Merging ceritificates for domain and subdomain


I had running with nginx and certbot, then after some time I added base domain and it also worked fine. After that I tried to clear some things so that all configuration should appear in base domain and not in (i.e. /etc/letsencrypt/live/

However running
certbot certonly --webroot -w /var/www -d --force-renewal didn’t renew the certificates but created a new configuration with new certificates under /etc/letsencrypt/live/

So what is the correct way to merge those certificates into a single certificate? I also would like to get rid of and probably leave only but now I have two sets of certificates and even after reading tons of documenation and topics here didn’t help me a bit. The original intention was to change base domain.


Hi @gngn,

The command you mention above will try to create a certificate that covers only; when using -d, you are specifying every name that should appear in the resulting certificate.

If you run

certbot certonly --webroot -w /var/www -d -d --expand

you should get a single certificate that covers both and; however, it could be saved either into /etc/letsencrypt/live/ or /etc/letsencrypt/live/ (the output from running the command should tell you which directory it was saved into). If this works properly, the other directory can then be deleted, along with its corresponding directory in /etc/letsencrypt/archive and their corresponding file in /etc/letsencrypt/renewal.

In the forthcoming Certbot 0.10.0 release, there will be a way to indicate which existing certificate should be expanded.


Thanks for clarification. I tried different commands:
certbot certonly --webroot -w /var/www -d -d --force-renewal will save the output into the original directory /etc/letsencrypt/live/


certbot certonly --webroot -w /var/www -d --force-renewal will save output to the new directory /etc/letsencrypt/live/

So what would be the best way to handle two existing certificates? Do I need to revoke first or removing the directory as sugested is enough? As I understand, there’s no way to merge those two into a single one?


A certificate is a fixed document with a signature. There is no way to expand or alter it. Maybe the certbot software shouldn’t even give the impression that this was a possible use case.


What the software really does is replace a certificate by a new version (which, in reality, is a separate certificate) which can contain more or fewer names than the existing certificate. Figuring out how to talk about or refer to this process has been pretty tricky. Internally, Certbot refers to “certificate lineages”, which are version-tracked collections of related certificates that can be renewed by requesting new certificates for the same names.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.