Is it possible to issue multiple certificates with a same domain name but different options via certbot?

epopen · September 1, 2022, 8:25am

My domain is:
epopen.com
My web server is (include version):
Apache 2.4.54
The operating system my web server runs on is (include version):
FreeBSD 13.1-RELEASE
I can login to a root shell on my machine (yes or no, or I don't know):
yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot-1.29.0

Hi All

I tried to add feature of " OCSP Must Staple" into my certificate and configure as follows.

renew_before_expiry = 30 days
version = 1.29.0
[renewalparams]
account = 8b9773455c991b941e14dc0e18b7973b
dns_rfc2136_propagation_seconds = 30
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = dns-rfc2136
pre_hook = ""
post_hook = ""
rsa_key_size = 4096
key_type = ecdsa
elliptic_curve = secp384r1
must_staple = True

must_staple = True was added.

It work fine with web server.
But TLS handshake failed with email(Postfix/Courier-imap)/ftp(VsFTPd) server.
Because above server does not support OCSP Must Staple feature.

As subject, is possible

Certificate file with must_staple = True for web server?
Certificate file with must_staple = False/empty for email/ftp server?

Thanks a lot.
Neko

_az · September 1, 2022, 8:30am

Sure, you can create two different certificates for the same domain by passing --cert-name. e.g.

certbot certonly -d example.com 

certbot certonly --cert-name example.com-stapled -d example.com --must-staple

epopen · September 1, 2022, 9:16am

Thanks you reply quick, very helpful.

Only one question, is renew procedure correct as follows?

certbot renew

certbot renew --cert-name example.com-stapled --must-staple

Thanks a lot.

_az · September 1, 2022, 9:21am

You can't use renew to create a new certificate. Passing --cert-name to renew means: renew only this one certificate.

You should first create two separate certificates using certonly, with differing names and flags.

Then, Certbot will automatically take care of renewing them both for you.

epopen · September 1, 2022, 9:35am

Thanks you a lot.

I will remove must_staple = True from above configure file for common options to two new certificates.

Sorry I confused about section of [renewalparams] in configure file.
I assume these options in the section always reference when renew procedure.

Osiris · September 1, 2022, 4:59pm

However, you can change the contents of a certificate using the renew subcommand. Not sure if OP meant such a thing, but it should be possible to add the "must staple" extension to a certificate. But indeed, creating a whole new lineage isn't possible.

It's not recommended to manually edit the renewal configuration files. Unless you know exactly what you're doing I guess

epopen · September 2, 2022, 2:16am

Thanks you
I saved configure file by local git because above reason
My understand updated as follow

Options using argument of certbot certonly procedure.
Options update into configure file automatically by certbot.
Options implant new certificate file.
Take options from certificate file when certbot renew procedure.
Configure file using for human inspection only.
One shot of certbot renew procedure can be renew multiple certificate file.
(I consider it because certbot execute once only in periodic renew scripts by official package)

Please correct it if incorrect.

Osiris · September 2, 2022, 6:18am

I'm not sure I understand what you mean.

epopen · September 2, 2022, 6:58am

Sorry poor English.
Shortly, is configure file not use at certonly and renew procedure?
If true which one use configure file?

Thank a lot

rg305 · September 2, 2022, 3:14pm

The configuration files are used at each renewal.
They tell certbot all that it needs to know about each cert and how to renew it.

Osiris · September 2, 2022, 4:04pm

Certbot uses it internally. As a user, you should not have to touch the renewal configuration file(s).

epopen · September 5, 2022, 7:31am

I understood.

Thank you for your guidance

epopen · September 5, 2022, 7:32am

After applied --cert-name example.com-stapled and tested,

Got new objects as follows.

renewal/example.com-stapled.conf
live/example.com-stapled
archive/example.com-stapled

My doubts have been resolved because all of separate.
Thanks you a lot

But try too many times to reach the limit, therefore other try after 7 days.

epopen · September 19, 2022, 2:25pm

Thanks all very much.
Problem solved.

system · October 19, 2022, 2:26pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.