I wanted four certificates but get one

My domains are:
ptif.co.uk, www.ptif.co.uk, ptifscreen.co.uk, www.ptifscreen.co.uk

I ran this command:

certbot certonly \
--test-cert \
--break-my-certs \
--expand \
--webroot \
--webroot-path /tmp/acme-challenge-screen \
-d ptifscreen.co.uk \
-d www.ptifscreen.co.uk \
--webroot-path /tmp/acme-challenge \
-d ptif.co.uk \
-d www.ptif.co.uk \
--agree-tos \
--email john@fernholt.myzen.co.uk \
--verbose \
--rsa-key-size 4096 \
--keep-until-expiring \

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for ptifscreen.co.uk and 3 more domains

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/ptifscreen.co.uk/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/ptifscreen.co.uk/privkey.pem
This certificate expires on 2023-10-01.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

My web server is (include version):

I am using the Nginx Docker image: nginx:latest
Nginx is in a Docker Container, Certbot is Not in a Container. Certbot is installed on the host.

The operating system my web server runs on is (include version):
Debian GNU/Linux 11 (bullseye)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
I can login as root.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Not using control panel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I am using certbot 2.6.0

My Problem

I am running the certbot command and hoping to get four certificates but I am only getting one (ptifscreen.co.uk).
I am running Nginx is a Docker Container. Certbot is installed on the host.

Running the certbot command works and doesn't error, but only one certificate is created.

The nginx conf file to create the certificates is:

server {
    listen 80;
    listen [::]:80;
    server_name ptifscreen.co.uk www.ptifscreen.co.uk;

    location /.well-known/acme-challenge/ {
        root /tmp/acme-challenge-screen;

    location / {
	root /usr/share/nginx/html;
	index index.html;

server {
    listen 80;
    listen [::]:80;
    server_name ptif.co.uk www.ptif.co.uk;

    location /.well-known/acme-challenge/ {
        root /tmp/acme-challenge;
    location / {
	root /usr/share/nginxptif/html;
	index index.html;

To create the Certificate only, I use this Docker compose file. I use a different one to serve the targets as a reverse proxy after the certificate has been installed.:

version: '3.7'


    image: nginx:latest
    container_name: nginx
      - "80:80"
      - ./config/nginx_init:/etc/nginx/conf.d
      - /etc/letsencrypt:/etc/letsencrypt:ro
      - /tmp/acme-challenge:/tmp/acme-challenge
      - /var/log/nginx:/var/log/nginx
      - ./config/tmpsite:/usr/share/nginx/html
      - ./config/tmpsiteptif:/usr/share/nginxptif/html

As far as I know each certbot request/renewal results in one certificate, to get multiple certificate you'd call certbot multiple times.


Thank you very much for your reply but I'm not sure that is correct - or maybe I misunderstood you.

If I run the certbot command again I get:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal; no action taken.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


  1. The response says Requesting a certificate for ptifscreen.co.uk and 3 more domains. So it sounds like letsencrypt does understand that I'm requesting more than one.

Though that does sound as if it is a request for one certificate but for four domains.

  1. The letsencrypt log file had this in a http response which suggests that it successfully understood I was asking for four.
  "status": "valid",
  "expires": "2023-07-10T06:56:55Z",
  "identifiers": [
      "type": "dns",
      "value": "ptif.co.uk"
      "type": "dns",
      "value": "ptifscreen.co.uk"
      "type": "dns",
      "value": "www.ptif.co.uk"
      "type": "dns",
      "value": "www.ptifscreen.co.uk"
  1. The log file has this success response:
    2023-07-03 06:56:58,365:DEBUG:acme.client:Received response:
    which also contained three certificates. Three was interesting, I asked for four and it knew about four.

Ha, no problem, you can disagree but it doesn't change how certbot works.

I probably wasn't clear in my response, it's perfectly normal for a single certificate to cover multiple domains (or subdomains) and that's currently what your asking it for and getting, whether you want that or not. You need to issue a separate certbot command for each cert.

Yes it could probably be phrased more clearly in the user interface, but now you know what's happening you can just issue multiple commands instead of one.


Thanks a lot @webprofusion . I really appreciate your time. Sorry for thinking that you might be wrong. A bit daft given that deeply understand this stuff and you've created a cool tool to manage it.

Anyway, I now have multiple certificates - two rather than four because I decided to remove the www options. But...

One last question hopefully. So can I actually serve two domains from one certificate? And was I wrong to want two certificates in this scenario?
I'm getting an insecure certificate but from (STAGING) Pretend Pear even though I have removed the --test-cert \ flag.

1 Like

A Let's Encrypt certificate can contain up to 100 (!) hostnames.


Thank you

1 Like

We should review the certs being managed with:
certbot certificates


Yes I found that. Very useful indeed. Thanks

1 Like

Does it show the right domains being covered?


Yes. It's all good now. Thanks. And sorry for the slow reply.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.