that will help in domain names autodiscovery, or --cert-name    
for an existing certificate name.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log
/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

_az · June 8, 2021, 9:52am

Usually you need to specify the full list of domains you want. You could try:

certbot --nginx --cert-name grasp.deals \
-d grasp.deals -d www.grasp.deals -d conference.grasp.deals

and it will renew the existing certificate with all 3 domains.

raphael10-collab · June 8, 2021, 9:58am

Thank you!

I had to use --cert-name :

(base) raphy@pc:~$ sudo certbot --nginx --cert-name grasp.deals \
> -d grasp.deals -d conference.grasp.deals
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate grasp.deals to include new domain(s):
+ conference.grasp.deals

You are also removing previously included domain(s):
(None)

Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate certificate/(C)ancel: U
Renewing an existing certificate for grasp.deals and conference.grasp.deals

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/grasp.deals/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/grasp.deals/privkey.pem
This certificate expires on 2021-09-06.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for grasp.deals to /etc/nginx/conf.d/default.conf
Successfully deployed certificate for conference.grasp.deals to /etc/nginx/conf.d/default.conf
Your existing certificate has been successfully renewed, and the new certificate has been installed.

rg305 · June 8, 2021, 3:12pm

Although that may get a cert with multiple names...
The config only seems to be using one single name.
You should always start with having a fully functional HTTP config (for all names) before proceeding to get/use certificates.

raphael10-collab · June 8, 2021, 3:24pm

@rg305

I do not understand.
Does it mean that I got only the certificate from grasp.deals and not also for conference.grasp.deals ?
Why this happened and how to correct it in order to add the extra name also for conference.grasp.deals?

griffin · June 8, 2021, 4:13pm

You can see the complete certificate history for grasp.deals here:

https://crt.sh/?q=grasp.deals

You still don't have the correct certificate since you have www.grasp.deals in your DNS and did not include it in your certificate. Per what @_az said, here's the correct command:

certbot --cert-name grasp.deals --nginx -d "grasp.deals,www.grasp.deals,conference.grasp.deals"

What @rg305 is meaning is that it doesn't appear that your nginx configuration has a server_name for conference.grasp.deals.

You can read more about that here:

http://nginx.org/en/docs/http/server_names.html

@rg305

As a side note, why doesn't nginx.org have an http to https redirect?

raphael10-collab · June 8, 2021, 4:38pm

This is the complete /etc/nginx/conf.d/default.conf :

(base) raphy@pc:~$ sudo cat /etc/nginx/conf.d/default.conf
server {
    listen 443 ssl http2 default_server;
    server_name grasp.deals www.grasp.deals;
    ssl_certificate /etc/letsencrypt/live/grasp.deals/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/grasp.deals/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/grasp.deals/chain.pem;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-
draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;

    access_log /var/log/nginx/graspdeals-access.log combined;

    add_header Strict-Transport-Security "max-age=31536000";
    location = /favicon.ico { access_log off; log_not_found off; }

    location / {

        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /weights {
        root /home/marco/www;
        try_files $uri $uri/ =404;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       # Following is necessary for Websocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /http-bind {
        proxy_pass http://127.0.0.1:5280/http-bind;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
        tcp_nodelay on;
    }

    location /xmpp-websocket {
        proxy_http_version 1.1;
        proxy_pass http://127.0.0.1:5280;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400;
    }
}


upstream websocket {
    ip_hash;
    server localhost:3000;
}


server {
    listen 81;
    server_name grasp.deals www.grasp.deals;

    location ~ ^/(websocket|websocket\/socket-io) {
        proxy_pass http://127.0.0.1:4201;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwared-For $remote_addr;
        proxy_set_header Host $host;

        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
    }

    location /http-bind {
        proxy_pass http://127.0.0.1:5280/http-bind;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
        tcp_nodelay on;
    }

    location /xmpp-websocket {
      proxy_http_version 1.1;
      proxy_pass http://127.0.0.1:5280;
      proxy_buffering off;
      proxy_set_header Host $host;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_read_timeout 86400;
    }
}

upstream golang-webserver {
    ip_hash;
   server 127.0.0.1:2000;
}

server {
    root /puser/add;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-
 draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD
5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;

    location / {
        proxy_pass http://golang-webserver;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

server {
    if ($host = grasp.deals) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name grasp.deals;
    listen 80;
    return 404; # managed by Certbot
}

server {
    listen 443 ssl http2 ;
    server_name conference.grasp.deals; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/grasp.deals/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/grasp.deals/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/grasp.deals/chain.pem;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-
draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;

    access_log /var/log/nginx/graspdeals-access.log combined;

    add_header Strict-Transport-Security "max-age=31536000";
    location = /favicon.ico { access_log off; log_not_found off; }

    location / {

        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /weights {
        root /home/marco/www;
        try_files $uri $uri/ =404;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Following is necessary for Websocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }


    location /http-bind {
        proxy_pass http://127.0.0.1:5280/http-bind;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
        tcp_nodelay on;
    }

    location /xmpp-websocket {
        proxy_http_version 1.1;
        proxy_pass http://127.0.0.1:5280;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400;
    }
}

So, as far as I understand, there is already a server_name conference.grasp.deals within nginx configuration. Or am I wrong?

raphael10-collab · June 8, 2021, 4:47pm

(base) raphy@pc:~$ sudo certbot --cert-name grasp.deals --nginx -d  
"grasp.deals,www.grasp.deals,conference.grasp.deals"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate grasp.deals to include new domain(s):
+ www.grasp.deals

You are also removing previously included domain(s):
(None)

Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate certificate/(C)ancel: U
Renewing an existing certificate for grasp.deals and 2 more domains

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/grasp.deals/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/grasp.deals/privkey.pem
This certificate expires on 2021-09-06.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for grasp.deals to /etc/nginx/conf.d/default.conf
Successfully deployed certificate for www.grasp.deals to /etc/nginx/conf.d/default.conf
Successfully deployed certificate for conference.grasp.deals to /etc/nginx/conf.d/default.conf
Your existing certificate has been successfully renewed, and the new certificate has been installed.

griffin · June 8, 2021, 4:57pm

There's no port 80 server block with a server_name of conference.grasp.deals, so the port 80 server block (that's missing default_server) with server_name grasp.deals is being used.
There's no port 80 server block with a server_name of www.grasp.deals, so the port 80 server block (that's missing default_server) with server_name grasp.deals is being used.
There's a port 81 server block!?
You now have a correct certificate.

raphael10-collab · June 8, 2021, 5:13pm

I added a port 80 server block with server_name conference.grasp.deals in /etc/nginx/conf.d/default.conf :

server {
    listen 80 ssl http2;
    server_name conference.grasp.deals www.grasp.deals;
    ssl_certificate /etc/letsencrypt/live/grasp.deals/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/grasp.deals/privkey.pem; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-
draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;

    access_log /var/log/nginx/graspdeals-access.log combined;

    add_header Strict-Transport-Security "max-age=31536000";
    location = /favicon.ico { access_log off; log_not_found off; }

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /weights {
        root /home/marco/www;
        try_files $uri $uri/ =404;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Following is necessary for Websocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }


    location /http-bind {
        proxy_pass http://127.0.0.1:5280/http-bind;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
        tcp_nodelay on;
    }

    location /xmpp-websocket {
        proxy_http_version 1.1;
        proxy_pass http://127.0.0.1:5280;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400;
    }
}

Do I need to re-issue the certificate after adding this port 80 server block with conference.grasp.deals as server_name?

griffin · June 8, 2021, 5:14pm

You added an SSL-enabled port 80, which won't work.

griffin · June 8, 2021, 5:17pm

Get rid of the block you just created.

Change this:

server {
    if ($host = grasp.deals) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name grasp.deals;
    listen 80;
    return 404; # managed by Certbot
}

To this:

server {
    if ($host = grasp.deals) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = www.grasp.deals) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = conference.grasp.deals) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name grasp.deals www.grasp.deals conference.grasp.deals;
    listen 80 default_server;
    return 404; # managed by Certbot
}

Nope. You just need to reload nginx:

sudo nginx -s reload

raphael10-collab · June 8, 2021, 5:24pm

Thank you very much for your very kind help

griffin · June 8, 2021, 5:30pm

You're very welcome.

I know how confusing these things can be.

system · July 8, 2021, 5:31pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.