Is it possible to issue multiple certificates with a same domain name but different options via certbot?

My domain is:
epopen.com
My web server is (include version):
Apache 2.4.54
The operating system my web server runs on is (include version):
FreeBSD 13.1-RELEASE
I can login to a root shell on my machine (yes or no, or I don't know):
yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot-1.29.0

Hi All

I tried to add feature of " OCSP Must Staple" into my certificate and configure as follows.

renew_before_expiry = 30 days
version = 1.29.0
[renewalparams]
account = 8b9773455c991b941e14dc0e18b7973b
dns_rfc2136_propagation_seconds = 30
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = dns-rfc2136
pre_hook = ""
post_hook = ""
rsa_key_size = 4096
key_type = ecdsa
elliptic_curve = secp384r1
must_staple = True

must_staple = True was added.

It work fine with web server.
But TLS handshake failed with email(Postfix/Courier-imap)/ftp(VsFTPd) server.
Because above server does not support OCSP Must Staple feature.

As subject, is possible

  • Certificate file with must_staple = True for web server?
  • Certificate file with must_staple = False/empty for email/ftp server?

Thanks a lot.
Neko

Sure, you can create two different certificates for the same domain by passing --cert-name. e.g.

certbot certonly -d example.com 

certbot certonly --cert-name example.com-stapled -d example.com --must-staple
4 Likes

Thanks you reply quick, very helpful.

Only one question, is renew procedure correct as follows?

certbot renew

certbot renew --cert-name example.com-stapled --must-staple

Thanks a lot.

1 Like

You can't use renew to create a new certificate. Passing --cert-name to renew means: renew only this one certificate.

You should first create two separate certificates using certonly, with differing names and flags.

Then, Certbot will automatically take care of renewing them both for you.

4 Likes

Thanks you a lot.

I will remove must_staple = True from above configure file for common options to two new certificates. :grinning:

Sorry I confused about section of [renewalparams] in configure file.
I assume these options in the section always reference when renew procedure. :sweat_smile:

1 Like

However, you can change the contents of a certificate using the renew subcommand. Not sure if OP meant such a thing, but it should be possible to add the "must staple" extension to a certificate. But indeed, creating a whole new lineage isn't possible.

It's not recommended to manually edit the renewal configuration files. Unless you know exactly what you're doing I guess :slight_smile:

5 Likes

Thanks you :grinning:
I saved configure file by local git because above reason :laughing:
My understand updated as follow

  • Options using argument of certbot certonly procedure.
  • Options update into configure file automatically by certbot.
  • Options implant new certificate file.
  • Take options from certificate file when certbot renew procedure.
  • Configure file using for human inspection only.
  • One shot of certbot renew procedure can be renew multiple certificate file.
    (I consider it because certbot execute once only in periodic renew scripts by official package)

Please correct it if incorrect. :slightly_smiling_face:

2 Likes

I'm not sure I understand what you mean.

3 Likes

Sorry poor English. :sweat_smile:
Shortly, is configure file not use at certonly and renew procedure?
If true which one use configure file?

Thank a lot

1 Like

The configuration files are used at each renewal.
They tell certbot all that it needs to know about each cert and how to renew it.

3 Likes

Certbot uses it internally. As a user, you should not have to touch the renewal configuration file(s).

4 Likes

I understood.

Thank you for your guidance :grinning:

After applied --cert-name example.com-stapled and tested,

Got new objects as follows.

  • renewal/example.com-stapled.conf
  • live/example.com-stapled
  • archive/example.com-stapled

My doubts have been resolved because all of separate.
Thanks you a lot :grinning:

But try too many times to reach the limit, therefore other try after 7 days. :sweat_smile: :sweat_smile: :sweat_smile:

1 Like

Thanks all very much.
Problem solved. :smile:

2 Likes