Merging certificates for domain and subdomain


#1

I had r.example.com running with nginx and certbot, then after some time I added base domain example.com and it also worked fine. After that I tried to clear some things so that all configuration should appear in base domain example.com and not in r.example.com (i.e. /etc/letsencrypt/live/r.example.com).

However, running

certbot certonly --webroot -w /var/www -d example.com --force-renewal

didn’t renew the certificates but created a new configuration with new certificates under /etc/letsencrypt/live/example.com.

So what is the correct way to merge those certificates into a single certificate? I also would like to get rid of r.example.com and probably leave only example.com, but now I have two sets of certificates, and even reading tons of documentation and topics here didn’t help me a bit. The original intention was to change the base domain.


#2

Hi @gngn,

The command you mention above will try to create a certificate that covers only example.com; when using -d, you are specifying every name that should appear in the resulting certificate.

If you run

certbot certonly --webroot -w /var/www -d example.com -d r.example.com --expand

you should get a single certificate that covers both example.com and r.example.com; however, it could be saved either into /etc/letsencrypt/live/example.com or /etc/letsencrypt/live/r.example.com (the output from running the command should tell you which directory it was saved into). If this works properly, the other directory can then be deleted, along with its corresponding directory in /etc/letsencrypt/archive and their corresponding file in /etc/letsencrypt/renewal.

In the forthcoming Certbot 0.10.0 release, there will be a way to indicate which existing certificate should be expanded.


#3

Thanks for the clarification. I tried different commands:

certbot certonly --webroot -w /var/www -d example.com -d r.example.com --force-renewal

will save the output into the original directory /etc/letsencrypt/live/r.example.com

and

certbot certonly --webroot -w /var/www -d example.com --force-renewal

will save the output to the new directory /etc/letsencrypt/live/example.com

So what would be the best way to handle two existing certificates? Do I need to revoke r.example.com first, or is removing the directory as suggested enough? As I understand, there’s no way to merge those two into a single one?
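The situation in #2 and #3 (one lineage now covers both names, a second lineage covers a subset of them, and the leftover live/, archive/ and renewal/ entries of the redundant lineage are what gets deleted) can be checked before touching anything. The script below is an added example, not Certbot's own code or anything posted in this thread. It reads Certbot's renewal files (/etc/letsencrypt/renewal/*.conf), takes each lineage's names from the [[webroot_map]] section that the webroot authenticator writes, and reports any lineage whose names are all covered by another lineage, together with the three paths #2 says to remove. The two renewal files embedded in it are constructed to mirror the thread; a lineage that does not use the webroot authenticator has no [[webroot_map]] and is skipped rather than guessed at.

```python
"""Find redundant Certbot lineages after an --expand (added example, not Certbot code)."""
import glob
import os
import sys

# Constructed sample renewal files mirroring the thread: the expanded lineage lives
# under r.example.com and covers both names; the older example.com lineage covers one.
SAMPLE_CONFS = {
    "/etc/letsencrypt/renewal/r.example.com.conf": """\
version = 0.9.3
archive_dir = /etc/letsencrypt/archive/r.example.com
cert = /etc/letsencrypt/live/r.example.com/cert.pem
privkey = /etc/letsencrypt/live/r.example.com/privkey.pem
chain = /etc/letsencrypt/live/r.example.com/chain.pem
fullchain = /etc/letsencrypt/live/r.example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = 0000000000000000000000000000dead
webroot_path = /var/www,
[[webroot_map]]
example.com = /var/www
r.example.com = /var/www
""",
    "/etc/letsencrypt/renewal/example.com.conf": """\
version = 0.9.3
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = 0000000000000000000000000000dead
webroot_path = /var/www,
[[webroot_map]]
example.com = /var/www
""",
}


def parse_renewal_conf(text):
    """Minimal parser for the configobj-style renewal file: top-level keys,
    the [renewalparams] section, and the nested [[webroot_map]] section."""
    top, params, webroot_map = {}, {}, {}
    section = top
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[["):                       # nested section
            section = webroot_map if line == "[[webroot_map]]" else {}
        elif line.startswith("["):                      # top-level section
            section = params if line == "[renewalparams]" else {}
        else:
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip()
    return top, params, webroot_map


def lineage_from_conf(path, text):
    """Describe one lineage: its name, the paths Certbot keeps for it, and its names."""
    top, params, webroot_map = parse_renewal_conf(text)
    base = os.path.basename(path)
    name = base[:-len(".conf")] if base.endswith(".conf") else base
    live_dir = os.path.dirname(top.get("cert", "")) or "/etc/letsencrypt/live/" + name
    return {
        "name": name,
        "conf": path,
        "live_dir": live_dir,
        "archive_dir": top.get("archive_dir", "/etc/letsencrypt/archive/" + name),
        "authenticator": params.get("authenticator"),
        # Only the webroot authenticator records the names here; otherwise unknown.
        "names": frozenset(webroot_map) if params.get("authenticator") == "webroot" else None,
    }


def find_redundant(lineages):
    """Return (redundant, covering) pairs: a lineage whose names are all present in
    another lineage. Lineages with unknown names are never reported."""
    pairs = []
    for a in lineages:
        if not a["names"]:
            continue
        for b in lineages:
            if a is b or not b["names"]:
                continue
            # Strict subset, or identical names with a deterministic tie-break by name.
            if a["names"] < b["names"] or (a["names"] == b["names"] and a["name"] > b["name"]):
                pairs.append((a, b))
                break
    return pairs


def paths_to_remove(lineage):
    """The three locations #2 lists for a lineage that is no longer needed."""
    return [lineage["live_dir"], lineage["archive_dir"], lineage["conf"]]


def main(pattern=None):
    """With a glob pattern, inspect real renewal files; without one, use the samples."""
    if pattern:
        confs = {p: open(p).read() for p in sorted(glob.glob(pattern))}
    else:
        confs = SAMPLE_CONFS
    lineages = [lineage_from_conf(p, t) for p, t in sorted(confs.items())]
    for lin in lineages:
        if lin["names"] is None:
            print("skipping %s: authenticator %r records no name list" % (lin["name"], lin["authenticator"]))
    for redundant, covering in find_redundant(lineages):
        print("%s is covered by %s (%s)" % (redundant["name"], covering["name"], ", ".join(sorted(covering["names"]))))
        for path in paths_to_remove(redundant):
            print("  would remove:", path)


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with no argument to see the constructed case; pass a pattern such as /etc/letsencrypt/renewal/*.conf to inspect a real installation. It only prints what would be removed: confirm that nginx points at the covering lineage's live directory before deleting anything, because the thread shows the expanded certificate can land in either lineage.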


#4

A certificate is a fixed document with a signature. There is no way to expand or alter it. Maybe the certbot software shouldn’t even give the impression that this was a possible use case.


#5

What the software really does is replace a certificate by a new version (which, in reality, is a separate certificate) which can contain more or fewer names than the existing certificate. Figuring out how to talk about or refer to this process has been pretty tricky. Internally, Certbot refers to “certificate lineages”, which are version-tracked collections of related certificates that can be renewed by requesting new certificates for the same names.


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.