How to get multiple certificates for subdomains when using certbot?


#1

Hi,

I am using a vserver with Windows 2008 that is running hMailServer; my domain's MX and A records are pointing to that server.

My other server is also a vserver running Ubuntu 16; on this vserver I host ownCloud and Roundcube. To access both services I have two additional A records as subdomains, owncloud.domain.de and webmail.domain.de.

Actually I have a working certificate installed by certbot for the domain owncloud.domain.de; now I also want to create an additional certificate for webmail.domain.de.

When I execute letsencrypt --apache again it only lets me renew my current certificate. How can I get a second one for my other subdomain? If this isn't possible with the automatism, how do I do it manually?

And how can I later automate the renewal of both certificates when certbot can only automate one?

It’s not possible for me to change the A record for domain.de to the Ubuntu server, because for working email on the Windows 2008 server the main A record and MX have to point to that server; otherwise I could just get a cert for domain.de instead of one for every subdomain.

Regards X23


#2

To get a certificate for webmail.domain.de, it will be necessary to prove control of this name. As I understand it (please correct if I am wrong) this name refers to the Windows 2008 server and so proof would either need to be through DNS records, or by arranging for the Windows 2008 server to successfully pass the proof of control validation.

And of course, to install this certificate (and subsequent renewed versions), so as to make any use of it, will also require changes on the Windows 2008 server.

So, the Apache module definitely can’t help you, because it only deals with names for which the Apache server is answering, and webmail.domain.de isn’t such a name. You could look at the “manual” module in Certbot but this is not very automatic, so I suggest that you investigate whether any suitable client software exists which could run automatically on the Windows 2008 server. If you are comfortable with PowerShell, or with .NET programming you might particularly investigate https://github.com/ebekker/ACMESharp


#3

Hi,

You got me wrong: both subdomains point to Ubuntu, all the rest is pointing to 2008.

And I already have a LE cert for owncloud.domain.de that is working; I just need to create a second one for webmail.domain.de and configure it for the specific host.

What I need to know is how to do by hand what certbot is doing to get the cert files, and how to update these certificates via the command line. I need to know which steps need to be done.

For my question the 2008 server isn’t necessary, I just want to explain the setup; the A records can be seen in the uploaded screenshot. I am already using certbot with success for owncloud.domain.de. How do I achieve this for a second subdomain on the same server (Ubuntu)?

Regards X23


#4

Aha, yes, I have misunderstood what “roundcube” is, my mistake, sorry.

I don’t know why the Apache plugin for Certbot has not identified webmail.domain.de as a name in your Apache; it can be confused by complicated Apache configurations sometimes.

You could read the documentation for the certonly / web root mode: https://certbot.eff.org/docs/using.html#webroot. This is not quite how Certbot usually does things with Apache, but it will work and can still be renewed automatically once you get it working.


#5

I’ve added the virtual host for webmail after I already made one cert for owncloud with certbot, maybe this is why. But how do I get certbot into a state where it not only offers me to renew an existing cert? Let’s say reset certbot like it was never there before; maybe then I get the choice for a subdomain… Does certbot detect such virtual host configurations and present a dropdown?


#6

OK, so I think you can do something like this:

letsencrypt --apache -d webmail.domain.de

And that’ll make a new certificate just for webmail.domain.de

If you’d rather replace the certificate you have now with one that has both names in, you can write

letsencrypt --apache --expand -d owncloud.domain.de -d webmail.domain.de

Since this will all be managed by the same service that’s already (presumably) renewing your existing certificate, you don’t need anything extra to renew the new certificate.
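
Before choosing between the two commands in post #6, it helps to check which virtual host names the existing certificates already cover. The script below is an added example, not code from any poster in the thread: the helper names and the sample listing are constructed, and it assumes the listing format printed by certbot certificates, including wildcard entries that the thread itself does not discuss.

```shell
#!/bin/sh
# Constructed sample modelled on `certbot certificates` output for the
# thread's setup: only owncloud.domain.de has a certificate so far.
SAMPLE_CERTS='Found the following certs:
  Certificate Name: owncloud.domain.de
    Domains: owncloud.domain.de
    Expiry Date: 2017-06-01 10:00:00+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/owncloud.domain.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/owncloud.domain.de/privkey.pem'

# cert_for HOST (hypothetical helper): read a listing on stdin and print the
# name of the first certificate whose Domains line covers HOST, matching
# either the exact name or a one-label wildcard such as *.domain.de.
cert_for() {
    awk -v host="$1" '
        function covers(entry, h,   rest) {
            if (entry == h) return 1
            if (substr(entry, 1, 2) != "*.") return 0
            rest = h
            if (!sub(/^[^.]+\./, "", rest)) return 0
            return rest == substr(entry, 3)
        }
        $1 == "Certificate" && $2 == "Name:" { name = $3 }
        $1 == "Domains:" {
            for (i = 2; i <= NF; i++)
                if (covers(tolower($i), tolower(host))) { print name; exit }
        }'
}

# missing_certs HOST... : print the hosts that no listed certificate covers.
missing_certs() {
    listing=$(cat)
    for host in "$@"; do
        [ -n "$(printf '%s\n' "$listing" | cert_for "$host")" ] ||
            printf '%s\n' "$host"
    done
}

# next_steps HOST... : print (never run) the per-host command from the
# thread for every virtual host name that still lacks a certificate.
next_steps() {
    missing_certs "$@" | while read -r host; do
        printf 'letsencrypt --apache -d %s\n' "$host"
    done
}

# On a real server, pipe the client's own certificate listing in instead.
printf '%s\n' "$SAMPLE_CERTS" | next_steps owncloud.domain.de webmail.domain.de
```

Once the second certificate exists, certbot renew --dry-run exercises renewal for every certificate the client manages, which addresses the renewal question in post #1.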

